Cross-Account Trust Relationships

Last Updated: 2026-03-02 Source: innovation-sandbox-on-aws, ndx-try-aws-lza, IAM role discovery Captured SHA: cf75b87 (ISB), 6d70ae3 (LZA)

Executive Summary

The NDX:Try AWS platform uses three cross-account trust mechanisms: GitHub OIDC for CI/CD deployments from GitHub Actions, ISB intermediate roles for hub-to-pool-account operations, and LZA/Control Tower execution roles for infrastructure management. Five GitHub Actions OIDC roles are configured in the hub account, scoped to specific co-cddo repositories. ISB Lambda functions assume an intermediate role to perform operations in the 110 sandbox pool accounts.

Trust Architecture Overview

1. GitHub OIDC Provider

Property	Value
Provider ARN	`arn:aws:iam::568672915267:oidc-provider/token.actions.githubusercontent.com`
Provider URL	`https://token.actions.githubusercontent.com`
Audience	`sts.amazonaws.com`
Account	568672915267 (Hub)

The OIDC provider enables GitHub Actions workflows to obtain temporary AWS credentials without storing long-lived secrets. All trust relationships use sts:AssumeRoleWithWebIdentity with repository-scoped conditions.

Trust Policy Pattern

All GitHub Actions roles use this trust policy structure:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::568672915267:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:co-cddo/<repo-name>:*"
        }
      }
    }
  ]
}

2. GitHub Actions IAM Roles

Role Name	Trusted Repository	Purpose
`github-actions-innovation-sandbox-on-aws-deployer-deploy`	`co-cddo/innovation-sandbox-on-aws-deployer`	Deploy ISB Deployer CDK stack
`GitHubActions-Approver-InfraDeploy`	`co-cddo/innovation-sandbox-on-aws-approver`	Deploy Approver CDK infrastructure
`GitHubActions-NDX-ContentDeploy`	`co-cddo/ndx`	Deploy NDX website content to S3
`GitHubActions-NDX-InfraDeploy`	`co-cddo/ndx`	Deploy NDX website CDK infrastructure
`GitHubActions-NDX-InfraDiff`	`co-cddo/ndx`	CDK diff for NDX pull request reviews

Repository-to-Role Mapping

Repositories Without OIDC Roles in Hub

The following repositories do not have visible GitHub Actions OIDC roles in the hub account. They may deploy to different accounts, use alternative authentication, or deploy manually:

innovation-sandbox-on-aws-billing-seperator
innovation-sandbox-on-aws-costs
innovation-sandbox-on-aws-utils
ndx_try_aws_scenarios
ndx-try-aws-lza (deployed via LZA pipeline in org management)
ndx-try-aws-scp (deployed via Terraform to org management)
ndx-try-aws-terraform

3. ISB Operational Cross-Account Roles

Hub-to-Pool Account Access

The ISB core uses two role chains for cross-account operations:

Intermediate Role (General Operations)

Property	Value
Role Name	`InnovationSandbox-ndx-IntermediateRole`
Location	Hub account (568672915267)
Assumed By	ISB Lambda functions (Accounts, Leases, Monitoring, Cleaner)
Purpose	Assume spoke roles in pool accounts

The intermediate role is a jump role -- ISB Lambdas first assume this role, then use it to assume the spoke role in the target pool account:

ISB Lambda -> IntermediateRole (hub) -> SpokeRole (pool account)

Deployer Role (CloudFormation Deployment)

Property	Value
Role Name	`isb-deployer-role-prod`
Location	Hub account (568672915267)
Assumed By	ISB Deployer Lambda
Purpose	Deploy CloudFormation stacks in pool accounts

Pool Account Spoke Roles

Each pool account contains roles that trust the hub account:

