{"id":"iam-cross-account-explicit-deny-needed-for-broad-permissions","text":"To prevent IAM users or groups with broad permissions (e.g., PowerUser) from assuming a cross-account role, an explicit Deny policy on `sts:AssumeRole` is required.","truth_value":"IN","source":"entries/2026/03/08/iam-cross-account.md","source_url":"","source_hash":"e48a1ca4eb9cc426","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"iam-cross-account-explicit-deny-needed-for-broad-permissions","truth_value":"IN","reason":"premise"}]}}