by whoknew1122 1956 days ago
I just glanced over the source, but I think the answer is no in both cases.

> "which users have access to resource X, including implicitly through one or more assume-role jumps, across these N accounts, including stuff like iam:PassRole, even including tag-based policies?"

This would be difficult to pull off because you'd need to make separate calls to each of your accounts to determine this sort of thing. And if you're looking at assuming roles through multiple accounts, you have to consider whether external IDs are defined.

And if external IDs are defined, how do you handle that? Do you assume the caller has the external ID?

> "who had access to X between Jun and Aug 2020?"

This one would be easier, but would require integration with AWS Config.
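
An added example, not part of the comment above and not code from the tool under discussion: a sketch of the cross-account question for an access review, walking role trust policies backwards from a target role and marking chains where any hop has an `sts:ExternalId` condition. It assumes the trust policies were already fetched from each account; the ARNs, account IDs and external ID value are constructed, and identity-side policies, SCPs, permission boundaries and tag conditions are not evaluated.

```python
from collections import deque

# Constructed sample: role ARN -> trust policy, as collected per account
# (one lookup per role in each of the N accounts).
TRUST = {
    "arn:aws:iam::111111111111:role/app-data": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/deploy"},
        "Condition": {"StringEquals": {"sts:ExternalId": "placeholder"}}}]},
    "arn:aws:iam::222222222222:role/deploy": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::333333333333:user/alice",
                              "arn:aws:iam::333333333333:role/ci"]}}]},
}

def as_list(v):
    return v if isinstance(v, list) else [v]

def trusted_by(role_arn, trust):
    """Yield (principal, needs_external_id) for each Allow on sts:AssumeRole."""
    for st in as_list(trust.get(role_arn, {}).get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action", [])):
            continue
        # Condition keys are case-insensitive; any operator on sts:ExternalId counts.
        needs_id = any("sts:externalid" in k.lower()
                       for cond in st.get("Condition", {}).values() for k in cond)
        principal = st.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws:
            yield p, needs_id

def chains_to(target, trust):
    """Return [(chain, needs_external_id)] for every assume-role path ending at target."""
    results, queue = [], deque([([target], False)])
    while queue:
        chain, needs_id = queue.popleft()
        for principal, hop_needs_id in trusted_by(chain[0], trust):
            if principal in chain:  # skip cycles in trust relationships
                continue
            new = ([principal] + chain, needs_id or hop_needs_id)
            results.append(new)
            queue.append(new)
    return results
```

Chains flagged `True` are the ones where the answer depends on whether the caller holds the external ID, so a report should list them separately rather than as confirmed access.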