Subscribe to the Non-Human & AI Identity Journal

How should security teams govern AWS cross-account trust policies?

Security teams should govern AWS cross-account trust as a hierarchy problem, not a simple permission setting. Each trust path should be reviewed for source account sensitivity, destination account sensitivity, and the downstream privileges it unlocks. The safest pattern is downstream-only trust, where less secure accounts never assume roles in more sensitive environments.

Why This Matters for Security Teams

Cross-account trust in AWS is rarely just an IAM hygiene issue. It is a privilege propagation problem: one role assumption can unlock data movement, deployment rights, or administrative reach across multiple accounts. That is why governance has to evaluate the source account, the destination account, and the privileges behind the trusted role, not just the trust policy text. NIST Cybersecurity Framework 2.0 reinforces this risk-based approach to access governance, and NHIMG’s Top 10 NHI Issues highlights how over-privileged non-human access and weak lifecycle controls turn trust relationships into attack paths.

The practical danger is that trust policies often age faster than the workloads they support. A relationship created for one integration later gets reused by a different team, a pipeline, or an automation service, and the original risk review is forgotten. Once that happens, a compromise in the less sensitive account can become a direct stepping stone into the more sensitive one. In practice, many security teams discover cross-account abuse only after a pipeline, vendor integration, or automation role has already been used to reach a higher-value environment.

How It Works in Practice

Effective governance starts by treating each trust path as a documented dependency with an owner, a business purpose, and a blast radius. The most secure pattern is downstream-only trust, where less sensitive accounts may be allowed to assume narrowly scoped roles in more sensitive accounts, but not the reverse. That reduces the chance that a development or tooling account becomes an entry point into production or regulated environments.

Security teams should review each trust policy for three questions: what can assume the role, what conditions must be met, and what the assumed role can do after entry. In AWS, that usually means checking principal scope, external ID usage where appropriate, session duration, permission boundaries, and whether the target role can chain into even broader access. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because trust policy review should be part of continuous lifecycle control, not a one-time architecture task.

  • Inventory every cross-account trust relationship and map it to a named service, pipeline, or owner.
  • Classify both accounts by sensitivity, then prohibit reverse trust from lower trust zones into higher trust zones unless there is a documented exception.
  • Limit principals to the narrowest possible identity, not a broad account or wildcard pattern.
  • Use explicit conditions, short session durations, and monitoring on every AssumeRole event.
  • Review downstream permissions, because a harmless-looking trust can still unlock powerful actions after role assumption.

For operational baselines, the NIST Cybersecurity Framework 2.0 supports this kind of access governance, while NHIMG’s 230M AWS environment compromise research shows how quickly cloud trust mistakes can become systemic exposure. These controls tend to break down when organisations rely on inherited trust between accounts that were never designed to share the same security boundary.

Common Variations and Edge Cases

Tighter trust controls often increase operational overhead, requiring teams to balance security isolation against deployment speed and platform reuse. That tradeoff becomes sharper in organisations with shared services, centralized CI/CD, or third-party integrations, where one role may legitimately serve many accounts. Current guidance suggests using explicit exceptions with compensating controls rather than broad reusable trust, but there is no universal standard for this yet.

One common edge case is break-glass access. Emergency access roles may need broader trust than normal production roles, but they should still be isolated, heavily logged, and time-bounded. Another is vendor access, where an external principal may require cross-account assumptions to support automation. In those cases, the trust path should be narrower than the normal human admin path and should be reviewed as part of third-party risk management. NHIMG’s The State of Non-Human Identity Security is a useful reminder that poor rotation, weak logging, and over-privileged accounts are still among the most common failure modes.

Security teams should also watch for role chaining, because a trust policy that looks limited on first entry can become much broader after the assumed role is used inside the destination account. That is why trust governance has to include downstream permissions and session behavior, not just the initial assume condition. The safest rule remains simple: if a lower-trust account can assume into a higher-trust account, every subsequent permission path must be assumed compromised until proven otherwise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Cross-account trust depends on controlling credential lifecycle and misuse risk.
NIST CSF 2.0 PR.AC-4 Directly addresses least-privilege access management across accounts.
NIST Zero Trust (SP 800-207) SC-7 Cross-account trust should be treated as a trust-boundary decision.

Constrain cross-account assumptions with explicit trust boundaries and continuous verification.