IAM role cross-account trust should only reference organization accounts

Description

IAM role trust policies that allow cross-account access should only reference principals from AWS accounts within the same organization. Trust policies that reference external account IDs may indicate unapproved cross-account access that has not been registered with the security engineering team. All cross-account trust relationships should be reviewed and approved to ensure they follow least-privilege principles and organizational access policies.

Remediation

Review the IAM role’s trust policy to verify that all cross-account principals are from accounts within the organization. Remove or update trust relationships that reference external accounts unless they have been explicitly approved and registered. For guidance, refer to Update a role trust policy.
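As an added illustration of the check this rule describes (not Datadog's rule logic), the following Python walks a role trust policy, collects the account IDs named in its AWS principals, and reports any that are not in a list of organization accounts. The account IDs and the trust policy are constructed samples; the allow-list would normally come from AWS Organizations. Conditions (for example an aws:PrincipalOrgID condition) are not evaluated here, so every result is a candidate for review rather than a confirmed violation.

```python
import json
import re

# Constructed placeholder organization account IDs (not real accounts).
ORG_ACCOUNT_IDS = {"111111111111", "222222222222"}

# Matches a bare 12-digit account ID or an IAM/STS ARN such as
# arn:aws:iam::123456789012:root or arn:aws:iam::123456789012:role/Name
ACCOUNT_RE = re.compile(r"^(?:arn:aws[^:]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")


def principal_accounts(statement):
    """Return the set of account IDs named in a statement's AWS principal.

    Service and Federated principals carry no account ID and are skipped.
    A wildcard principal is returned as "*" so the caller can flag it.
    """
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return {"*"} if principal == "*" else set()
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    found = set()
    for entry in aws:
        if entry == "*":
            found.add("*")
            continue
        match = ACCOUNT_RE.match(entry)
        if match:
            found.add(match.group(1))
    return found


def external_principals(trust_policy, org_accounts):
    """Return sorted principals in Allow statements that are outside org_accounts."""
    policy = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    external = set()
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        external.update(a for a in principal_accounts(statement) if a not in org_accounts)
    return sorted(external)


# Constructed sample trust policy: one in-org root, one external vendor role,
# one in-org bare account ID, and a service principal that carries no account.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::333333333333:role/Vendor", "222222222222"]}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    print(external_principals(SAMPLE_TRUST_POLICY, ORG_ACCOUNT_IDS))  # ['333333333333']
```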