In today’s multi-account AWS environments, granting cross-account access is crucial for managing resources securely and efficiently. By using AWS Identity and Access Management (IAM), you can create roles that allow users in one AWS account to access resources in another. This guide will walk you through the steps to create a role for cross-account access using an IAM role and an external ID, ensuring compliance with FedRAMP and leveraging Cloud Access Security Brokers (CASB) for enhanced security.

Prerequisites

Before you begin, ensure you have:

  • AWS Management Console access
  • Administrator privileges in both the source and target AWS accounts

Step-by-Step Guide

1. Sign in to the Target Account

Log in to the AWS Management Console of the account that owns the resources you want to grant access to (the target account).

2. Create an IAM Role

  • Navigate to the IAM service.
  • Select Roles from the left-hand menu.
  • Click Create role.
  • Choose Another AWS account as the trusted entity.
  • Enter the Account ID of the source account (the account that will assume the role).

3. Add External ID

  • Expand the Options section.
  • Enter a unique External ID. The source account must present this same value in its AssumeRole request; the role's trust policy rejects any request that omits it.
  • (Optional) Specify a Require MFA option if you want to enforce multi-factor authentication.

4. Attach Policies

  • Click Next: Permissions.
  • Attach the required policies that grant permissions to the target account’s resources. You can either use existing policies or create a custom policy.

5. Review and Create

  • Click Next: Tags (optional) to add tags to the role for easier management.
  • Click Next: Review to review your choices.
  • Enter a Role name and an optional Description.
  • Click Create role.

6. Grant Permission in the Source Account

  • Log in to the AWS Management Console of the source account.
  • Navigate to IAM and select Policies.
  • Click Create policy and define a policy that allows assuming the role in the target account. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<TARGET_ACCOUNT_ID>:role/<ROLE_NAME>"
        }
    ]
}

  • Attach this policy to the IAM user or group that will assume the role.

7. Assume the Role in the Source Account

Using the AWS SDK or CLI, you can now assume the role by providing the role ARN and the external ID. The call returns temporary credentials (access key ID, secret access key and session token) scoped to the target account. For example, using the AWS CLI:

aws sts assume-role \
    --role-arn arn:aws:iam::<TARGET_ACCOUNT_ID>:role/<ROLE_NAME> \
    --role-session-name SessionName \
    --external-id <EXTERNAL_ID>
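The steps above show the source-side policy and the CLI call but not the trust policy that the console writes for the role in steps 2 and 3, which is where the external ID is actually enforced. The following Python example is added here and is not part of the original guide; it builds both policy documents, includes a check that flags trust policies allowing a foreign account to assume a role without an sts:ExternalId condition, and performs step 7 through the boto3 STS API. The account IDs, role name, external ID and the DryRunSTS stand-in client are constructed placeholders; swap in boto3.client("sts") to run it against AWS.

```python
import json
import re

# Constructed placeholder values; replace with your own account IDs, role name and external ID.
TARGET_ACCOUNT_ID = "111111111111"   # owns the role and the resources
SOURCE_ACCOUNT_ID = "222222222222"   # assumes the role
ROLE_NAME = "CrossAccountAccessRole"
EXTERNAL_ID = "example-external-id-7f3a"


def role_arn(account_id: str, name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{name}"


def trust_policy(source_account_id: str, external_id: str, require_mfa: bool = False) -> dict:
    """Trust policy the console writes for steps 2-3: the source account may
    assume the role only when the call carries the matching external ID."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:  # the optional "Require MFA" checkbox from step 3
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


def assume_role_policy(target_account_id: str, name: str) -> dict:
    """Identity policy attached to the user or group in the source account (step 6)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn(target_account_id, name),
        }],
    }


def trust_policy_findings(policy: dict, owner_account_id: str = TARGET_ACCOUNT_ID) -> list:
    """Defensive check for an existing trust policy: report statements that let a
    wildcard or foreign-account principal assume the role with no sts:ExternalId
    condition. Principals in the role's own account are not reported."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        condition = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in keys for keys in condition.values() if isinstance(keys, dict)
        )
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
                continue
            m = re.match(r"arn:aws:iam::(\d{12}):", p)
            account = m.group(1) if m else p  # bare account IDs are also valid principals
            if account != owner_account_id and not has_external_id:
                findings.append(f"statement {i}: {p} may assume the role without an external ID")
    return findings


def assume_role(sts_client, target_account_id: str, name: str, external_id: str,
                session_name: str = "SessionName") -> dict:
    """Step 7 through the boto3 STS API: sts_client is boto3.client("sts") created
    with source-account credentials. Returns the temporary credentials."""
    response = sts_client.assume_role(
        RoleArn=role_arn(target_account_id, name),
        RoleSessionName=session_name,
        ExternalId=external_id,
    )
    return response["Credentials"]


class DryRunSTS:
    """Offline stand-in for the boto3 STS client (constructed for this example):
    records the request and returns made-up temporary credentials."""
    def __init__(self):
        self.last_request = None

    def assume_role(self, **kwargs):
        self.last_request = kwargs
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "constructed", "SessionToken": "constructed"}}


if __name__ == "__main__":
    print(json.dumps(trust_policy(SOURCE_ACCOUNT_ID, EXTERNAL_ID, require_mfa=True), indent=2))
    print(json.dumps(assume_role_policy(TARGET_ACCOUNT_ID, ROLE_NAME), indent=2))
    client = DryRunSTS()  # replace with boto3.client("sts") to call AWS
    print(assume_role(client, TARGET_ACCOUNT_ID, ROLE_NAME, EXTERNAL_ID)["AccessKeyId"])
    print(trust_policy_findings(trust_policy(SOURCE_ACCOUNT_ID, EXTERNAL_ID)))
```

The trust policy is the half of the setup the console hides: if its Condition block is ever edited away, the role becomes assumable by anyone in the source account who is allowed sts:AssumeRole, with nothing left to stop a third party from being tricked into assuming it on someone else's behalf. Running trust_policy_findings over the documents returned by iam:GetRole for each role in the target account is a cheap way to catch that drift.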

Conclusion

Following these steps, you can securely grant cross-account access using AWS IAM roles and external IDs, ensuring compliance with FedRAMP standards and leveraging Cloud Access Security Brokers (CASB) to enhance security. This setup secures your AWS environment and streamlines cross-account resource management.

References

AWS IAM User Guide: How to use an external ID when granting access to your AWS resources to a third party