Status: IN
To prevent IAM users or groups with broad permissions (e.g., PowerUser) from assuming a cross-account role, an explicit Deny policy on `sts:AssumeRole` is required.
Source: entries/2026/03/08/iam-cross-account.md
JSON