I'm new to AWS. Have some experience in Azure, but the organization/user account/permissions part is completely different to the tenant/managementgroup/subscription/azure AD way of thinking.
In a multi-account (e.g. accounts A,B & C) organization, what's the most efficient way to give users of account A read-only insight into accounts B and C? Creating a role for every account and adding the assume role policy for every user? Is there a way to give these users these rights on the top level to make sure that they also have read-only access if an account D and E are added in the future?
You'll want to look into IAM Roles and cross-account access. I know of 2 main way of doing so:
You can use AWS IAM Identity Center to setup read-only access for account A, B and C. For example, you could create users or group with with ReadOnlyAccess
and configure these users to access all your accounts.
You'd still have to configure your AWS accounts to integrate them within IAM Identity Center and allow your users access to these accounts, but most of the heavy-load of handling IAM Role cross-account access will be done by IAM Identity Center.
Another way would be to configure cross-account access using IAM Roles. in short you'd have to:
ReadOnlyAccess
policy of equivalent.Notes: