Creating a YML template for a cross-account role for AWS Organization-level discovery jobs - Adaptive Applications - BlueCat Gateway - 23.3.2

Cloud Discovery & Visibility Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 23.3.2

In order to run discovery jobs on multiple accounts in an AWS Organization, Cloud Discovery & Visibility (CDV) needs an AWS account with a role that has appropriate permissions to access those accounts. This includes the sts:AssumeRole permission, which lets a principal in the CDV host account temporarily take on a role in each member account.

To create this role:

First, create a new YAML template file with a file name extension of .yml (such as cdv-assume-role.yml) with the following content:

# CloudFormation template for the CDV cross-account discovery role.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CDVHostAccountNumber:
    Description: The 12-digit ID of the AWS account where CDV is deployed (the account that assumes this role).
    # A String with a pattern keeps a leading zero in the account ID intact; a Number would not.
    Type: String
    AllowedPattern: '^[0-9]{12}$'
  CrossAccountRoleName:
    # Block scalars (>-) are used because the text contains ': ', which a plain YAML scalar does not allow.
    Description: >-
      Your Role Name (ex: OrganizationAccountAccessRole).
      This must be the same across all Member Accounts.
    Type: String
  AWSArn:
    Description: >-
      The Role ARN or User ARN which is used to run CDV.
      Use * if you want to trust every principal in the CDVHostAccountNumber account.
    Type: String
Resources:
  CrossAccountRoleForAWSTrustedAdvisorEx:
    Type: 'AWS::IAM::Role'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28   # W28 warns about an explicit RoleName
            reason: The role name needs to be the same in all of the member accounts.
    Properties:
      RoleName: !Ref CrossAccountRoleName
      # Trust policy: only principals in the CDV host account may assume this role,
      # and only those whose ARN matches AWSArn.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:${AWS::Partition}:iam::${CDVHostAccountNumber}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringLike:
                'aws:PrincipalArn':
                  - !Ref AWSArn
      # Inline permissions the discovery job needs in the member account.
      Policies:
        - PolicyName: CDVPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CDVDiscovery   # Sid must be a string, not a number
                Action:
                  - 'sqs:DeleteMessage'
                  - 'sqs:TagQueue'
                  - 'sqs:PurgeQueue'
                  - 'sqs:DeleteQueue'
                  - 'sqs:CreateQueue'
                  - 'sqs:GetQueueAttributes'
                  - 'sqs:ReceiveMessage'
                  - 'sqs:SetQueueAttributes'
                  - 'sqs:GetQueueUrl'
                  - 'sns:DeleteTopic'
                  - 'sns:ListTopics'
                  - 'sns:Unsubscribe'
                  - 'sns:SetTopicAttributes'
                  - 'sns:Subscribe'
                  - 'sns:ListSubscriptionsByTopic'
                  - 'sns:GetTopicAttributes'
                  - 'sns:CreateTopic'
                  - 'sns:GetSubscriptionAttributes'
                  - 'events:TagResource'
                  - 'events:PutTargets'
                  - 'events:DeleteRule'
                  - 'events:DescribeRule'
                  - 'events:PutRule'
                  - 'events:ListRules'
                  - 'events:RemoveTargets'
                  - 'events:ListTargetsByRule'
                  - 'eks:ListClusters'
                  - 'eks:ListNodegroups'
                  - 'eks:DescribeCluster'
                  - 'eks:DescribeNodegroup'
                Effect: Allow
                Resource: '*'
      # Read-only managed policies for the resources CDV discovers. The partition is
      # parameterised so the template also deploys outside the standard aws partition.
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonVPCReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ElasticLoadBalancingReadOnly'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonRoute53ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/IAMReadOnlyAccess'

When you're done, deploy this template in each AWS account that the discovery job should cover using CloudFormation Designer.
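The security-relevant part of the template is its trust policy: the AWSArn parameter decides whether one named principal or every principal in the CDV host account can assume the role. The following is an added example, not BlueCat's code; it renders the trust policy the template produces for constructed parameter values and reports what a reviewer would flag (a foreign account, extra actions, or a wildcard aws:PrincipalArn). The account IDs and ARNs are constructed sample values.

```python
import re


def render_trust_policy(host_account, aws_arn, partition="aws"):
    """Mirror the template's AssumeRolePolicyDocument after !Sub/!Ref substitution."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:{partition}:iam::{host_account}:root"]},
            "Action": ["sts:AssumeRole"],
            "Condition": {"StringLike": {"aws:PrincipalArn": [aws_arn]}},
        }],
    }


def _as_list(value):
    """IAM accepts a single string where a list is expected; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy, expected_host_account):
    """Return reviewer findings; an empty list means the policy is as tight as the template allows."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        for arn in principals:
            match = re.fullmatch(r"arn:aws[a-z-]*:iam::(\d{12}):root", arn)
            if arn == "*":
                findings.append("Principal '*' trusts every AWS account")
            elif match is None or match.group(1) != expected_host_account:
                findings.append(f"Principal {arn} is not the CDV host account root")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"Action {action} goes beyond sts:AssumeRole")
        # The template's condition pins the caller; '*' or no condition means any
        # principal in the trusted account (users, roles, services) can assume the role.
        arns = _as_list(stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn"))
        if not arns or "*" in arns:
            findings.append("aws:PrincipalArn is missing or '*': any principal in the host account can assume the role")
        elif any("*" in arn or "?" in arn for arn in arns):
            findings.append(f"aws:PrincipalArn uses a wildcard pattern: {arns}")
    return findings
```

Run the same check against the live trust policy with `iam:GetRole` after deployment to confirm the role in each member account matches the intended AWSArn.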