Looking for some input on how to set up permissions...
# general
Looking for some input on how to set up permissions to AWS resources for a tool that requires access to multiple different AWS accounts.

For lack of a better example: let's say we have a use case where you need to dump data from a database in one environment to a database in another environment; environment in this case = separate AWS account. The tool will run in one environment and might access many other environments (e.g. if this tool is used by multiple teams for their environments).

Users of the tool use AWS SSO, which means I can use groups to define permissions. Ignore any issues related to sensitive data in production atm. The tool will be hosted somewhere, exposing an API; the API can be consumed by anything, a CLI, UI etc.

My thoughts so far, using the DB dump example:

1. For the users of the tool I can define permissions on what they are allowed to do. We use AWS Identity Center for access, so one option could be to define access based on groups.
2. The tool itself needs AWS permissions for all databases it's going to operate on.

But if I continue this way, this tool will end up having full access to many services in all environments. I have a vague thought where the tool itself does not need to have full permissions, but it has permissions to call another tool / service that is set up with specific AWS permissions. That way I could build tools / services per use case, e.g. for the DB dump example, if we for each team have a service that has access to the DBs in that team's environments.

I'm unable to wrap my head around the security implications and it feels "wrong" to set up a tool with access to so many different environments.
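The per-team split the post sketches maps onto a standard cross-account pattern: the tool's own identity can do nothing in the target accounts except assume one narrow role per team, each target account owns that role (trusting only the tool's principal, gated by an ExternalId, granting only the DB-dump actions), and the tool attaches a session policy per request so a single call is narrowed even further. The following is an added example in Python, not code from the original poster; every account id, ARN, role name and ExternalId in it is a constructed placeholder, and the policy evaluator is a deliberately simplified model of IAM (Allow/Deny with wildcards, no conditions) used to show how the role policy and the session policy intersect.

```python
"""Least-privilege cross-account access for a multi-account tool (added example).

Pattern: the tool's identity holds nothing but sts:AssumeRole on a fixed list of
per-team roles.  Each target account owns a role that trusts only the tool's
principal, requires an ExternalId, and grants just the actions the use case
needs.  When the tool assumes that role it also passes a *session policy* that
narrows the request further (a session policy can only remove permissions,
never add them).  Every account id, ARN and name below is a constructed
placeholder, not a real resource.
"""
import json
from fnmatch import fnmatchcase

TOOL_PRINCIPAL = "arn:aws:iam::111111111111:role/data-copy-tool"         # hypothetical
TEAM_A_ROLE = "arn:aws:iam::222222222222:role/data-copy-team-a"          # hypothetical
TEAM_A_CLUSTER = "arn:aws:rds:eu-west-1:222222222222:cluster:team-a-db"  # hypothetical
TEAM_A_BUCKET = "arn:aws:s3:::team-a-dumps"                               # hypothetical


def trust_policy(tool_principal: str, external_id: str) -> dict:
    """Trust policy on the per-team role: only the tool, only with the shared ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": tool_principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def team_permissions_policy(cluster_arn: str, bucket_arn: str) -> dict:
    """Permissions of the per-team role: snapshot one cluster, write one bucket, never delete."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["rds:DescribeDBClusters", "rds:CreateDBClusterSnapshot"],
             "Resource": cluster_arn},
            {"Effect": "Allow", "Action": "s3:PutObject", "Resource": bucket_arn + "/*"},
            {"Effect": "Deny", "Action": "rds:Delete*", "Resource": "*"},
        ],
    }


def dump_session_policy(cluster_arn: str) -> dict:
    """Session policy for one 'dump' request: the RDS actions only, on one cluster only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["rds:DescribeDBClusters", "rds:CreateDBClusterSnapshot"],
                       "Resource": cluster_arn}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    # IAM action names are case-insensitive; resources are not. '*' and '?' are wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective_allows(permissions: dict, session: dict, action: str, resource: str) -> bool:
    """With a session policy attached, a call is allowed only if BOTH policies allow it."""
    return policy_allows(permissions, action, resource) and policy_allows(session, action, resource)


def assume_role_request(role_arn: str, external_id: str, session: dict, sso_user: str) -> dict:
    """Arguments the tool would pass to boto3.client('sts').assume_role(**request).

    The session policy narrows the role for this one call, and the requesting SSO
    user is recorded as a session tag so CloudTrail in the target account shows
    who asked for the dump, not just 'the tool'.
    """
    return {
        "RoleArn": role_arn,
        "RoleSessionName": f"dump-{sso_user}",
        "ExternalId": external_id,
        "Policy": json.dumps(session),
        "DurationSeconds": 900,
        "Tags": [{"Key": "requested-by", "Value": sso_user}],
    }


if __name__ == "__main__":
    perms = team_permissions_policy(TEAM_A_CLUSTER, TEAM_A_BUCKET)
    sess = dump_session_policy(TEAM_A_CLUSTER)
    checks = [
        ("rds:CreateDBClusterSnapshot", TEAM_A_CLUSTER),
        ("s3:PutObject", TEAM_A_BUCKET + "/dump.sql"),   # the role may, this session may not
        ("rds:DeleteDBCluster", TEAM_A_CLUSTER),          # explicit Deny in the role policy
        ("rds:CreateDBClusterSnapshot", TEAM_A_CLUSTER.replace("team-a", "team-b")),
    ]
    for action, resource in checks:
        print(f"{action:30} {resource:58} -> {effective_allows(perms, sess, action, resource)}")
    print(json.dumps(assume_role_request(TEAM_A_ROLE, "EXAMPLE-EXTERNAL-ID", sess, "alice"), indent=2))
```

The point of the shape: the tool never holds the per-team permissions itself, the blast radius of a compromised tool is bounded by the union of the per-team roles it is allowed to assume (each of which is reviewed by the team that owns the account), and the Identity Center group check on the tool's API decides which role and which session policy a given user's request may map to. Whether the narrow role lives in the tool account or in each team's account, the `Deny` on `rds:Delete*` and the resource-scoped `Allow` statements are what keep "access to many environments" from meaning "full access to many environments".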