Cross-account access reviewed
Demonstrate that all cross-account access permissions are inventoried, reviewed at defined intervals, supported by documented business justifications, and that unauthorized or obsolete trust relationships are identified and remediated.
Description
What this control does
Cross-account access reviewed is a control requiring periodic evaluation of every trust relationship, IAM role, resource-based policy and federated access configuration that lets users or services in one cloud account (or tenant) reach resources in another. Organizations maintain an inventory of these grants, record the business justification for each, and conduct scheduled reviews, typically quarterly or semi-annually, to identify and revoke access that is no longer needed or is broader than its justification supports. The control prevents privilege creep, limits the blast radius of a compromised external account, and keeps external trust relationships aligned with current business needs and least-privilege principles.
Control objective
What auditing this proves
Demonstrate that all cross-account access permissions are inventoried, reviewed at defined intervals, supported by documented business justifications, and that unauthorized or obsolete trust relationships are identified and remediated.
Associated risks
Risks this control addresses
- Compromised external account leveraging stale cross-account trust to exfiltrate sensitive data or deploy ransomware laterally across cloud environments
- Overprivileged cross-account IAM roles granting broader permissions than required, violating least-privilege and enabling unauthorized resource modification
- Orphaned trust relationships to decommissioned accounts or former business partners persisting indefinitely and creating hidden attack vectors
- Lack of visibility into federated or assumed-role access patterns enabling insider threats to pivot across organizational boundaries undetected
- Unauthorized cross-account access established by rogue administrators or developers bypassing change control and security approval processes
- Compliance violations due to unreviewed third-party vendor access exceeding contract scope or data processing agreements
- Resource hijacking or cryptomining attacks originating from trusted external accounts whose security posture has degraded over time
Testing procedure
How an auditor verifies this control
- Obtain the organization's inventory of all cross-account access relationships, including IAM roles with cross-account trust policies, resource-based policies granting external principal access, and federation configurations.
- Review the documented cross-account access review policy to confirm review frequency, ownership assignments, approval workflows, and criteria for retaining or revoking access.
- Select a representative sample of cross-account trust relationships spanning different service types (compute, storage, database) and external entities (partners, vendors, subsidiaries).
- For each sampled relationship, retrieve the most recent review record including reviewer identity, review date, business justification, and approval evidence.
- Compare the inventory timestamp and review dates to the policy-mandated review frequency to identify overdue reviews or gaps in the review cycle.
- Cross-reference each sampled cross-account role or policy against current business documentation (contracts, project charters, system architecture diagrams) to verify ongoing business need.
- Examine cloud audit logs (CloudTrail, Azure Activity Log, GCP Cloud Audit Logs) for the sampled cross-account roles to verify that actual usage (which external principals assumed the role, how often, and when it was last used) matches the documented justification; a trust relationship that has not been exercised within a full review cycle is a candidate for removal.
- Validate that remediation actions—such as role deletion, policy restriction, or condition tightening—were implemented for any access identified as obsolete or excessive during prior reviews by examining change tickets and configuration history.
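One way to automate the inventory, log-usage and review-frequency checks listed above, together with the stale-trust detection the description calls for, is a triage script like the following. It is an added example and not part of this control page: it assumes AWS-style IAM trust policy documents, CloudTrail AssumeRole* events and a simple review-record structure, and every account ID, role name, timestamp, justification and threshold in it is constructed for the example.

```python
# Added example: triage a cross-account trust inventory. Trust policies, CloudTrail
# events, review records, account IDs and thresholds are all constructed for this example.
import re
from datetime import datetime, timedelta, timezone

OWN_ACCOUNTS = {"111111111111"}                   # assumed: the org's own account(s)
REVIEW_INTERVAL = UNUSED_AFTER = timedelta(days=90)  # assumed: quarterly reviews; no use in a cycle = dormant
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock keeps the results deterministic
ACCOUNT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")
TRUST_POLICIES = {  # constructed inventory: role name -> the role's IAM trust policy document
    "VendorReadOnly": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
        "Condition": {"StringEquals": {"sts:ExternalId": "vendor-msa-2023-17"}}}]},
    "LegacyPartner": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::888888888888:role/Deploy"}}]},
    "OpenAssume": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "*"}}]},
    "GitHubDeploy": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
        "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*"}}}]},
}
ASSUME_EVENTS = [  # constructed CloudTrail records, trimmed to the fields this check reads
    {"eventName": "AssumeRole", "eventTime": "2024-05-28T10:00:00Z",
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/VendorReadOnly"}},
    {"eventName": "AssumeRole", "eventTime": "2023-11-02T08:30:00Z",
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/LegacyPartner"}},
    {"eventName": "AssumeRoleWithWebIdentity", "eventTime": "2024-05-31T06:15:00Z",
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/GitHubDeploy"}},
]
REVIEW_RECORDS = {  # constructed review records: role name -> latest review (OpenAssume has none)
    "VendorReadOnly": {"reviewed": "2024-04-10", "justification": "MSA-2023-17 log export"},
    "LegacyPartner": {"reviewed": "2023-09-01", "justification": "partner deploys (contract ended)"},
    "GitHubDeploy": {"reviewed": "2024-03-15", "justification": "CI deploys from example-org"},
}

def parse_ts(value):
    """ISO-8601 date or timestamp (trailing 'Z' accepted) -> aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def trusted_principals(policy):
    """Yield (kind, identity, statement) for each Allow statement granting sts:AssumeRole*.
    kind: 'anyone' (wildcard), 'account' (12-digit ID) or 'federated' (SAML/OIDC provider)."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:AssumeRole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                 # bare wildcard form of the Principal element
            principal = {"AWS": "*"}
        for key in ("AWS", "Federated"):
            values = principal.get(key, [])
            for value in ([values] if isinstance(values, str) else values):
                if key == "Federated":       # provider ARN carries our account ID, users are external
                    yield "federated", value, stmt
                elif value == "*":
                    yield "anyone", "*", stmt
                else:                        # full ARN or bare 12-digit account ID
                    m = ACCOUNT_ARN.match(value)
                    yield "account", (m.group(1) if m else value), stmt

def has_external_id(stmt):
    """True when the statement pins sts:ExternalId (confused-deputy protection for third parties)."""
    return any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())

def last_assumption(role_name, events):
    """Most recent AssumeRole* event for the role, or None if it was never assumed."""
    times = [parse_ts(e["eventTime"]) for e in events if e["eventName"].startswith("AssumeRole")
             and e.get("requestParameters", {}).get("roleArn", "").endswith(f":role/{role_name}")]
    return max(times) if times else None

def assess(role_name, policy, events, reviews, now=NOW):
    """Sorted findings for one role; an empty list means nothing to act on."""
    findings = set()
    for kind, identity, stmt in trusted_principals(policy):
        if kind == "anyone":
            findings.add("wildcard_principal")      # any AWS principal may assume the role
        elif kind == "federated":
            findings.add("federated_principal")     # review the IdP and its sub/aud conditions
        elif identity not in OWN_ACCOUNTS:
            findings.add("external_account")
            if not has_external_id(stmt):
                findings.add("missing_external_id")
    last = last_assumption(role_name, events)
    if last is None or now - last > UNUSED_AFTER:
        findings.add("unused")                      # dormant trust: candidate for removal
    record = reviews.get(role_name)
    if record is None:
        findings.add("never_reviewed")
    elif now - parse_ts(record["reviewed"]) > REVIEW_INTERVAL:
        findings.add("review_overdue")
    return sorted(findings)

def assess_inventory(policies=TRUST_POLICIES, events=ASSUME_EVENTS, reviews=REVIEW_RECORDS, now=NOW):
    return {name: assess(name, pol, events, reviews, now) for name, pol in policies.items()}

if __name__ == "__main__":
    print(*(f"{r}: {', '.join(f) or 'OK'}" for r, f in assess_inventory().items()), sep="\n")
```

Run as a script it prints one line per role; assess_inventory() returns the same findings as data so they can feed a ticket or GRC workflow. With the constructed inputs, VendorReadOnly is flagged only as an external account (it has an ExternalId, is in use and was reviewed on time), LegacyPartner collects the dormant, unreviewed and missing-ExternalId findings an auditor would expect from an ended engagement, and OpenAssume shows the wildcard principal that no review record ever covered. Federated trusts are reported for manual review rather than treated as internal, because an OIDC or SAML provider ARN carries the owning account's ID while the identities it admits are controlled by the external provider; the conditions on the token's subject and audience are what bound that trust.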
Where this control is tested