Role	Purpose	Trust
`InnovationSandbox-ndx-SpokeRole`	ISB operational access (OU moves, SCP application)	Hub intermediate role
`OrganizationAccountAccessRole`	Full administrative access	Org management account
`AWSControlTowerExecution`	Control Tower provisioning	Control Tower
`stacksets-exec-*`	CloudFormation StackSets execution	Hub account

Hub-to-Org Management Access

Purpose	Mechanism
Cost Explorer queries	ISB Cost Reporting Lambda assumes role in org management (955063685555)
Account registration	ISB Accounts Lambda calls Organizations API via org management role
OU management	ISB Account lifecycle Lambda moves accounts between OUs

4. Billing Separator Roles

The billing separator service has its own role chain for quarantine operations:

Role	Purpose
`isb-billing-sep-scheduler-role-ndx`	EventBridge Scheduler for timed unquarantine
`isb-billing-separator-hub-QuarantineLambdaServiceRole-*`	Lambda that moves accounts to Quarantine OU
`isb-billing-separator-hub-UnquarantineLambdaServiceRole-*`	Lambda that moves accounts back to Available OU
`isb-billing-separator-hub-LogRetentionaae0aa3c5b4d4-*`	CloudWatch log retention management

5. LZA / Control Tower Execution Roles

Landing Zone Accelerator and Control Tower use privileged execution roles across all accounts:

Role	Present In	Purpose
`AWSControlTowerExecution`	All accounts	Control Tower baseline provisioning
`AWSAccelerator-*`	All accounts	LZA stack deployment and management
`cdk-accel-*`	All accounts	CDK bootstrap for LZA

These roles are exempted from all SCPs to ensure infrastructure management continues to function.

6. SCP Exemption Pattern

All ISB and infrastructure SCPs use a common exemption pattern for privileged roles:

{
  "Condition": {
    "ArnNotLike": {
      "aws:PrincipalARN": [
        "arn:aws:iam::*:role/InnovationSandbox-ndx*",
        "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_ndx_IsbAdmins*",
        "arn:aws:iam::*:role/stacksets-exec-*",
        "arn:aws:iam::*:role/AWSControlTowerExecution"
      ]
    }
  }
}

This ensures that ISB control plane operations, ISB admin SSO sessions, StackSets execution, and Control Tower provisioning are never blocked by ISB-managed SCPs.

Cross-Account Access Flow Summary

Security Observations

Repository Scoping: All OIDC roles are scoped to specific co-cddo/* repositories using StringLike conditions, preventing cross-repository impersonation.
Audience Validation: All OIDC roles validate aud: sts.amazonaws.com.
No Long-Lived Credentials: GitHub Actions use short-lived OIDC tokens; ISB uses STS temporary credentials.
Role Naming Inconsistency: Mix of github-actions-* (lowercase) and GitHubActions-* (PascalCase) naming patterns. Consider standardising.
CDK Random Suffixes: Many ISB core roles have CDK-generated random suffixes, making audit harder. The role purpose must be inferred from the prefix pattern.

02-aws-organization.md -- Organization structure and account inventory
03-hub-account-resources.md -- Hub account resources
05-service-control-policies.md -- SCP exemption patterns
00-repo-inventory.md -- Repository inventory

Generated from IAM role analysis and CDK source inspection on 2026-03-02. See 00-repo-inventory.md for full inventory.

Executive Summary​

Trust Architecture Overview​

1. GitHub OIDC Provider​

Trust Policy Pattern​

2. GitHub Actions IAM Roles​

Repository-to-Role Mapping​

Repositories Without OIDC Roles in Hub​

3. ISB Operational Cross-Account Roles​

Hub-to-Pool Account Access​

Intermediate Role (General Operations)​

Deployer Role (CloudFormation Deployment)​

Pool Account Spoke Roles​

Hub-to-Org Management Access​

4. Billing Separator Roles​

5. LZA / Control Tower Execution Roles​

6. SCP Exemption Pattern​

Cross-Account Access Flow Summary​

Security Observations​

Related Documents​