AWS IAM policy template • IAM / STS

Cross-Account Read-Only Role

Let a trusted external account (e.g. a security tool or parent org account) read resources without write access.

Policy

Replace the placeholder values (TRUSTED_ACCOUNT_ID, YOUR-UNIQUE-EXTERNAL-ID, and any resource ARNs you add in place of "*") with your real identifiers before use.

{
  "TrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::TRUSTED_ACCOUNT_ID:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "YOUR-UNIQUE-EXTERNAL-ID"
          }
        }
      }
    ]
  },
  "IdentityPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadOnlyAccess",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket",
          "ec2:Describe*",
          "iam:Get*",
          "iam:List*"
        ],
        "Resource": "*"
      }
    ]
  }
}

Why it's scoped this way

  • The sts:ExternalId condition exists specifically to prevent the "confused deputy" problem — without it, anyone who learns the role ARN and has any foothold in TRUSTED_ACCOUNT_ID (including via a third-party SaaS that reuses account IDs across customers) could assume this role. Never omit it on a cross-account trust policy.
  • The External ID should be a long random value known only to you and the trusted party — treat it like a shared secret, not a label.
  • IdentityPolicy actions are all read verbs (Get/List/Describe) — no Put, Delete, Create, or Update anywhere, so even a leaked assumption of this role cannot modify the account.
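A small self-check that encodes the points above, as added example code (not Shieldly's analyzer): it walks the TrustPolicy/IdentityPolicy document shown above and reports an AssumeRole grant without sts:ExternalId, a placeholder or short ExternalId, a Principal of "*", and any action outside Get/List/Describe. It assumes every AWS principal in the trust policy is cross-account and that an ExternalId under 16 characters is too short (both are this example's assumptions, not AWS rules); it also notes that Resource "*" applies the read actions account-wide.

```python
# Added check for the TrustPolicy/IdentityPolicy bundle above (example code, not
# Shieldly's analyzer). Assumptions: every "AWS" principal in the trust policy is
# another account, and a still-templated or short ExternalId is reported as weak.
MIN_EXTERNAL_ID_LEN = 16  # assumed threshold, not an AWS limit
READ_VERBS = ("get", "list", "describe")


def _as_list(value):
    # IAM accepts a bare string anywhere it accepts a list.
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def check_trust_policy(trust):
    """Findings for AssumeRole grants that leave the confused-deputy gap open."""
    findings = []
    for stmt in _allow_statements(trust):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not aws_principals:  # service principals only: ExternalId does not apply
            continue
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if "*" in aws_principals:
            findings.append("trust: Principal '*' lets any AWS account assume the role")
        if not ext_ids:
            findings.append("trust: sts:ExternalId condition missing (confused deputy)")
        elif any(e.startswith("YOUR-") or len(e) < MIN_EXTERNAL_ID_LEN for e in ext_ids):
            findings.append("trust: sts:ExternalId is a placeholder or too short to be a secret")
    return findings


def check_identity_policy(identity):
    """Findings for actions outside Get/List/Describe, plus a note on unscoped resources."""
    findings = []
    for stmt in _allow_statements(identity):
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1].lower()  # "iam:Get*" -> "get*"
            if not verb.startswith(READ_VERBS):
                findings.append(f"identity: {action} is not a read-only action")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("identity: Resource '*' applies the read actions to every resource")
    return findings


def check_role(bundle):
    """Run both checks over a {"TrustPolicy": ..., "IdentityPolicy": ...} document."""
    return check_trust_policy(bundle["TrustPolicy"]) + check_identity_policy(bundle["IdentityPolicy"])
```

Run against the template exactly as pasted above it reports only the unfilled ExternalId and the Resource "*" note; once the placeholder is replaced and the resources are scoped, it returns an empty list.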

Hardening it further

  • Prefer AWS managed ReadOnlyAccess or SecurityAudit policies over hand-rolling this list if the consuming tool needs broad read access — they are curated and updated by AWS.
  • Add an aws:SourceIp condition if the trusted account's access should additionally be restricted by network origin, or an aws:PrincipalTag condition to limit which tagged principals in the trusted account may assume the role.

Paste your finished policy into the free AI-Powered IAM analyzer to catch anything you loosened while filling it in.

Check your finished policy — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.