In order to run discovery on multiple accounts in an AWS Organization, each member account must have the same cross-account role (same name, same permissions) with the discovery and visibility permissions CDV needs. The host account, that is, the account that runs CDV, assumes this role with sts:AssumeRole in each member account to perform discovery and visibility tasks. A straightforward way to set up this cross-account role is to write a YAML template (file extension .yml) that declares the role, its trust policy and its permissions, and deploy that template into every member account with CloudFormation.
To create a YAML template file for the account:
First, create a new YAML template file with a file name extension of .yml (such as cdv-cross-account-role.yml). The content of the .yml file depends on the scope of what you want the role to do; the three variants below share the same parameters and the same trust policy and differ only in the permissions policy. The parameters are CDVHostAccountNumber (the 12-digit ID of the host account), CrossAccountRoleName (must be identical in every member account, because the host account addresses the role by name) and AWSArn (the ARN of the IAM role or user in the host account that runs CDV). Set AWSArn to that specific ARN rather than *: with * every principal in the host account that is permitted to call sts:AssumeRole can assume the member-account role.
When you're done, deploy this template in each member account with CloudFormation (for example, from CloudFormation Designer, or as a StackSet that targets the Organization's member accounts). Because the template sets an explicit RoleName, the stack must be created with the CAPABILITY_NAMED_IAM capability.
If you will be running ONLY Discovery jobs, include the following content in the .yml file:
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CDVHostAccountNumber:
    Description: >-
      The 12-digit ID of the host account that runs CDV (the account that
      will assume this role)
    # String rather than Number: AWS account IDs can begin with 0, which a
    # Number parameter would drop
    Type: String
    AllowedPattern: '^[0-9]{12}$'
  CrossAccountRoleName:
    Description: >-
      Your Role Name (ex: OrganizationAccountAccessRole); this needs to be
      the same across all of the Member Accounts
    Type: String
  AWSArn:
    Description: >-
      ARN of the IAM role or user in the host account that runs CDV. Enter *
      only if you want to trust every principal in CDVHostAccountNumber.
    Type: String
Resources:
  CrossAccountRoleForAWSTrustedAdvisorEx:
    Type: 'AWS::IAM::Role'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: The role name needs to be the same in all of the member accounts.
    Properties:
      RoleName: !Ref CrossAccountRoleName
      # Trust policy: only principals in the host account whose ARN matches
      # AWSArn may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:${AWS::Partition}:iam::${CDVHostAccountNumber}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringLike:
                'aws:PrincipalArn':
                  - !Ref AWSArn
      # Permissions policy: read-only EKS access for Discovery
      Policies:
        - PolicyName: CDVPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: DiscoveryEKSReadOnly
                Effect: Allow
                Action:
                  - 'eks:ListClusters'
                  - 'eks:ListNodegroups'
                  - 'eks:DescribeCluster'
                  - 'eks:DescribeNodegroup'
                Resource: '*'
      # Partition-aware ARNs, consistent with the trust policy above
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonVPCReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ElasticLoadBalancingReadOnly'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonRoute53ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/IAMReadOnlyAccess'
If you will be running both Discovery and Visibility and you want the cross-account role to have write permissions, so that CDV can create and remove the SQS queues, SNS topics and EventBridge rules it uses for Visibility in each member account, include the following content in the .yml file:
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CDVHostAccountNumber:
    Description: >-
      The 12-digit ID of the host account that runs CDV (the account that
      will assume this role)
    # String rather than Number: AWS account IDs can begin with 0, which a
    # Number parameter would drop
    Type: String
    AllowedPattern: '^[0-9]{12}$'
  CrossAccountRoleName:
    Description: >-
      Your Role Name (ex: OrganizationAccountAccessRole).
      This must be the same across all Member Accounts
    Type: String
  AWSArn:
    Description: >-
      ARN of the IAM role or user in the host account that runs CDV. Enter *
      only if you want to trust every principal in CDVHostAccountNumber.
    Type: String
Resources:
  CrossAccountRoleForAWSTrustedAdvisorEx:
    Type: 'AWS::IAM::Role'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: The role name needs to be the same in all of the member accounts.
    Properties:
      RoleName: !Ref CrossAccountRoleName
      # Trust policy: only principals in the host account whose ARN matches
      # AWSArn may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:${AWS::Partition}:iam::${CDVHostAccountNumber}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringLike:
                'aws:PrincipalArn':
                  - !Ref AWSArn
      # Permissions policy: read/write on the SQS queues, SNS topics and
      # EventBridge rules used for Visibility, plus read-only EKS access
      Policies:
        - PolicyName: CDVPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: VisibilityReadWrite
                Effect: Allow
                Action:
                  - 'sqs:DeleteMessage'
                  - 'sqs:TagQueue'
                  - 'sqs:PurgeQueue'
                  - 'sqs:DeleteQueue'
                  - 'sqs:CreateQueue'
                  - 'sqs:GetQueueAttributes'
                  - 'sqs:ReceiveMessage'
                  - 'sqs:SetQueueAttributes'
                  - 'sqs:GetQueueUrl'
                  - 'sns:DeleteTopic'
                  - 'sns:ListTopics'
                  - 'sns:Unsubscribe'
                  - 'sns:SetTopicAttributes'
                  - 'sns:Subscribe'
                  - 'sns:ListSubscriptionsByTopic'
                  - 'sns:GetTopicAttributes'
                  - 'sns:CreateTopic'
                  - 'sns:GetSubscriptionAttributes'
                  - 'events:TagResource'
                  - 'events:PutTargets'
                  - 'events:DeleteRule'
                  - 'events:DescribeRule'
                  - 'events:PutRule'
                  - 'events:ListRules'
                  - 'events:RemoveTargets'
                  - 'events:ListTargetsByRule'
                  - 'eks:ListClusters'
                  - 'eks:ListNodegroups'
                  - 'eks:DescribeCluster'
                  - 'eks:DescribeNodegroup'
                Resource: '*'
      # Partition-aware ARNs, consistent with the trust policy above
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonVPCReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ElasticLoadBalancingReadOnly'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonRoute53ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/IAMReadOnlyAccess'
If you will be running both Discovery and Visibility and you do NOT want the cross-account role to have write permissions (for example, if you intend to set up the queues, topics and rules manually), include the following content in the .yml file. Note that this variant still lets the role consume and purge messages from existing queues (sqs:DeleteMessage and sqs:PurgeQueue), but it cannot create or delete queues, topics or EventBridge rules:
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CDVHostAccountNumber:
    Description: >-
      The 12-digit ID of the host account that runs CDV (the account that
      will assume this role)
    # String rather than Number: AWS account IDs can begin with 0, which a
    # Number parameter would drop
    Type: String
    AllowedPattern: '^[0-9]{12}$'
  CrossAccountRoleName:
    Description: >-
      Your Role Name (ex: OrganizationAccountAccessRole); this needs to be
      the same across all of the Member Accounts
    Type: String
  AWSArn:
    Description: >-
      ARN of the IAM role or user in the host account that runs CDV. Enter *
      only if you want to trust every principal in CDVHostAccountNumber.
    Type: String
Resources:
  CrossAccountRoleForAWSTrustedAdvisorEx:
    Type: 'AWS::IAM::Role'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: The role name needs to be the same in all of the member accounts.
    Properties:
      RoleName: !Ref CrossAccountRoleName
      # Trust policy: only principals in the host account whose ARN matches
      # AWSArn may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:${AWS::Partition}:iam::${CDVHostAccountNumber}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringLike:
                'aws:PrincipalArn':
                  - !Ref AWSArn
      # Permissions policy: read existing queues, topics and rules (and consume
      # messages from the queues), plus read-only EKS access; no create/delete
      Policies:
        - PolicyName: CDVPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: VisibilityReadOnly
                Effect: Allow
                Action:
                  - 'sqs:DeleteMessage'
                  - 'sqs:PurgeQueue'
                  - 'sqs:GetQueueAttributes'
                  - 'sqs:ReceiveMessage'
                  - 'sqs:GetQueueUrl'
                  - 'sns:ListTopics'
                  - 'sns:ListSubscriptionsByTopic'
                  - 'sns:GetTopicAttributes'
                  - 'sns:GetSubscriptionAttributes'
                  - 'events:DescribeRule'
                  - 'events:ListRules'
                  - 'events:ListTargetsByRule'
                  - 'eks:ListClusters'
                  - 'eks:ListNodegroups'
                  - 'eks:DescribeCluster'
                  - 'eks:DescribeNodegroup'
                Resource: '*'
      # Partition-aware ARNs, consistent with the trust policy above
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonVPCReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ElasticLoadBalancingReadOnly'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonRoute53ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/IAMReadOnlyAccess'
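The trust policy is identical in all three templates above, so the value you give AWSArn is what decides which principals in the host account can assume the member-account role. The following Python is an added example, not code from the original page or from CDV: it mirrors the trust policy that CloudFormation renders for a constructed host account ID (012345678901) and a hypothetical CDV role name (CDVRunner), evaluates it the way IAM does for a given aws:PrincipalArn (the :root account check plus StringLike matching), flags the * configuration, and lists which actions in the "no write permissions" variant still change state in the member account.

```python
"""Offline checks for the CDV cross-account role templates above.

Added example: it does not call AWS and is not CDV's own code. The host
account ID 012345678901 and the role name CDVRunner are constructed values.
"""
import re
from typing import Dict, Iterable, List

HOST_ACCOUNT = "012345678901"                                   # constructed
CDV_RUNNER_ARN = f"arn:aws:iam::{HOST_ACCOUNT}:role/CDVRunner"  # constructed


def render_trust_policy(host_account: str, aws_arn: str, partition: str = "aws") -> Dict:
    """Build the JSON that CloudFormation renders from the AssumeRolePolicyDocument
    in the templates for the given CDVHostAccountNumber and AWSArn parameters."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:{partition}:iam::{host_account}:root"]},
                "Action": ["sts:AssumeRole"],
                "Condition": {"StringLike": {"aws:PrincipalArn": [aws_arn]}},
            }
        ],
    }


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters and '?' exactly one character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def account_of(arn: str) -> str:
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def can_assume(trust_policy: Dict, caller_arn: str) -> bool:
    """Would IAM allow sts:AssumeRole for a caller whose aws:PrincipalArn is
    caller_arn? For a role session that key is the IAM role ARN
    (arn:...:role/Name), not the STS assumed-role ARN."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in stmt["Action"]:
            continue
        # A ':root' principal means any IAM principal in that account (each one
        # still needs its own permission to call sts:AssumeRole), so the
        # Principal element is satisfied by the caller's account ID alone.
        trusted_accounts = {account_of(p) for p in stmt["Principal"]["AWS"]}
        if account_of(caller_arn) not in trusted_accounts:
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", [])
        if not patterns or any(string_like(p, caller_arn) for p in patterns):
            return True
    return False


def trust_findings(trust_policy: Dict) -> List[str]:
    """Flag statements that admit every principal in the trusted account,
    which is what AWSArn = * (or a missing condition) produces."""
    findings = []
    for stmt in trust_policy["Statement"]:
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", [])
        if not patterns or any(p.strip() == "*" for p in patterns):
            accounts = ", ".join(sorted(account_of(p) for p in stmt["Principal"]["AWS"]))
            findings.append(f"trust policy admits every principal in {accounts}; "
                            "set AWSArn to the ARN of the role or user that runs CDV")
    return findings


# Verbs that only read; anything else (Create, Delete, Put, Set, Tag, Purge,
# Subscribe, ...) changes state in the member account.
READ_ONLY_VERBS = ("List", "Describe", "Get", "Receive")


def mutating_actions(actions: Iterable[str]) -> List[str]:
    """Actions in an IAM action list whose verb is not read-only."""
    return sorted(a for a in actions if not a.split(":", 1)[1].startswith(READ_ONLY_VERBS))


# Action list copied from the 'no write permissions' Discovery + Visibility template.
NO_WRITE_VARIANT_ACTIONS = [
    "sqs:DeleteMessage", "sqs:PurgeQueue", "sqs:GetQueueAttributes",
    "sqs:ReceiveMessage", "sqs:GetQueueUrl", "sns:ListTopics",
    "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes",
    "sns:GetSubscriptionAttributes", "events:DescribeRule", "events:ListRules",
    "events:ListTargetsByRule", "eks:ListClusters", "eks:ListNodegroups",
    "eks:DescribeCluster", "eks:DescribeNodegroup",
]


if __name__ == "__main__":
    strict = render_trust_policy(HOST_ACCOUNT, CDV_RUNNER_ARN)
    wide = render_trust_policy(HOST_ACCOUNT, "*")
    other = f"arn:aws:iam::{HOST_ACCOUNT}:role/Other"
    print("CDVRunner via strict policy:", can_assume(strict, CDV_RUNNER_ARN))
    print("other role via strict policy:", can_assume(strict, other))
    print("other role via * policy:", can_assume(wide, other))
    for finding in trust_findings(wide):
        print("FINDING:", finding)
    print("state-changing actions in the 'no write' variant:",
          mutating_actions(NO_WRITE_VARIANT_ACTIONS))
```

Two points the output makes concrete: with AWSArn set to the CDVRunner ARN, another role in the same host account is refused even though the Principal element names the whole account, whereas with * that role is admitted; and the variant the page describes as having no write permissions still carries two state-changing actions (sqs:DeleteMessage and sqs:PurgeQueue), which is the minimum needed to consume from queues someone else created.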