IAM role cross-account trust should only reference organization accounts


Description

IAM role trust policies that grant cross-account access should only name principals from AWS accounts within the same organization. A trust policy that references an account ID outside the organization may indicate cross-account access that was never registered with, or approved by, the security engineering team. Every cross-account trust relationship should be reviewed and approved so that it follows least-privilege principles and the organization's access policies.

Remediation

Review the IAM role’s trust policy to verify that all cross-account principals are from accounts within the organization. Remove or update trust relationships that reference external accounts unless they have been explicitly approved and registered. For guidance, refer to Update a role trust policy.
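The following Python is an added example, not part of this page or of any vendor tooling, of the check the description calls for and the clean-up the remediation calls for. It parses a role trust policy document, extracts the account ID from each `AWS` principal (bare 12-digit IDs, IAM/STS ARNs in any partition, and the `*` wildcard), compares them against the organization's account list, and returns a copy of the policy with the external principals removed. The organization account IDs and the sample trust policy are constructed for the example; in practice the account list would come from the Organizations API (`organizations:ListAccounts`) and the policy from `iam:GetRole`.

```python
import json
import re

# Constructed sample data for this example (hypothetical account IDs, not from the page).
ORG_ACCOUNT_IDS = {"111111111111", "222222222222"}

SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # In-organization account: acceptable.
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"},
        # Mixed list: one external role ARN, one bare in-organization account ID.
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999999999999:role/Deploy", "222222222222"]},
         "Action": "sts:AssumeRole"},
        # Service principal: not an account, so the check ignores it.
        {"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}

# Account ID inside an IAM or STS ARN, in any partition (aws, aws-cn, aws-us-gov).
_ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")
_BARE_ACCOUNT = re.compile(r"^\d{12}$")


def _as_list(value):
    """Policy JSON allows a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Account ID named by an AWS principal string, '*' for the anonymous wildcard,
    or None for forms this check does not classify (e.g. canonical user IDs)."""
    if principal == "*":
        return "*"
    if _BARE_ACCOUNT.match(principal):
        return principal
    m = _ARN_ACCOUNT.match(principal)
    return m.group(1) if m else None


def _aws_principals(statement):
    """AWS (account-type) principals of one statement; Service/Federated are skipped."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _is_external(account, org_account_ids):
    # The wildcard trusts every AWS account, so it is external by definition.
    return account == "*" or (account is not None and account not in org_account_ids)


def external_accounts(trust_policy, org_account_ids):
    """Account IDs (and '*') that Allow statements trust but that are not in the organization."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _aws_principals(stmt):
            acct = principal_account(p)
            if _is_external(acct, org_account_ids):
                found.add(acct)
    return found


def strip_external_principals(trust_policy, org_account_ids):
    """Copy of trust_policy with external AWS principals removed from Allow statements.
    Unclassified principals are kept for manual review; statements with no principal left are dropped."""
    cleaned = json.loads(json.dumps(trust_policy))  # deep copy, leaves the input untouched
    kept = []
    for stmt in _as_list(cleaned.get("Statement")):
        if stmt.get("Effect") == "Allow":
            principal = stmt.get("Principal")
            if principal == "*":
                continue  # anonymous trust: nothing worth keeping
            if isinstance(principal, dict) and "AWS" in principal:
                allowed = [p for p in _as_list(principal["AWS"])
                           if not _is_external(principal_account(p), org_account_ids)]
                if allowed:
                    principal["AWS"] = allowed if len(allowed) > 1 else allowed[0]
                else:
                    del principal["AWS"]
                if not principal:
                    continue  # no principal left to trust
        kept.append(stmt)
    cleaned["Statement"] = kept
    return cleaned


if __name__ == "__main__":
    print("external principals:", external_accounts(SAMPLE_TRUST_POLICY, ORG_ACCOUNT_IDS))
    print(json.dumps(strip_external_principals(SAMPLE_TRUST_POLICY, ORG_ACCOUNT_IDS), indent=2))
```

On the sample policy the check reports `999999999999` as the only external principal, and the cleaned policy keeps all three statements but trusts only `222222222222` in the second one. Two design choices matter in practice: a `Principal` of `"*"` is treated as external rather than silently skipped, since it trusts every AWS account, and principals the parser cannot classify are left in place rather than deleted, so the reviewer sees them instead of losing them. Once the trust policy is cleaned, an `aws:PrincipalOrgID` condition on the statement is a standard additional guard that prevents a later edit from reintroducing an out-of-organization principal.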