...

Note

Note that the bad-actor Role had nothing to do with the creation of the example-role-NETID Role in our account or with configuring it to trust the bad-actor Role. The only way example-role-NETID could have been created or configured is by someone (or something) with appropriate IAM privileges in our account.

Part 1C – Remove access by the bad-actor Role

Note

Just because a Role within your AWS account trusts IAM Roles or Users from another account doesn't mean that access is inappropriate or unnecessary. Cross-account access is perfectly fine and often necessary. For example, that is how CloudCheckr accesses our Cornell AWS accounts to gather the information it uses to provide its services to Cornell.
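One way to separate expected cross-account trust from trust that needs review, as an added example that is not part of the original exercise: the function below reads a Role's trust policy document and classifies every AWS principal outside your own account. The account IDs, the role ARN, the sample policy and the function name `external_principals` are constructed placeholders.

```python
import json
import re

# Constructed sample trust policy for example-role-NETID (all account IDs are placeholders).
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111111111111:role/bad-actor"}},
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                         "arn:aws:iam::123456789012:role/local-admin"]}},
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": "ec2.amazonaws.com"}}
]}
""")

ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")

def external_principals(policy, own_account, expected_accounts=frozenset()):
    """Return (principal, verdict) pairs for AWS principals outside own_account."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or a map; only the "AWS" key names accounts.
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            match = ARN_ACCOUNT.match(p)
            if p == "*":
                findings.append((p, "any-account"))
            elif match or re.fullmatch(r"\d{12}", p):
                account = match.group(1) if match else p
                if account == own_account:
                    continue                  # same-account trust is out of scope here
                verdict = "expected" if account in expected_accounts else "review"
                findings.append((p, verdict))
            else:
                # e.g. an orphaned unique ID left behind when a trusted role was deleted
                findings.append((p, "unrecognized"))
    return findings

if __name__ == "__main__":
    for principal, verdict in external_principals(
            TRUST_POLICY, "123456789012", {"222222222222"}):
        print(f"{verdict:12} {principal}")
```

A principal marked "expected" belongs to an account you have deliberately allowed, such as a vendor's; anything marked "review" or "any-account" is what to examine before removing access.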

...