---
title: RCP should deny cross-account role assumption from outside the Organization
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > RCP should deny cross-account role
  assumption from outside the Organization
---

# RCP should deny cross-account role assumption from outside the Organization
 
## Description{% #description %}

A Resource Control Policy (RCP) should deny all cross-account role assumption methods from principals outside the AWS Organization. Without this control, IAM roles in member accounts can be assumed by any external AWS principal that satisfies the role's trust policy, creating a lateral-movement risk and potential data exfiltration path.

This rule verifies that an RCP denies **all three STS role assumption actions** when `aws:PrincipalOrgID` does not match the organization ID:

- `sts:AssumeRole`
- `sts:AssumeRoleWithSAML`
- `sts:AssumeRoleWithWebIdentity`

Alternatively, a wildcard action (`sts:*` or `*`) satisfies the requirement. Denying only `sts:AssumeRole` is insufficient — an attacker could still use SAML or Web Identity federation to assume roles from outside the organization.

The RCP must use a `StringNotEquals` or `StringNotEqualsIfExists` condition on `aws:PrincipalOrgID` to enforce the organization boundary.

**Note:** AWS service principals should be exempted using `aws:PrincipalIsAWSService` conditions to avoid disrupting AWS service integrations. Trusted third-party accounts can be exempted using `aws:PrincipalAccount` conditions.

## Remediation{% #remediation %}

Create a Resource Control Policy that explicitly denies all three STS role assumption actions (`sts:AssumeRole`, `sts:AssumeRoleWithSAML`, `sts:AssumeRoleWithWebIdentity`) or `sts:*` using `Action` (not `NotAction`) from principals outside the organization and attach it to the organization root. The deny statement must include a `StringNotEquals` or `StringNotEqualsIfExists` condition on `aws:PrincipalOrgID`. Refer to the [RCP syntax documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html) and the [AWS data perimeter best practices](https://aws.amazon.com/identity/data-perimeters-on-aws/) for guidance.