Cross-account access in AWS allows resources or users in one AWS account to securely access resources in another AWS account.
Key Uses:
Share resources between accounts
Example: Allow an EC2 instance in Account A to access an S3 bucket in Account B.
Centralized management
Organizations can centralize IAM roles, logging, or monitoring across multiple accounts.
Security and least privilege
Instead of sharing credentials, AWS uses roles and policies to grant temporary access.
Multi-account architectures
Useful in enterprises that separate environments (dev, test, prod) into different accounts but need selective access between them.
How It Works (High-Level)
Account B defines a role with permissions.
Account A is allowed to assume that role using AWS STS (Security Token Service).
Temporary credentials are issued, granting access to Account B’s resources.