Multi-account AWS (or multi-subscription Azure / multi-project GCP) is the norm. Production in one account, staging in another, security tooling in a third, sometimes dozens of accounts across business units. Each cross-account boundary is a potential attack surface β and when misconfigured, a path from one compromised account to many.
Why multi-account
- Blast-radius limitation β a compromised prod account shouldn’t affect staging
- Compliance β isolate regulated workloads
- Billing separation by team/product
- Quota isolation
- Principle of least privilege across teams
Cross-account trust β the sharp edges
Over-broad trust policies
Classic mistake:
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::999999999999:root"},
"Action": "sts:AssumeRole"
}“:root” in trust policy means “any principal in account 999 with AssumeRole permission can assume this role.” You’ve delegated trust to the entire other account β including any compromised user or service there.
π Advanced Module Β· Pro Tier
Continue reading with Pro tier (βΉ4,999/year)
You've read 27% of this module. Unlock the remaining deep-dive, quiz, and every other Advanced/Expert module.
136+ modulesAll levels up to this tier
20-question quizzesUnlimited retries with explanations
Completion certificatesShareable on LinkedIn
5 more sections locked below