Level 300: Lambda Cross Account IAM Role Assumption


  • Ben Potter, Security Lead, Well-Architected


This lab demonstrates a Lambda function in AWS account 1 (the origin) using the Python boto SDK to assume an IAM role in account 2 (the destination) and then list the buckets. If you only have one AWS account, simply repeat the instructions in that account and use the same account ID.

If you are in a classroom and do not have two AWS accounts, buddy up to use each other’s accounts, and agree who will be account #1 and who will be account #2.

The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework.
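The flow described above, sketched as an added example (not the lab's own code): a handler in the origin account calls STS AssumeRole on the destination role and lists buckets with the temporary credentials it gets back. It assumes boto3 as provided in the Lambda Python runtime; the environment variable `DESTINATION_ROLE_ARN` and the session name are hypothetical.

```python
import os


def assume_role(sts_client, role_arn, session_name="lambda-cross-account"):
    """Call sts:AssumeRole on the destination role; return temporary credentials."""
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,  # appears in the destination account's CloudTrail
        DurationSeconds=900,           # shortest lifetime STS allows
    )
    return resp["Credentials"]


def list_bucket_names(s3_client):
    """Return bucket names visible to the credentials behind s3_client."""
    return [b["Name"] for b in s3_client.list_buckets().get("Buckets", [])]


def run(role_arn, sts_client, s3_factory):
    """Assume the role, build an S3 client from the session credentials, list buckets."""
    creds = assume_role(sts_client, role_arn)
    s3 = s3_factory(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return list_bucket_names(s3)


def lambda_handler(event, context):
    import boto3  # imported here so the helpers above can be exercised without boto3

    # Hypothetical variable holding the destination role ARN, e.g.
    # arn:aws:iam::<destination-account-id>:role/<role-name>
    role_arn = os.environ["DESTINATION_ROLE_ARN"]
    buckets = run(
        role_arn,
        boto3.client("sts"),  # uses the Lambda execution role in the origin account
        lambda **kw: boto3.client("s3", **kw),
    )
    return {"buckets": buckets}
```

For the call to succeed, the Lambda execution role needs `sts:AssumeRole` on the destination role's ARN, and the destination role's trust policy must name the origin account or role as a principal.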


  • Cross account role assumption
  • Lambda assuming another role


  • An AWS account that you are able to use for testing, that is not used for production or other purposes.
  • An IAM user with MFA enabled that can assume roles in your AWS account.

NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier.


References & useful resources