Cross-account access IAM role
To allow CDP to create resources in your AWS account, you create a cross-account access IAM role in your AWS account and grant CDP access to the role as a trusted principal by specifying a specific AWS account and an external ID.
The policy for the cross-account access IAM role must have the following permissions. In addition, the IAM role must reference the specific AWS account ID and external ID provided in the Management Console. For information on how to obtain the AWS account ID and external ID from the CDP web interface and create a cross-account role, refer to Create a cross-account IAM Role.