Ensure that your Amazon Identity and Access Management (IAM) roles are configured to be assumed only by trusted (friendly) AWS accounts in order to protect against unauthorized cross-account access. Before this rule is run by the Cloud Conformity engine, the list of trusted (friendly) AWS account identifiers (e.g. 123456789012) must be configured within the rule settings, on the Cloud Conformity account dashboard.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing unknown cross-account access to your IAM roles will enable foreign accounts to assume these roles and gain control over your AWS services and resources. To prevent unauthorized cross-account access, allow only trusted entities to assume your Amazon IAM roles by implementing the appropriate policies.
Audit
To determine if there are any IAM roles configured to allow unknown cross-account access, available in your AWS cloud account, perform the following actions:
Remediation / Resolution
To update your IAM roles' trust policies in order to authorize only trusted (friendly) AWS accounts to assume these roles, regardless of MFA/external ID support, perform the following actions:
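As an added example (not part of the Conformity page or its engine), the following Python evaluates a role's trust policy document against a list of trusted account identifiers, which is the check the audit and remediation above are about. The trust policy and account numbers are constructed for illustration; a real audit would fetch each role's document with `aws iam get-role` (or boto3) and pass it in.

```python
import json
import re

# Constructed trust policy for illustration only; not taken from any real account.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:root",
                               "arn:aws:iam::999999999999:role/Deploy"]},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}},
        {"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
})

# Matches a bare 12-digit account ID or an IAM/STS ARN and captures the account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")

def _as_list(value):
    """IAM policy fields may be a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def principal_accounts(statement):
    """Yield the account IDs (or '*') named in a statement's AWS principal.

    Service and Federated principals are not AWS accounts and are skipped.
    """
    principal = statement.get("Principal", {})
    entries = _as_list(principal) if isinstance(principal, str) \
        else _as_list(principal.get("AWS", []))
    for entry in entries:
        match = ACCOUNT_RE.match(entry)
        yield match.group(1) if match else entry  # '*' or unparsable values reported verbatim

def untrusted_principals(policy_json, trusted_accounts):
    """Return the principals allowed to assume the role that are not in trusted_accounts.

    As the rule states, MFA or external-ID conditions do not make an unknown
    account trusted, so Condition blocks are deliberately not consulted.
    """
    trusted = set(trusted_accounts)
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        findings.update(a for a in principal_accounts(stmt) if a not in trusted)
    return findings
```

A non-empty result means the role fails the check; `{"*"}` means anyone can assume it.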
References
- AWS Documentation
- Identities (Users, Groups, and Roles)
- IAM Roles
- Modifying a Role
- Editing the Trust Relationship for an Existing Role
- AWS Command Line Interface (CLI) Documentation
- iam
- list-roles
- get-role
- update-assume-role-policy
Check for Untrusted Cross-Account IAM Roles
Risk level: Medium