IAM role cross-account trust should only reference organization accounts

iam
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

IAM role trust policies that allow cross-account access should only reference principals from AWS accounts within the same organization. Trust policies that reference external account IDs may indicate unapproved cross-account access that has not been registered with the security engineering team. All cross-account trust relationships should be reviewed and approved to ensure they follow least-privilege principles and organizational access policies.

Remediation

Review the IAM role’s trust policy to verify that all cross-account principals are from accounts within the organization. Remove or update trust relationships that reference external accounts unless they have been explicitly approved and registered. For guidance, refer to Update a role trust policy.