Delegation is the granting of permission to someone to allow access to resources that you control.
Delegation involves setting up a trust between the account that owns the resource (the trusting account) and the account that contains the users that need to access the resource (the trusted account).
The trusted and trusting accounts can be any of the following
The same account
Two accounts that are both under your organization's control.
Two accounts owned by different organizations.
To delegate permission to access a resource, you create an IAM role that has 2 policies attached.
Trust Policy
Permission Policy
Note:- Both are in JSON format.
The trusted entity is included in the trust policy as the Principal element of the document.
When you create a trust policy, you cannot specify the wildcard (*) as a principal.
Cross-Account Permissions
You might need to allow users from another AWS account to access resources in your AWS account. If so, don't share security credentials, such as access keys, between accounts. Instead, use IAM roles.
You can define a role in the trusting account that specifies what permissions the IAM users in the other account are allowed.
You can also designate which AWS account has the IAM users that are allowed to assume the role. We do not define users here, but rather AWS accounts.
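The two policies described above, built for the cross-account case, as an added example that is not part of the original notes. The account IDs and bucket name are constructed sample values; the review check only encodes the two rules the notes state (no wildcard principal, and the trust policy names an account rather than individual users).

```python
import json
import re

# Constructed sample values for this example (hypothetical, not real accounts).
TRUSTED_ACCOUNT = "222222222222"    # holds the users that will assume the role
BUCKET = "example-shared-reports"   # bucket owned by the trusting account

def build_trust_policy(trusted_account_id: str) -> dict:
    """Trust policy: names the trusted *account* (not individual users) as the
    principal allowed to call sts:AssumeRole on this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def build_permission_policy(bucket: str) -> dict:
    """Permission policy: what the role may do once assumed (read-only on one bucket)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

_ACCOUNT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:root$")

def trust_policy_issues(policy: dict) -> list:
    """Review check for a trust policy: flag a wildcard principal (the notes say it must
    not be used, and it would let any AWS identity assume the role) and any principal
    that is not a whole-account ARN, since the trust is meant to name accounts, not users."""
    issues = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            issues.append("wildcard (*) principal is not allowed in a trust policy")
            continue
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        for arn in ([aws] if isinstance(aws, str) else aws or []):
            if not _ACCOUNT_PRINCIPAL.match(arn):
                issues.append(f"principal is not an account-level ARN: {arn}")
    return issues

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(TRUSTED_ACCOUNT), indent=2))
    print(trust_policy_issues({"Statement": [{"Principal": "*"}]}))
```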
A role for Cross-Account Access
Granting access to resources in one account to a trusted principal in a different account.
Roles are the primary way to grant cross-account access.
However, with some of the web services offered by AWS, you can attach a policy directly to a resource. These are called resource-based policies. You can use them to grant principals in another AWS account access to the resource.
The following services support resource-based policies:-
Amazon S3
Amazon Simple Notification Service
Amazon Simple Queue Service
Amazon Glacier Vault