 

Is it possible to access aws resources from different region across accounts using aws assume-role

This is my scenario.

Account1 contains Finance and HR data in the Frankfurt region.
Account2 contains Finance and HR data in the Northern Virginia region.

User1 from Account3 wants to access Finance data from Account1 & Account2. Is this possible?

Inaccessible asked Oct 20 '25 17:10



1 Answer

Yes, it's definitely possible. IAM is a global service, not a region-specific one, and you would configure something like this using IAM roles and cross-account access.

The best practice recommendation from AWS regarding IAM account management is as follows:

  1. Have an account where you create all your IAM users and groups (and configure consolidated billing) and nothing more. I will call this ManagementAccount.

  2. Create Account1 & Account2 and create cross-account access roles within them; you configure each role's policy to grant access to specific resources within the account (in specific regions if you wish). For example, in Account1 you set up a role called Frankfurt-Auditor with a policy that grants read access to an S3 bucket called company-frankfurt-finance (this bucket is owned by Account1). You also create a role called NorthernVirginia-Auditor in Account2; this one grants access to a bucket called company-northernvirginia-finance (bucket owned by Account2). These roles will also establish trust between ManagementAccount and Account1 or Account2.

  3. Allow certain users (or groups) in ManagementAccount to assume Frankfurt-Auditor & NorthernVirginia-Auditor roles in Account1 & Account2.

There's a nice, detailed tutorial that will hopefully help you set this up: Tutorial: Delegate Access Across AWS Accounts Using IAM Roles

Michal Gasek answered Oct 22 '25 05:10

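The three-step setup in the answer above, modelled end to end as an added example (this is not code from the answer or from AWS). The account IDs, the User1 and Mallory principals and the object keys are placeholders chosen to fit the question's scenario; the role and bucket names are the ones the answer uses. The policy evaluator is a deliberately small subset of IAM semantics (explicit Deny wins, otherwise any matching Allow grants, `StringEquals` conditions only) whose purpose is to show why each document is needed: the role's trust policy decides who may assume it, the caller's own identity policy must also permit `sts:AssumeRole`, and the role's permissions policy, not the trust policy, scopes what the session can touch. Because S3 bucket ARNs carry no region, the example pins the Frankfurt role to eu-central-1 with the real global condition key `aws:RequestedRegion`.

```python
"""Cross-account role delegation modelled with a minimal IAM evaluator.

Added example, not code from the original answer. Account IDs below are
placeholders (assumptions); role and bucket names follow the answer.
"""
from fnmatch import fnmatchcase

MANAGEMENT_ACCOUNT = "111111111111"   # assumed ID: IAM users and groups live here
ACCOUNT1 = "222222222222"             # assumed ID: Frankfurt data (eu-central-1)
ACCOUNT2 = "333333333333"             # assumed ID: Northern Virginia data (us-east-1)

ROLE_FRANKFURT = f"arn:aws:iam::{ACCOUNT1}:role/Frankfurt-Auditor"
ROLE_VIRGINIA = f"arn:aws:iam::{ACCOUNT2}:role/NorthernVirginia-Auditor"


def trust_policy(trusted_account):
    """Trust policy for a cross-account role: any principal in trusted_account
    may call sts:AssumeRole, subject to that principal's own identity policy."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }]}


def read_only_bucket_policy(bucket, region):
    """Permissions policy attached to the role: read one bucket, and only
    when the request targets the given region (aws:RequestedRegion)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringEquals": {"aws:RequestedRegion": region}},
    }]}


def assume_role_policy(role_arns):
    """Identity policy for the ManagementAccount user or group. Both halves
    are required: this Allow in the caller's account and the trust policy
    in the account that owns the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": list(role_arns),
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, context):
    """Does the statement apply to this action/resource under this context?"""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != want:   # missing key fails StringEquals, as in IAM
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins; otherwise any matching Allow grants; else implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def trusts(trust, caller_arn):
    """Does the role's trust policy accept this caller? An account-root
    principal matches every IAM principal of that account."""
    caller_account = caller_arn.split(":")[4]
    for stmt in trust["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        for principal in _as_list(stmt["Principal"]["AWS"]):
            if principal in (caller_arn, f"arn:aws:iam::{caller_account}:root"):
                return True
    return False


def can_assume(caller_arn, caller_policy, role_arn, role_trust):
    """sts:AssumeRole succeeds only if the caller's policy and the role's trust agree."""
    return is_allowed(caller_policy, "sts:AssumeRole", role_arn) and trusts(role_trust, caller_arn)


def scenario():
    """User1 in ManagementAccount tries both roles, a user from Account2 tries the
    Frankfurt role, and the assumed Frankfurt session tries a few S3 calls."""
    user1 = f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:user/User1"           # placeholder
    user1_policy = assume_role_policy([ROLE_FRANKFURT, ROLE_VIRGINIA])
    mallory = f"arn:aws:iam::{ACCOUNT2}:user/Mallory"                  # placeholder
    mallory_policy = assume_role_policy(["*"])  # her own account allows everything
    trust_fra = trust_policy(MANAGEMENT_ACCOUNT)
    perms_fra = read_only_bucket_policy("company-frankfurt-finance", "eu-central-1")
    fra_obj = "arn:aws:s3:::company-frankfurt-finance/2025/q3.csv"          # constructed key
    nva_obj = "arn:aws:s3:::company-northernvirginia-finance/2025/q3.csv"   # constructed key
    eu, us = {"aws:RequestedRegion": "eu-central-1"}, {"aws:RequestedRegion": "us-east-1"}
    return {
        "user1_assumes_frankfurt": can_assume(user1, user1_policy, ROLE_FRANKFURT, trust_fra),
        "user1_assumes_virginia": can_assume(user1, user1_policy, ROLE_VIRGINIA, trust_policy(MANAGEMENT_ACCOUNT)),
        "mallory_assumes_frankfurt": can_assume(mallory, mallory_policy, ROLE_FRANKFURT, trust_fra),
        "frankfurt_read_eu": is_allowed(perms_fra, "s3:GetObject", fra_obj, eu),
        "frankfurt_read_us": is_allowed(perms_fra, "s3:GetObject", fra_obj, us),
        "frankfurt_write": is_allowed(perms_fra, "s3:PutObject", fra_obj, eu),
        "frankfurt_reads_virginia_bucket": is_allowed(perms_fra, "s3:GetObject", nva_obj, eu),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```

Two things the run makes visible. Mallory's account policy lets her call `sts:AssumeRole` on anything, and she is still refused, because the decision that matters lives in Account1's trust policy; conversely User1 would be refused if ManagementAccount dropped the `sts:AssumeRole` Allow even though Account1 trusts that account. And the Frankfurt session reads the Frankfurt bucket only via eu-central-1 and never touches the Virginia bucket, so "read access to that bucket in that region" is enforced by the role's permissions policy, which is where the per-region scoping the answer mentions belongs.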


