
AWS · Identity · Cross-Account Trust

AWS Cross-Account Role Escalation

Principal LAB modeling deterministic AWS cross-account trust reachability through sts:AssumeRole, Shield finding linkage, and Aegis Runtime identity signal mapping.

Status: Principal
Shield Finding: shield-xacct-001
Aegis Signal: IDENTITY_DRIFT_DETECTED
Authority: OPA

Overview

This lab teaches how a permissive cross-account trust policy can create a deterministic privilege path from an external principal into a privileged AWS account role.

Read-only · Deterministic · Shield-linked · Aegis Runtime-linked

Concept Deep Dives

Expand these concepts when teaching cross-account trust and AssumeRole escalation.

What is cross-account trust?

Cross-account trust allows a principal in one AWS account to assume a role in another account. This is a normal enterprise pattern, but it must be constrained to specific trusted principals and conditions.

What is sts:AssumeRole?

sts:AssumeRole lets a principal request temporary credentials for a role. The final decision depends on both the caller's permissions and the target role's trust policy.

Why does trust policy shape blast radius?

A permissive trust policy can allow external identities to enter a privileged account boundary. If the target role has administrative permissions, the blast radius becomes the target account.

What should reviewers look for?
  • Trusting account root instead of specific roles.
  • Missing ExternalId conditions for third-party access.
  • Administrative target roles reachable from external accounts.
  • AssumeRole permissions that are broader than intended.
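The reviewer checklist above, turned into a trust-policy check, as an added Python example that is not part of the lab's own artifacts. The two trust policies, the account IDs and the ExternalId value are constructed placeholders; the check flags root trust, missing ExternalId for external accounts, and administrative roles reachable from outside the target account.

```python
import json

# Constructed sample trust policies; account IDs and the ExternalId are placeholders.
PERMISSIVE_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"
  }]
}""")

CONSTRAINED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/VendorIngest"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}}
  }]
}""")

def review_trust_policy(policy, target_account, target_is_admin):
    """Return reviewer findings for one role trust policy, keyed to the checklist."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue  # only Allow statements granting AssumeRole create an entry path
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        principals = [principals] if isinstance(principals, str) else principals
        conds = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in v for v in conds.values() if isinstance(v, dict))
        for p in principals:
            if p == "*":
                findings.append("wildcard principal may assume the role")
                continue
            parts = p.split(":")  # arn:partition:iam::ACCOUNT:resource
            account = parts[4] if len(parts) == 6 else None
            external = account is not None and account != target_account
            if p.endswith(":root"):
                findings.append(f"trusts account root {account} instead of a specific role")
            if external and not has_external_id:
                findings.append(f"external account {account} trusted without an ExternalId condition")
            if external and target_is_admin:
                findings.append(f"administrative role reachable from external account {account}")
    return findings
```

Run the check against each role's trust policy together with whether the role carries administrative permissions; an empty list means none of the checklist items fired.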

Identity Path

External Account Principal
    →
sts:AssumeRole
    →
Privileged Account Role
    →
AdministratorAccess / Expanded Blast Radius

Shield Detection

What Shield Detects

  • External principal is trusted by a target account role
  • Trust policy allows sts:AssumeRole
  • Target role has elevated or administrative permissions
  • The resulting path creates deterministic cross-account reachability risk

Finding Contract

Cross-Account Role Escalation Path Detected
shield-xacct-001

Aegis Runtime Mapping

This lab maps to Aegis Runtime / Decision Intelligence as a bounded identity integrity signal.

Expected Signal

IDENTITY_DRIFT_DETECTED

Decision Boundary

Runtime = source of truth
OPA = decision authority
Aegis = bounded intelligence
Frontend = rendering only

Governance Boundary

This lab is read-only and deterministic.

  • Does not exploit AWS
  • Does not mutate a customer environment
  • Does not deploy live infrastructure
  • Does not assume a real AWS role
  • Does not execute remediation
  • Does not override OPA
  • Does not treat Aegis as enforcement authority

Source Artifacts

metadata.json: Lab identity and maturity metadata
architecture.md: Trust model and deterministic reasoning
runtime-mapping.json: Aegis Runtime linkage contract
mgf-sync.lab.json: MGF ingestion sync artifact