
Cross-Account Role Abuse

high

Lateral Movement

An attacker exploits overly permissive cross-account trust policies to move between AWS accounts.

Required Permissions

sts:AssumeRole

Description

Cross-account role assumption allows principals in one AWS account to temporarily access resources in another. When trust policies are misconfigured, attackers can pivot across account boundaries.

Common misconfigurations:

- **Trusting an entire account** — The trust policy specifies an account ID as principal without restricting to specific roles
- **Missing external ID** — No ExternalId condition, making the role vulnerable to confused deputy attacks
- **Stale trust relationships** — Roles still trust accounts that should no longer have access
- **Circular trust** — Account A trusts Account B, which trusts Account A, creating infinite role chains

An attacker who compromises a principal in one account can systematically enumerate and attempt to assume cross-account roles, potentially gaining access to production accounts from a compromised development account.

In AWS Organizations environments, this can cascade across dozens of accounts if trust policies are not carefully managed.

Impact

Access to resources in other AWS accounts. Can cascade across an entire AWS Organization.

Detection

Monitor CloudTrail for cross-account AssumeRole calls. Alert on role assumptions from unexpected source accounts.
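The detection above, worked through as an added example (not code from the original page): a small Python routine that takes CloudTrail records, keeps only `sts:AssumeRole` calls whose calling account differs from the recipient account, and raises an alert when the source account is not on the expected list for the target role. Failed attempts (records carrying an `errorCode`) are kept as well, since a compromised principal probing roles across accounts produces exactly that pattern. The account IDs, role names and event records are constructed placeholders; the field names follow the CloudTrail record layout but the records are abbreviated.

```python
"""Flag cross-account sts:AssumeRole calls from unexpected source accounts.

Added example: records are constructed and abbreviated CloudTrail events with
placeholder account IDs; nothing here talks to AWS.
"""

# Constructed placeholder account IDs.
PROD_ACCOUNT = "111111111111"
CICD_ACCOUNT = "222222222222"
DEV_ACCOUNT = "333333333333"
UNKNOWN_ACCOUNT = "444444444444"

# Constructed CloudTrail records (abbreviated to the fields the detection needs).
SAMPLE_EVENTS = [
    {   # expected: CI/CD account assuming the deploy role in prod
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "accountId": CICD_ACCOUNT,
                         "arn": f"arn:aws:sts::{CICD_ACCOUNT}:assumed-role/CICDRole/build-42"},
        "recipientAccountId": PROD_ACCOUNT,
        "requestParameters": {"roleArn": f"arn:aws:iam::{PROD_ACCOUNT}:role/DeployRole"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # unexpected: a dev-account principal assuming an admin role in prod
        "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": DEV_ACCOUNT,
                         "arn": f"arn:aws:iam::{DEV_ACCOUNT}:user/dev-user"},
        "recipientAccountId": PROD_ACCOUNT,
        "requestParameters": {"roleArn": f"arn:aws:iam::{PROD_ACCOUNT}:role/ProdAdmin"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # same-account assumption: not cross-account, ignored by this rule
        "eventTime": "2024-01-01T10:06:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AWSService", "accountId": PROD_ACCOUNT,
                         "invokedBy": "lambda.amazonaws.com"},
        "recipientAccountId": PROD_ACCOUNT,
        "requestParameters": {"roleArn": f"arn:aws:iam::{PROD_ACCOUNT}:role/LambdaExecRole"},
        "sourceIPAddress": "lambda.amazonaws.com",
    },
    {   # unexpected and denied: an unknown account probing a prod role
        "eventTime": "2024-01-01T10:07:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": UNKNOWN_ACCOUNT,
                         "arn": f"arn:aws:iam::{UNKNOWN_ACCOUNT}:user/scanner"},
        "recipientAccountId": PROD_ACCOUNT,
        "requestParameters": {"roleArn": f"arn:aws:iam::{PROD_ACCOUNT}:role/ProdAdmin"},
        "sourceIPAddress": "192.0.2.44",
        "errorCode": "AccessDenied",
    },
]

# Which source accounts are allowed to assume each cross-account role.
EXPECTED_SOURCES = {
    f"arn:aws:iam::{PROD_ACCOUNT}:role/DeployRole": {CICD_ACCOUNT},
}


def is_cross_account_assume_role(event):
    """True for sts:AssumeRole records where the caller's account differs from the target's."""
    return (
        event.get("eventSource") == "sts.amazonaws.com"
        and event.get("eventName") == "AssumeRole"
        and event.get("userIdentity", {}).get("accountId") != event.get("recipientAccountId")
    )


def detect_unexpected_assumptions(events, expected_sources):
    """Return one alert dict per cross-account AssumeRole whose source account is not expected.

    Denied attempts are reported too: repeated AccessDenied from one source is the
    enumeration pattern a compromised principal produces.
    """
    alerts = []
    for ev in events:
        if not is_cross_account_assume_role(ev):
            continue
        role_arn = ev.get("requestParameters", {}).get("roleArn", "")
        source_account = ev["userIdentity"].get("accountId")
        if source_account in expected_sources.get(role_arn, set()):
            continue
        alerts.append({
            "time": ev.get("eventTime"),
            "source_account": source_account,
            "caller": ev["userIdentity"].get("arn") or ev["userIdentity"].get("invokedBy"),
            "target_role": role_arn,
            "source_ip": ev.get("sourceIPAddress"),
            "outcome": ev.get("errorCode", "Success"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_unexpected_assumptions(SAMPLE_EVENTS, EXPECTED_SOURCES):
        print("ALERT cross-account AssumeRole:", alert)
```

The expected-source map is the policy half of the rule: it encodes which cross-account assumptions are sanctioned, so anything outside it, successful or denied, becomes a finding. In a real deployment the same logic runs over CloudTrail delivered to S3 or CloudWatch Logs, and the map is generated from the roles' trust policies rather than kept by hand.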

Mitigation

Restrict trust policies to specific role ARNs, not entire accounts. Require ExternalId for third-party access. Regularly audit cross-account trust relationships. Use SCPs to limit which accounts can be assumed into.
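An added example (not code from the original page) that serves both the misconfiguration list in the Description and the mitigation advice above: a trust-policy audit that flags whole-account principals, wildcard principals and cross-account principals lacking an `sts:ExternalId` condition, run against a weak trust policy and its hardened counterpart. Both policy documents and the account IDs are constructed placeholders; the audit reads policy JSON as a Python dict and makes no AWS calls, so the same function can be fed the output of `iam:GetRole` in an account review.

```python
"""Audit IAM role trust policies for the cross-account weaknesses described above.

Added example with constructed policies and placeholder account IDs.
Checks: wildcard principal, whole-account principal (":root" or bare account ID),
and cross-account principal with no sts:ExternalId condition.
"""
import re

OWN_ACCOUNT = "111111111111"      # placeholder: the account that owns the role
PARTNER_ACCOUNT = "222222222222"  # placeholder: the account allowed to assume it

# Weak: trusts the entire partner account and sets no ExternalId.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Hardened: trusts one specific role and requires an ExternalId.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:role/PartnerIntegrationRole"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}

# "arn:aws:iam::<acct>:root" or a bare 12-digit account ID both mean "the whole account".
WHOLE_ACCOUNT = re.compile(r"^(?:arn:aws:iam::(\d{12}):root|(\d{12}))$")


def _as_list(value):
    """IAM allows a single string or a list in Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the 12-digit account ID named by an AWS principal string, or None."""
    m = WHOLE_ACCOUNT.match(principal)
    if m:
        return m.group(1) or m.group(2)
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and re.fullmatch(r"\d{12}", parts[4]) else None


def _has_external_id(statement):
    """True if any condition block in the statement references sts:ExternalId."""
    return any(
        "sts:externalid" in {key.lower() for key in cond_map}
        for cond_map in statement.get("Condition", {}).values()
    )


def audit_trust_policy(policy, own_account):
    """Return a list of findings, each (statement_index, message)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # not a role-assumption statement
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append((idx, "wildcard principal: any AWS principal may assume this role"))
            continue
        for p in _as_list(principal.get("AWS")):
            acct = _account_of(p)
            if WHOLE_ACCOUNT.match(p):
                findings.append((idx, f"trusts entire account {acct}; restrict to specific role ARNs"))
            if acct is not None and acct != own_account and not _has_external_id(stmt):
                findings.append((idx, f"cross-account principal {p} has no sts:ExternalId condition"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(f"{name}: {audit_trust_policy(policy, OWN_ACCOUNT) or 'no findings'}")
```

Stale and circular trusts, the other two misconfigurations listed above, need the set of all roles across accounts rather than a single document: the same per-policy extraction of (trusting role, trusted account or role) edges, collected organization-wide, gives a graph in which a cycle is a circular trust and an edge pointing at a decommissioned account is a stale one.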