--- title: Cross-account IAM assume role policy without external id or MFA description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Cross-account IAM assume role policy without external id or MFA --- # Cross-account IAM assume role policy without external id or MFA {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-cross-account-iam-assume-role-policy-without-external-id-or-mfa` **Provider:** AWS **Platform:** Terraform **Severity:** High **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#assume_role_policy) ### Description{% #description %} When creating cross-account IAM roles, it's crucial to implement additional security measures like External ID or Multi-Factor Authentication (MFA) to prevent unauthorized cross-account access. Without these safeguards, your resources become vulnerable to confused deputy attacks, where a malicious third party could trick your role into performing actions they shouldn't be authorized to do. To secure your configuration, add a `Condition` block to your assume role policy that requires either an `ExternalId`,as shown in the example below, or MFA validation: ```json "Condition": { "StringEquals": { "sts:ExternalId": "98765" } } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_iam_role" "negative1" { name = "test_role" assume_role_policy = <