Cloud & Infrastructure Practical By Samson Tanimawo, PhD Published Jun 7, 2026 4 min read

The Cross-Account Role Pattern That Scales

Most cross-account access starts as bespoke and ends as a tangle. The pattern that scales rests on consistent role naming, scoping, and trust relationships.

Naming

RoleName format: one fixed, hyphen-separated template for every role. Example: BackupRole-prod-from-backup-account.

Predictable; greppable; auditable.

Scoping

Each role: minimum necessary permissions. No wildcards on resources.

Time-bound where possible. STS sessions instead of permanent roles.

Trust

The trust policy names the exact principal and requires an external ID. That prevents confused-deputy attacks.

Reviewed annually: trust relationships drift, and the review re-validates them.
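An offline checker for the three rules above (naming, scoping, trust), added here as an example and not code from the original post. It assumes the regex is my own encoding of the example name, that one hour is the session ceiling, and that the account IDs, ARNs and external ID in the sample policies are constructed placeholders.

```python
import re

# Assumption: this regex is my encoding of the example BackupRole-prod-from-backup-account.
ROLE_NAME_RE = re.compile(r"^[A-Za-z]+Role-[a-z]+-from-[a-z0-9-]+$")

def audit_role(name, trust_policy, permissions_policy, max_session_seconds):
    """Return a list of findings; an empty list means the role follows the pattern."""
    findings = []
    if not ROLE_NAME_RE.match(name):
        findings.append(f"name '{name}' does not follow Purpose-env-from-source")
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal", "*")
        aws = principal.get("AWS", "*") if isinstance(principal, dict) else "*"
        for p in ([aws] if isinstance(aws, str) else aws):
            # Exact principal: a specific IAM role/user ARN, not "*" and not an account root.
            if p == "*" or p.endswith(":root") or not p.startswith("arn:aws:iam::"):
                findings.append(f"trust principal '{p}' is not an exact IAM principal")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust statement has no sts:ExternalId condition")
    for stmt in permissions_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        for r in ([resources] if isinstance(resources, str) else resources):
            if "*" in r:  # no wildcards on resources, partial or full
                findings.append(f"permission statement uses wildcard resource '{r}'")
    if max_session_seconds > 3600:  # assumption: one hour as the time-bound ceiling
        findings.append(f"MaxSessionDuration {max_session_seconds}s exceeds one hour")
    return findings

# Constructed sample policies; account IDs, ARNs and the external ID are placeholders.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/BackupRunner"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::example-backup-bucket/prod/archive.tar"]}]}
BAD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_role("BackupRole-prod-from-backup-account", GOOD_TRUST, GOOD_PERMS, 3600))
    print(audit_role("backup", BAD_TRUST, BAD_PERMS, 43200))
```

Running it against the two constructed roles prints an empty list for the conforming one and five findings for the other, one per violated rule.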