Level 300: Lambda Cross Account IAM Role Assumption

Authors

• Ben Potter, Security Lead, Well-Architected

Introduction

This lab demonstrates a Lambda function in AWS account 1 (the origin) using Python boto SDK to assume an IAM role in account 2 (the destination), then list the buckets. If you only have 1 AWS account simply repeat the instructions in that account and use the same account id.

If in classroom and you do not have 2 AWS accounts, buddy up to use each other’s accounts, agree who will be account #1 and who will be account #2.

The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework.

Goals

• Cross account role assumption
• Lambda assuming another role

Prerequisites

• An AWS account that you are able to use for testing, that is not used for production or other purposes.
• An IAM user with MFA enabled that can assume roles in your AWS account. NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier.

Steps:

• Create role for Lambda in account 2
• Create role for Lambda in account 1
• Create Lambda in account 1
• Tear down

References & useful resources

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html