---
title: IAM role cross-account trust should only reference organization accounts
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > IAM role cross-account trust should
  only reference organization accounts
---

# IAM role cross-account trust should only reference organization accounts
## Description{% #description %}

IAM role trust policies that allow cross-account access should only reference principals from AWS accounts within the same organization. Trust policies that reference external account IDs may indicate unapproved cross-account access that has not been registered with the security engineering team. All cross-account trust relationships should be reviewed and approved to ensure they follow least-privilege principles and organizational access policies.

## Remediation{% #remediation %}

Review the IAM role's trust policy to verify that all cross-account principals are from accounts within the organization. Remove or update trust relationships that reference external accounts unless they have been explicitly approved and registered. For guidance, refer to [Update a role trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html).
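One way to carry out this review programmatically, as an added example that is not part of the Datadog rule or the AWS documentation: the function below walks the Allow statements of a role trust policy, extracts the account ID from each `Principal.AWS` entry (bare account IDs and IAM ARNs), and reports any account outside an assumed organization account list; `ORG_ACCOUNTS` and `SAMPLE_TRUST_POLICY` are constructed for illustration, and wildcard principals are counted separately because they trust every account.

```python
import re

# Constructed example: account IDs assumed to belong to the organization
# (in practice, source them from AWS Organizations ListAccounts).
ORG_ACCOUNTS = {"111111111111", "222222222222"}

# Captures the account ID in IAM ARNs such as arn:aws:iam::123456789012:root
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def principal_account(principal):
    """Return the 12-digit account ID a Principal.AWS entry refers to, or None
    for entries that carry no account (for example a bare "*" wildcard)."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def external_principals(trust_policy, org_accounts=ORG_ACCOUNTS):
    """Return (sorted external account IDs, number of wildcard principals)
    found in the Allow statements of a role trust policy."""
    external, wildcards = set(), 0
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # "Principal": "*" trusts every account
            wildcards += 1
            continue
        aws = principal.get("AWS", [])  # Service/Federated carry no account
        for entry in [aws] if isinstance(aws, str) else aws:
            if entry == "*":
                wildcards += 1
            else:
                acct = principal_account(entry)
                if acct and acct not in org_accounts:
                    external.add(acct)
    return sorted(external), wildcards


# Constructed trust policy: one in-org root, one external role, one external
# bare account ID, and a service principal that should be ignored.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": [
        "arn:aws:iam::222222222222:root",
        "arn:aws:iam::333333333333:role/Deploy", "444444444444"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "ec2.amazonaws.com"}}]}
```

Any account returned in the first element, or a non-zero wildcard count, is a trust relationship to compare against the approved cross-account register before deciding whether to remove it.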
