As a company scales out the number of AWS accounts used for different workloads, it may need IAM roles that can be assumed by any other account within the organization to perform some action. If you trust accounts by adding each account principal to the trust policy, you may soon find yourself hitting the 2048 character limit.
By making use of condition keys and the inherent trust that comes from being within an organization, you can dramatically reduce the size and complexity of these trust policies.
From listing all explicit account IDs:

```yaml
OrgWideRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: OrgWideRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              - '012345678901'
              - '123456789012'
              - '234567890123'
              - '345678901234'
              - '456789012345'
              - '567890123456'
              # *150 or so more account IDs*
          Action: sts:AssumeRole
```
To trusting the organization ID:

```yaml
OrgWideRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: OrgWideRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              - '*'
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              aws:PrincipalOrgID: o-12345abcd
```
You can narrow this further to the accounts under a specific OU by using the aws:PrincipalOrgPaths condition key (a multi-valued key, hence the ForAnyValue set prefix):

```yaml
          Condition:
            ForAnyValue:StringEquals:
              aws:PrincipalOrgPaths:
                - o-12345abcd/r-eg123/ou-example123/
```
Further extension of this is possible by using the StringLike operator to trust the OU and all of its child OUs:
```yaml
          Condition:
            ForAnyValue:StringLike:
              aws:PrincipalOrgPaths:
                # The '/' before '*' keeps the match inside this OU's subtree; a bare
                # 'ou-example123*' would also match any other OU whose ID starts with that prefix.
                - o-12345abcd/r-eg123/ou-example123/*
```
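To see how these condition blocks behave against different callers, here is an added example (not code from the original post) that models IAM's StringEquals and StringLike operators and the ForAnyValue/ForAllValues set prefixes offline; the org, root and OU IDs are the ones used above, while ou-child456, ou-example1234 and o-other9999 are constructed for the comparison.

```python
import re

# Added example (not from the original post): an offline model of how IAM evaluates the
# Condition blocks above (StringEquals/StringLike plus the ForAnyValue/ForAllValues prefixes).
def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def evaluate_condition(condition: dict, context: dict) -> bool:
    """True if every operator block in `condition` is satisfied by the request context.
    `context` maps condition keys to a string or, for multi-valued keys, a list."""
    for op_name, keys in condition.items():
        set_prefix, _, base_op = op_name.rpartition(":")  # e.g. ForAnyValue:StringLike
        match = _string_like if base_op == "StringLike" else str.__eq__
        for key, patterns in keys.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            if key not in context:
                if set_prefix == "ForAllValues":
                    continue  # IAM treats a missing key as satisfying ForAllValues
                return False
            values = context[key] if isinstance(context[key], list) else [context[key]]
            hits = [any(match(p, v) for p in patterns) for v in values]
            if set_prefix == "ForAllValues":
                ok = all(hits)
            elif set_prefix == "ForAnyValue":
                ok = any(hits)
            else:
                ok = len(values) == 1 and hits[0]  # plain operator expects one value
            if not ok:
                return False
    return True

# Identifiers from the post; ou-child456, ou-example1234 and o-other9999 are constructed.
ORG, ROOT, OU = "o-12345abcd", "r-eg123", "ou-example123"
CALLERS = {  # constructed request contexts for four callers
    "in_ou": {"aws:PrincipalOrgID": ORG, "aws:PrincipalOrgPaths": [f"{ORG}/{ROOT}/{OU}/"]},
    "in_child_ou": {"aws:PrincipalOrgID": ORG, "aws:PrincipalOrgPaths": [f"{ORG}/{ROOT}/{OU}/ou-child456/"]},
    "in_similar_ou": {"aws:PrincipalOrgID": ORG, "aws:PrincipalOrgPaths": [f"{ORG}/{ROOT}/{OU}4/"]},
    "outside_org": {"aws:PrincipalOrgID": "o-other9999", "aws:PrincipalOrgPaths": ["o-other9999/r-zz999/"]},
}
ORG_ONLY = {"StringEquals": {"aws:PrincipalOrgID": ORG}}
EXACT_OU = {"ForAnyValue:StringEquals": {"aws:PrincipalOrgPaths": [f"{ORG}/{ROOT}/{OU}/"]}}
OU_SUBTREE = {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [f"{ORG}/{ROOT}/{OU}/*"]}}
PREFIX_GLOB = {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [f"{ORG}/{ROOT}/{OU}*"]}}  # no '/' before '*'

def trusted_callers(condition: dict) -> list:
    """Names of the constructed callers that the condition would allow to assume the role."""
    return [name for name, ctx in CALLERS.items() if evaluate_condition(condition, ctx)]
```

Running `trusted_callers` over the four conditions shows that only the pattern with the slash before the wildcard keeps the similarly named OU out.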
There are more permutations possible to fit your needs, but implementing trust via organization or OU membership has significantly reduced our trust policy sizes while increasing the scalability of the platform.