SwitchRoleMastery: Your Step-by-Step Guide to AWS Cross-Account Access

Mohasina Clt
8 min read · Jan 22, 2024


Table of Contents:

  1. Introduction
  2. Step 1: Set Up Trust Relationship in Account A
  3. Step 2: Create an IAM Role (Account A)
  4. Step 3: Verify Trust Relationship (Account A)
  5. Step 4: Obtain Role ARN (Account A)
  6. Step 5: Switch Role (Account B) using IAM User Credentials
  7. Step 6: Verify ReadOnly Access (Account B)
  8. Conclusion

Introduction:

This guide walks through AWS cross-account IAM roles with one concrete goal: giving an IAM user in one account (Account B) read-only access to the resources of another account (Account A), with least privilege throughout. Working in the AWS Management Console, we define the trust relationship, create the role with exactly the permissions it needs, and then switch into that role from Account B. The result is an IAM user who can observe resources in Account A without being able to modify them, and a configuration that is accountable and auditable as well as convenient.

The two AWS accounts used in this guide:

Account A: The account whose resources need to be accessed by Account B.

Account B: The account whose IAM user needs read-only access to Account A's resources.

Steps:

Step 1: Set Up Trust Relationship in Account A

Begin the process by logging in to the AWS Management Console using the credentials associated with Account A. Once logged in, proceed to open the IAM console. This console serves as the central hub for managing identity and access within the AWS environment.

  1. Log in to AWS Console:

  • Visit the AWS Management Console and enter the credentials associated with Account A.

  2. Access IAM Console:

  • Navigate to the “Services” dropdown menu and select “IAM” under the “Security, Identity, & Compliance” section. Alternatively, type “IAM” in the AWS Management Console search bar and select the IAM service.

Once you have the IAM console open in Account A, you are ready to create and configure the IAM role that will enable cross-account read-only access. The next steps walk through that setup.

Step 2: Create an IAM Role (Account A)

  1. Navigate to IAM Console:

  • In the IAM console, select “Roles” from the left navigation pane. This is where you create the new IAM role in Account A.

  2. Initiate Role Creation:

  • Click the “Create role” button to begin defining the IAM role that will establish cross-account access.

  3. Specify Trusted Entity:

  • Choose “Another AWS account” as the type of trusted entity. This indicates that the role will be assumed by principals from an AWS account other than the current one (Account A).

  4. Enter AWS Account ID (Account B):

  • Enter the AWS Account ID of Account B. This establishes the trust relationship between Account A and Account B, so that permissions in Account A can be delegated to Account B.

  5. Attach ReadOnlyAccess Policy:

  • To grant read-only permissions, attach the AWS managed ReadOnlyAccess policy to the role. This policy grants the permissions needed to view resources without the ability to change them.

  6. Review and Create Role:

  • Review the role's configuration. Confirm that the trusted entity, the AWS Account ID, and the attached policy match the intended read-only setup. Once satisfied, create the role.

By completing these steps, you lay the foundation for cross-account read-only access: Account B can observe resources in Account A without altering them. The IAM role is the conduit for secure, controlled access between the two accounts. The next steps refine and finalize the configuration.

Step 3: Verify Trust Relationship (Account A)

  1. Select the Newly Created Role:

  • In the IAM console, choose the role you just created from the list. This is the role that establishes the trust relationship between Account A and Account B for cross-account access.

  2. Navigate to Trust Relationships:

  • Within the selected role, open the “Trust relationships” tab. This tab shows the trust policy, i.e. which other AWS accounts and principals are allowed to assume this role.

  3. Edit Trust Relationship:

  • Click the “Edit trust relationship” button. This lets you view and modify the trust policy that dictates which entities are permitted to assume the role.

  4. Define Trust Policy:

  • In the trust policy editor, define a trust policy that explicitly permits Account B to assume the role. The trust policy should spell out the conditions under which the role can be assumed, keeping access secure and controlled.

Example Trust Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Be sure to replace “ACCOUNT-B-ID” with the actual AWS Account ID of Account B.

  5. Save Changes:

  • After defining the trust policy, save the changes. This finalizes the trust relationship, allowing Account B to assume the IAM role in Account A.

A precise trust policy is what makes the cross-account channel secure: it ensures that only the intended party, Account B in this case, can assume the IAM role in Account A. The next steps complete the configuration and validate the read-only access.
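One thing worth checking before saving the trust policy above is what it actually trusts: a principal of arn:aws:iam::ACCOUNT-B-ID:root trusts the whole of Account B, so any IAM user or role in Account B whose own permissions allow sts:AssumeRole on this role can assume it. Naming a specific user or role ARN, or adding a Condition such as aws:MultiFactorAuthPresent, narrows that. The following is an added example, not code from the article: a small audit that parses a trust policy document and reports principals outside the expected account, wildcard principals, actions broader than sts:AssumeRole, and the two hardening hints just mentioned. The account ID 111122223333 and the is_safe/audit_trust_policy names are assumptions made for the example.

```python
"""Audit an IAM role trust policy before saving it (added example, not from the article)."""
import json
import re

# Constructed sample: the article's trust policy with a made-up 12-digit
# account ID standing in for ACCOUNT-B-ID.
SAMPLE_ACCOUNT_B = "111122223333"
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SAMPLE_ACCOUNT_B}:root"},
        "Action": "sts:AssumeRole",
    }],
})

# IAM principal ARNs this audit understands: the account root, a user, or a role.
_PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def _as_list(value):
    """IAM accepts a bare string anywhere it accepts a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, expected_account_id):
    """Return (severity, message) findings for a trust policy document.

    HIGH findings mean principals outside expected_account_id could assume the
    role, or the statement grants more than sts:AssumeRole. INFO findings are
    hardening hints (the :root principal, a missing Condition block)."""
    findings = []
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(("HIGH", "statement trusts every AWS principal ('*')"))
            continue
        if not isinstance(principal, dict):
            findings.append(("HIGH", f"unexpected Principal element: {principal!r}"))
            continue
        for kind in principal:
            if kind != "AWS":  # Service, Federated, CanonicalUser are not AWS accounts
                findings.append(("MEDIUM", f"non-account principal type {kind!r} present"))
        for arn in _as_list(principal.get("AWS")):
            if arn == "*":
                findings.append(("HIGH", "Principal.AWS is '*'"))
                continue
            m = _PRINCIPAL_ARN.match(arn)
            if m:
                account, entity = m.group(1), m.group(2)
            elif re.fullmatch(r"\d{12}", arn):
                account, entity = arn, "root"  # a bare account ID is equivalent to :root
            else:
                findings.append(("MEDIUM", f"unrecognised principal {arn!r}"))
                continue
            if account != expected_account_id:
                findings.append(("HIGH", f"{arn} is not in account {expected_account_id}"))
            elif entity == "root":
                findings.append(("INFO", f"{arn} trusts the whole account: any principal in it "
                                         "whose own policy allows sts:AssumeRole can assume this role"))
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":  # IAM action names are case-insensitive
                findings.append(("HIGH", f"action {action!r} is broader than sts:AssumeRole"))
        if "Condition" not in stmt:
            findings.append(("INFO", "no Condition block (e.g. aws:MultiFactorAuthPresent "
                                     "or sts:ExternalId) restricts when the role may be assumed"))
    return findings


def is_safe(policy_json, expected_account_id):
    """True when nothing above INFO level was found."""
    return all(sev == "INFO" for sev, _ in audit_trust_policy(policy_json, expected_account_id))


if __name__ == "__main__":
    for sev, msg in audit_trust_policy(SAMPLE_TRUST_POLICY, SAMPLE_ACCOUNT_B):
        print(f"[{sev}] {msg}")
```

Run against the article's policy, the audit returns only the two INFO hints; pasting in a policy whose principal is "*" or a different account ID produces a HIGH finding, which is the case you want to catch before clicking Save.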

Step 4: Obtain Role ARN (Account A)

  1. Copy Role ARN:
  • From the IAM console in Account A, select the role that was created in Step 2. Within the role details, locate and copy the Amazon Resource Name (ARN) associated with this IAM role. This unique identifier is crucial for configuring cross-account access in Account B.

Step 5: Switch Role (Account B) using IAM User Credentials

  1. Log in to AWS Management Console (Account B) with IAM User:

  • Using the credentials of an IAM user in Account B (with administrator access), log in to the AWS Management Console. Visit console.aws.amazon.com and enter the IAM user’s login details.

  2. Access Switch Role from Taskbar:

  • On the right side of the AWS Management Console taskbar, locate and select the “Switch Role” option.

  3. Enter Role Details in Switch Role Wizard:

  • Within the “Switch Role” wizard:
    • Account: Enter the Account ID of Account A.
    • Role: Enter the name of the IAM role created in Account A.
    • Display Name: Enter a name for display purposes that makes clear which role is being assumed (e.g., “ReadOnlyRole_AccountA”).

  4. Complete the Switch Role:

  • Follow the prompts in the “Switch Role” wizard, making sure the Account ID, Role name, Display Name, and IAM user credentials are correct. Complete the process to switch to the specified role in Account A.

Entering the required details directly in the “Switch Role” wizard keeps the process simple: the IAM user in Account B assumes the designated role in Account A and gains controlled, read-only cross-account access. The next step validates that the access really is read-only.

Step 6: Verify ReadOnly Access (Account B)

  1. Post Switch Role:

  • After successfully switching to the role in Account A, attempt to access resources in Account A using the AWS Management Console.

  2. Confirm Limited Permissions:

  • Verify that the permissions of the assumed role are limited to read-only actions. Try viewing resources, inspecting configurations, and retrieving information, and confirm that changes are not possible.

  3. Resource Accessibility Check:

  • Navigate to different AWS services within Account A, such as Amazon S3, EC2, or CloudWatch. Confirm that the IAM user from Account B can observe resources and gather information, while any attempt to modify or delete resources is denied.

  4. Review IAM Policies:

  • Ensure that the IAM policies attached to the role in Account A grant only read-only access. Check for the ReadOnlyAccess policy and customize as needed to match your specific resource requirements.

  5. Log and Monitor Activities:

  • Use AWS CloudTrail and CloudWatch Logs to monitor activity and verify that the IAM user’s actions stay within the read-only permissions granted by the role. This provides a complete audit trail for accountability.

By rigorously testing and confirming read-only access, you ensure that the cross-account IAM setup works as intended. This step is crucial for maintaining the integrity of the access control model: Account B can observe and analyze resources in Account A while adhering to the principle of least privilege.
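Step 5 of the verification above says to use CloudTrail to confirm the role stays read-only; what that means in practice is picking out the AssumeRole record for the role, then the records made under the assumed-role session, and checking that every non-read API call was denied. The following is an added example, not code from the article, that does this over a handful of constructed CloudTrail-style records. The account IDs 999988887777 (Account A) and 111122223333 (Account B), the role name CrossAccountReadOnly, the user alice, and the function names are all assumptions made for the example; the record fields (eventSource, eventName, userIdentity, readOnly, errorCode) are the standard CloudTrail ones.

```python
"""Review CloudTrail records for a cross-account read-only role (added example, not from the article)."""
import json

# Constructed values: Account A is 999988887777, the role created in Step 2 is
# CrossAccountReadOnly, and the IAM user in Account B (111122223333) is alice.
ROLE_ARN = "arn:aws:iam::999988887777:role/CrossAccountReadOnly"
SESSION = "arn:aws:sts::999988887777:assumed-role/CrossAccountReadOnly/alice"

# Constructed CloudTrail-style records, trimmed to the fields this check reads.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "arn": SESSION}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "readOnly": False,
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "readOnly": False,
     "userIdentity": {"type": "AssumedRole", "arn": SESSION}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::999988887777:assumed-role/SomeOtherRole/bob"}},
]})

READ_PREFIXES = ("Describe", "Get", "List", "Head", "Lookup", "Search")
DENIED_CODES = ("AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation")


def session_arn_prefix(role_arn):
    """arn:aws:iam::ACCT:role/Name -> arn:aws:sts::ACCT:assumed-role/Name/ (all session ARNs start with this)."""
    account = role_arn.split(":")[4]
    name = role_arn.split(":role/", 1)[1]
    return f"arn:aws:sts::{account}:assumed-role/{name}/"


def is_read(event):
    """Prefer CloudTrail's readOnly flag; fall back to the API name prefix when it is absent."""
    if isinstance(event.get("readOnly"), bool):
        return event["readOnly"]
    return event["eventName"].startswith(READ_PREFIXES)


def review_role_activity(records_json, role_arn):
    """Summarise who assumed role_arn and what its sessions did.

    allowed_writes is the list to act on: a non-read API call that succeeded
    means the role has more than the read-only permissions it was meant to have."""
    prefix = session_arn_prefix(role_arn)
    summary = {"assumed_by": [], "reads": 0, "denied_writes": [], "allowed_writes": []}
    for ev in json.loads(records_json)["Records"]:
        who = ev.get("userIdentity", {})
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "AssumeRole":
            if ev.get("requestParameters", {}).get("roleArn") == role_arn:
                summary["assumed_by"].append(who.get("arn"))
            continue
        if who.get("type") != "AssumedRole" or not who.get("arn", "").startswith(prefix):
            continue  # activity of some other principal
        api = f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}"
        if is_read(ev):
            summary["reads"] += 1
        elif ev.get("errorCode") in DENIED_CODES:
            summary["denied_writes"].append(api)
        elif "errorCode" not in ev:
            summary["allowed_writes"].append(api)
        # writes that failed for other reasons are neither proof nor violation
    return summary


if __name__ == "__main__":
    print(json.dumps(review_role_activity(SAMPLE_RECORDS, ROLE_ARN), indent=2))
```

On the constructed records the summary shows alice assuming the role, one read, one denied write (the expected outcome) and one successful s3:PutObject, which is exactly the kind of finding that tells you the role's permissions are wider than ReadOnlyAccess and need another look at Step 4 of the verification. Against real data you would feed it the Records array from a CloudTrail log file or the events returned by the LookupEvents API.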

Conclusion:

In the evolving landscape of AWS, mastering cross-account IAM roles is more than a technical feat — it’s a strategic imperative. As we conclude this journey through the intricacies of IAM configuration, let’s not just appreciate the steps but the empowerment it brings to organizations. The principle of least privilege is not just a concept; it’s a practice we’ve woven into the fabric of AWS IAM, ensuring secure, efficient, and principled resource management.

As you embark on your own AWS ventures, remember that these IAM configurations aren’t just about access; they’re about accountability and control. Stay curious, stay secure, and may your AWS endeavors be both seamless and secure.

For further insights, discussions, or if you simply want to connect and explore more about AWS and cloud technologies, feel free to connect with me on LinkedIn. Let’s continue the conversation beyond this guide and foster a community of AWS enthusiasts and security advocates. Together, we navigate the ever-evolving cloud landscape.

Happy AWS navigating!!!!!!!

Connect with me on LinkedIn
