Cross-Account Read-Only Role
Let a trusted external account (e.g. a security tool or parent org account) read resources without write access.
Policy
Replace the placeholder values (TRUSTED_ACCOUNT_ID and YOUR-UNIQUE-EXTERNAL-ID) with your real identifiers before use. TrustPolicy is the role's trust relationship and IdentityPolicy is the permissions policy attached to the role; the wrapper object is only how this template groups the two documents, and each is applied to the role separately.
{
  "TrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::TRUSTED_ACCOUNT_ID:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "YOUR-UNIQUE-EXTERNAL-ID"
          }
        }
      }
    ]
  },
  "IdentityPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadOnlyAccess",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket",
          "ec2:Describe*",
          "iam:Get*",
          "iam:List*"
        ],
        "Resource": "*"
      }
    ]
  }
}
Why it's scoped this way
- The sts:ExternalId condition exists specifically to prevent the "confused deputy" problem. The risk is a trusted party (typically a SaaS scanner) that uses a single AWS account for all of its customers: without the condition, another customer of that service could hand it your role ARN and have the service assume your role on their behalf. The external ID ties the role to the one integration that is supposed to use it. Never omit it on a cross-account trust policy. Note also that trusting arn:aws:iam::TRUSTED_ACCOUNT_ID:root delegates the decision to that account's administrators: any principal there that is granted sts:AssumeRole on your role ARN can assume it.
- The External ID should be a long random value, unique per integration (many providers generate it for you during onboarding). It is not a credential: AWS does not treat it as a secret, and it sits in plain text in the trust policy, so it narrows who can use the role but does not replace the Principal check.
- IdentityPolicy actions are all read verbs (Get/List/Describe), with no Put, Delete, Create, or Update anywhere, so even if the wrong party assumes this role it cannot modify the account. Read-only is not the same as harmless, though: s3:GetObject on Resource "*" returns the contents of every object in every bucket, ec2:Describe* includes ec2:DescribeInstanceAttribute, which can return instance user data, and iam:Get*/iam:List* map out every user, role, and policy in the account. Scope s3:GetObject to the bucket ARNs the tool actually needs.
Hardening it further
- Prefer the AWS managed ReadOnlyAccess or SecurityAudit policies over hand-rolling this list if the consuming tool needs broad read access; they are curated and updated by AWS. Choose deliberately: ReadOnlyAccess includes data reads such as s3:GetObject across services, while SecurityAudit is metadata-oriented and does not include s3:GetObject, which is usually all a security tool needs.
- Narrow the principal: replace the account-wide :root with the specific role the tool uses, or keep :root and add an aws:PrincipalArn condition naming that role. Add an aws:SourceIp condition only if the trusted party calls AssumeRole from a fixed set of public IP ranges; that key restricts network origin, whereas aws:PrincipalTag matches tags on the calling principal and restricts which roles in the trusted account qualify, not where they call from.
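The checks from the two sections above, as an offline script added here (it is not Shieldly's analyzer and not an AWS tool). It lints the template's trust and identity policies for the problems discussed (missing or placeholder ExternalId, open or account-wide principal, non-read verbs, data-returning reads on Resource "*") and shows the narrowed trust policy. The account ID 111122223333, the role name scanner, and the CIDR 203.0.113.0/24 are constructed placeholders.

```python
"""Offline sanity checks for a cross-account read-only role.

Example added to this page; not Shieldly's analyzer and not an AWS tool.
Assumes the two policy documents are Python dicts in the template's shape.
"""
import copy
import re
import secrets
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# The page's template with constructed values (111122223333 is a documentation-style account ID).
TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "YOUR-UNIQUE-EXTERNAL-ID"}},
    }],
}
IDENTITY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyAccess",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "ec2:Describe*", "iam:Get*", "iam:List*"],
        "Resource": "*",
    }],
}

# Only Get/List/Describe verbs count as read-only; a bare "*" or "iam:*" fails this.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z0-9*]*$")
PLACEHOLDER = re.compile(r"YOUR[-_]|ACCOUNT_ID|REGION", re.IGNORECASE)
# Read actions that return data rather than metadata; wildcards are expanded against this list.
DATA_RETURNING = {"ec2:DescribeInstanceAttribute": "can return instance user data"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc: Dict[str, Any]) -> List[str]:
    """Findings for a trust policy: open principal, missing/weak ExternalId, unnarrowed :root."""
    findings: List[str] = []
    for st in _as_list(doc.get("Statement", [])):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(fnmatchcase("sts:AssumeRole", a) for a in actions):
            continue
        principal = st.get("Principal", {})
        raw = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = [str(p) for p in _as_list(raw)]
        cond = st.get("Condition", {})
        external_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if "*" in principals:
            findings.append("Principal '*': any AWS account may assume this role")
        if external_id is None:
            findings.append("no sts:ExternalId condition: confused-deputy protection is missing")
        elif PLACEHOLDER.search(str(external_id)) or len(str(external_id)) < 32:
            findings.append("sts:ExternalId is a placeholder or short: use a long random value")
        narrowed = any("aws:PrincipalArn" in cond.get(op, {}) for op in ("ArnEquals", "ArnLike"))
        if any(p.endswith(":root") for p in principals) and not narrowed:
            findings.append("trusts the whole account (:root) without an aws:PrincipalArn condition")
    return findings


def lint_identity_policy(doc: Dict[str, Any]) -> List[str]:
    """Findings for the permissions policy: non-read verbs and broad data-returning reads."""
    findings: List[str] = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [str(a) for a in _as_list(st.get("Action", []))]
        resources = [str(r) for r in _as_list(st.get("Resource", []))]
        for action in actions:
            if not READ_ONLY_ACTION.match(action):
                findings.append(f"{action}: not a Get/List/Describe action")
            for name, why in DATA_RETURNING.items():
                if fnmatchcase(name, action):  # catches 'ec2:Describe*', not just the literal name
                    findings.append(f"{action} covers {name}, which {why}")
        if any(fnmatchcase("s3:GetObject", a) for a in actions) and "*" in resources:
            findings.append("s3:GetObject on Resource '*': every object in every bucket is readable")
    return findings


def new_external_id() -> str:
    return secrets.token_urlsafe(32)  # 43 URL-safe characters from 256 bits of randomness


def with_external_id(doc: Dict[str, Any], external_id: str) -> Dict[str, Any]:
    """Copy of the trust policy with the ExternalId placeholder replaced."""
    out = copy.deepcopy(doc)
    for st in _as_list(out["Statement"]):
        st.setdefault("Condition", {}).setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    return out


def harden_trust_policy(doc: Dict[str, Any], trusted_role_arn: str, source_cidrs: List[str]) -> Dict[str, Any]:
    """Copy narrowed to one role in the trusted account and to its egress CIDRs.
    Assumes the trusted party calls AssumeRole from the public internet, so aws:SourceIp is set."""
    out = copy.deepcopy(doc)
    for st in _as_list(out["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        cond = st.setdefault("Condition", {})
        cond.setdefault("ArnEquals", {})["aws:PrincipalArn"] = trusted_role_arn
        cond.setdefault("IpAddress", {})["aws:SourceIp"] = list(source_cidrs)
    return out


if __name__ == "__main__":
    for name, findings in (("trust", lint_trust_policy(TRUST_POLICY)),
                           ("identity", lint_identity_policy(IDENTITY_POLICY))):
        print(f"{name} policy: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
    hardened = harden_trust_policy(with_external_id(TRUST_POLICY, new_external_id()),
                                   "arn:aws:iam::111122223333:role/scanner",  # constructed
                                   ["203.0.113.0/24"])                         # constructed (TEST-NET-3)
    print("hardened trust policy findings:", lint_trust_policy(hardened))
```

Run it as-is to see the template's findings, then point lint_trust_policy and lint_identity_policy at your filled-in documents (json.load the two policies). The ec2 finding is informational: if the tool needs ec2:Describe*, keep it, but make sure nobody writes secrets into user data. The harden step deliberately keeps :root as the Principal and narrows with aws:PrincipalArn, so the trusted party can rename or recreate its role without the trust breaking at the Principal level while you still control which role qualifies.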
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.