PROD Account (111111111111)
1: Create the IAM role ProdS3AccessRole with a permissions policy scoped to the S3 actions and buckets the Ops group actually needs (least privilege), not blanket s3:*
2: Establish the trust relationship: the role's trust policy names the DEV AWS account (222222222222) as a principal allowed to call sts:AssumeRole. Trusting the account (arn:aws:iam::222222222222:root) delegates the choice of which DEV users may assume the role to DEV's own IAM policies, so PROD should keep its own guardrails (MFA condition, short maximum session duration) in the trust policy
DEV Account (222222222222)
Grant users in the Ops group permission to assume ProdS3AccessRole in the PROD account
1: Create a customer managed policy ProdS3AccessPolicy that allows the sts:AssumeRole action on exactly one resource, the role ARN (arn:aws:iam::111111111111:role/ProdS3AccessRole), and nothing else
2: Attach the policy to the Ops group, so every user in the group inherits it
(Optional) 3: Require MFA for assuming the role with the condition aws:MultiFactorAuthPresent = true. Put the condition in the PROD role's trust policy rather than only in the DEV policy: DEV administrators can edit or detach the DEV policy, but cannot change what PROD enforces
What happens when a DEV account Ops user requests access to the PROD account role?
1: The Ops user calls sts:AssumeRole on arn:aws:iam::111111111111:role/ProdS3AccessRole (for example from the AWS CLI), supplying the MFA device serial number and token code if MFA is required
2: AWS STS evaluates both sides: the user's identity-based policy in DEV must allow sts:AssumeRole on that role ARN, and the role's trust policy in PROD must allow the DEV principal and any conditions (such as MFA) must be satisfied. If either check fails the call returns AccessDenied
3: STS returns temporary credentials for the role session (AccessKeyId, SecretAccessKey, SessionToken). The user calls S3 in PROD with those credentials, carrying only the permissions of ProdS3AccessRole, until they expire (1 hour by default, bounded by the role's maximum session duration)
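The whole procedure, both the PROD and DEV setup steps above and the AssumeRole flow, as AWS CLI commands. This is an added example, not code from the original page. It assumes AWS CLI v2 with three configured profiles: prod-admin (an administrator in PROD, 111111111111), dev-admin (an administrator in DEV, 222222222222) and dev-ops (a user in the DEV Ops group with an MFA device). The bucket name prod-example-bucket, the session name, the policy name S3ReadOnly and the MFA device ARN in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): cross-account role setup and
# AssumeRole flow with the AWS CLI. Assumed profiles: prod-admin, dev-admin,
# dev-ops. Bucket name and MFA ARN are placeholders.
set -eu

PROD_ACCOUNT=111111111111
DEV_ACCOUNT=222222222222
ROLE_NAME=ProdS3AccessRole
ROLE_ARN="arn:aws:iam::${PROD_ACCOUNT}:role/${ROLE_NAME}"
BUCKET=prod-example-bucket   # placeholder bucket name

# Trust policy for the PROD role: only the DEV account may assume it, and only
# with MFA. Trusting the account root delegates the "which user" decision to
# DEV's IAM policies; the MFA condition lives here so DEV admins cannot drop it.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${1}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
EOF
}

# Permissions policy for the PROD role: read-only on one bucket (least privilege).
s3_permissions_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::${1}"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::${1}/*"}
  ]
}
EOF
}

# DEV-side customer managed policy: allows AssumeRole on exactly one role ARN.
assume_role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "${1}"
  }]
}
EOF
}

# PROD account, steps 1 and 2: create the role with its trust policy, attach permissions.
setup_prod() {
  aws --profile prod-admin iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$DEV_ACCOUNT")"
  aws --profile prod-admin iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name S3ReadOnly --policy-document "$(s3_permissions_policy "$BUCKET")"
}

# DEV account, steps 1 and 2: create ProdS3AccessPolicy and attach it to the Ops group.
setup_dev() {
  policy_arn=$(aws --profile dev-admin iam create-policy --policy-name ProdS3AccessPolicy \
    --policy-document "$(assume_role_policy "$ROLE_ARN")" \
    --query Policy.Arn --output text)
  aws --profile dev-admin iam attach-group-policy --group-name Ops --policy-arn "$policy_arn"
}

# The flow: an Ops user in DEV assumes the PROD role with an MFA code, receives
# temporary credentials, and lists the bucket in PROD with them. Without
# --serial-number/--token-code the call is denied by the trust-policy condition.
assume_and_list() {
  mfa_serial=$1
  mfa_code=$2
  creds=$(aws --profile dev-ops sts assume-role --role-arn "$ROLE_ARN" \
    --role-session-name ops-s3-session --duration-seconds 3600 \
    --serial-number "$mfa_serial" --token-code "$mfa_code" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  # --output text returns the three values tab-separated; word splitting is intended.
  set -- $creds
  export AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 AWS_SESSION_TOKEN=$3
  aws sts get-caller-identity   # arn:aws:sts::111111111111:assumed-role/ProdS3AccessRole/ops-s3-session
  aws s3 ls "s3://${BUCKET}/"
}

# Usage (uncomment to run against real accounts; the MFA ARN is a placeholder):
# setup_prod; setup_dev
# assume_and_list arn:aws:iam::222222222222:mfa/alice 123456
```

The temporary credentials are exported only into the current shell, so the Ops user's long-lived DEV keys are never used against PROD; once the session expires (3600 seconds here) a fresh AssumeRole call with a new MFA code is needed.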