A company is using AWS Organizations with a multi-account architecture.

Resource-based policies are policies that you attach to a resource, such as an IAM role, to specify who can access the resource and what actions they can perform on it1. Identity-based policies are policies that you attach to an IAM user, group, or role to specify what actions they can perform on which resources2. Trust policies are special types of resource-based policies that define which principals (such as IAM users or roles) can assume a role3.

To allow an IAM user in Account A to assume a role in Account B, the solutions architect needs to do the following:

Configure the resource-based policy on the target role in Account B to allow the action sts:AssumeRole for the IAM user in Account A. This policy grants permission to the IAM user to assume the role4.

Configure the identity-based policy on the user in Account A to allow the action sts:AssumeRole for the target role in Account B. This policy grants permission to the user to perform the action of assuming the role5.

Configure the trust policy on the target role in Account B to allow the principal of the IAM user in Account A. This policy defines who can assume the role.

Resource-based policies

Identity-based policies

Trust policies

Granting a user permissions to switch roles

Switching roles

[Modifying a role trust policy]