Cross Account Access: Enabling Secure Resource Sharing Across AWS Accounts

In this article, we’re diving into the world of Cross Account Access – a critical aspect of managing multiple AWS accounts securely. We’ll explore why Cross Account Access is essential and delve into a hands-on demonstration of how to implement it effectively.

The Need for Cross Account Access

Imagine a scenario where an organization operates multiple AWS accounts. For instance, there might be a staging account for testing and a production account for live applications. In such cases, efficient and secure sharing of resources becomes paramount. Let’s consider a specific use case:

Scenario: Company XYZ maintains a production AWS account with a Simple Storage Service (S3) bucket housing critical objects. Simultaneously, they have a staging account for testing. A user in the staging account needs access to the S3 bucket in the production account.

The traditional approach of creating the same user in both accounts poses challenges. It leads to redundant management and security concerns. Additionally, when access is no longer required, the risk of neglecting to delete the user persists.

Solution: Cross Account Access offers a more streamlined and secure method. Instead of duplicating users, it leverages Identity and Access Management (IAM) roles. These roles facilitate access across accounts by enabling users to assume a role in another account.

Hands-On Implementation of Cross Account Access

Step 1: Defining the IAM Role in the Source Account

  1. Access the AWS Management Console of the source account (e.g., staging account).
  2. Create an IAM policy granting desired permissions (e.g., S3 read access).
  3. Create an IAM role and associate the previously created policy with it.
  4. Set the trust relationship to allow the account that needs access (e.g., production account) to assume the role.

Step 2: Configuring the Destination Account

  1. Log in to the AWS Management Console of the destination account (e.g., production account).
  2. Create or select an IAM user who will assume the role in the source account.
  3. Create an inline policy for the IAM user that allows them to assume the role created in the source account.
  4. Use the AssumeRole action and specify the ARN of the role in the source account.

Step 3: Assuming the Role and Accessing Resources

  1. Use AWS CLI or SDKs to assume the role from the IAM user in the destination account.
  2. Upon successful role assumption, you’ll receive temporary credentials.
  3. Set environment variables for the temporary credentials: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

Step 4: Verifying Access

  1. Use the temporary credentials to access resources in the source account (e.g., S3 bucket).


In this chapter, we’ve explored the concept of Cross Account Access and its significance in securely managing resources across AWS accounts. The traditional method of duplicating users across accounts poses challenges and security risks, which are elegantly addressed by Cross Account Access through IAM roles.

Through a hands-on demonstration, we walked through the process of setting up Cross Account Access – from defining IAM roles to assuming roles and accessing resources. By implementing this approach, organizations can ensure efficient, secure, and controlled sharing of resources across their AWS accounts, without compromising on security or user management. This marks a significant step towards optimizing the management of multi-account AWS environments.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top