Today I learned! AWS gives you the ability to allow users of one account (let’s give it account number 5555–5555–5555) to assume a role in another (we’ll give it 6666–6666–6666). This is pretty straightforward stuff that, as an AWS administrator, you’ll learn sooner rather than later. AWS provides a tutorial here: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
What I learned is that you can further restrict access to the role to certain users within an account with a properly crafted conditional statement. I’ve wondered about this for a long time and either a co-worker or someone much smarter than myself figured it out. Thanks, smart person!
Let’s examine the trust policy of such an IAM role. In the 6666–6666–6666 account, there’s a role called “RemoteAdmins,” so its ARN is arn:aws:iam::666666666666:role/RemoteAdmins. Its trust policy states two things. First, users assuming the role must have already authenticated using two-factor auth (aws:MultiFactorAuthPresent = true). Second, only selected users from the 5555–555–5555 account may assume this role (StringEquals = aws:username, being one of the usernames in the list).
Brilliant! Unfortunately, I’m not aware of a way to declare that only members of a group may assume a role. If you are aware a way to grant cross-account access to groups, drop a comment :)