Level 300: Lambda Cross Account IAM Role Assumption
- Ben Potter, Security Lead, Well-Architected
This lab demonstrates a Lambda function in AWS account 1 (the origin) using Python boto SDK to assume an IAM role in account 2 (the destination), then list the buckets. If you only have 1 AWS account simply repeat the instructions in that account and use the same account id.
If in classroom and you do not have 2 AWS accounts, buddy up to use each other’s accounts, agree who will be account #1 and who will be account #2.
The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework.
- Cross account role assumption
- Lambda assuming another role
- An AWS account that you are able to use for testing, that is not used for production or other purposes.
- An IAM user with MFA enabled that can assume roles in your AWS account.
NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier.
References & useful resources