To run discovery jobs across multiple accounts in an AWS Organization, Cloud Discovery & Visibility (CDV) needs an IAM role in each member account that the CDV host account is allowed to assume. The role's trust policy grants sts:AssumeRole to the host account, so CDV obtains temporary credentials for each member account at run time instead of storing long-lived access keys for it. The role carries the read-only managed policies for the services CDV inventories (VPC, EC2, ELB, Route 53, IAM) plus an inline policy with SQS, SNS, EventBridge and EKS permissions on Resource '*'; note that the SQS, SNS and EventBridge entries include create and delete actions, not only reads.
To create this role:
First, create a new YAML template file with a .yml extension (for example, cdv-assume-role.yml) with the following content:
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CDVHostAccountNumber:
    Description: 'The AWS account number where CDV is deployed (the account that will assume this role)'
    Type: Number
  CrossAccountRoleName:
    Description: 'Your Role Name (ex: OrganizationAccountAccessRole). This must be the same across all Member Accounts'
    Type: String
  AWSArn:
    Description: 'ARN of the IAM role or user that runs CDV in CDVHostAccountNumber. Use * only if you want to trust every principal in that account.'
    Type: String
Resources:
  CrossAccountRoleForAWSTrustedAdvisorEx:
    Type: 'AWS::IAM::Role'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: The role name needs to be same in all of the member accounts.
    Properties:
      RoleName:
        Ref: CrossAccountRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:${AWS::Partition}:iam::${CDVHostAccountNumber}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringLike:
                'aws:PrincipalArn':
                  - !Sub '${AWSArn}'
      Policies:
        - PolicyName: CDVPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: '1'
                Action:
                  - 'sqs:DeleteMessage'
                  - 'sqs:TagQueue'
                  - 'sqs:PurgeQueue'
                  - 'sqs:DeleteQueue'
                  - 'sqs:CreateQueue'
                  - 'sqs:GetQueueAttributes'
                  - 'sqs:ReceiveMessage'
                  - 'sqs:SetQueueAttributes'
                  - 'sqs:GetQueueUrl'
                  - 'sns:DeleteTopic'
                  - 'sns:ListTopics'
                  - 'sns:Unsubscribe'
                  - 'sns:SetTopicAttributes'
                  - 'sns:Subscribe'
                  - 'sns:ListSubscriptionsByTopic'
                  - 'sns:GetTopicAttributes'
                  - 'sns:CreateTopic'
                  - 'sns:GetSubscriptionAttributes'
                  - 'events:TagResource'
                  - 'events:PutTargets'
                  - 'events:DeleteRule'
                  - 'events:DescribeRule'
                  - 'events:PutRule'
                  - 'events:ListRules'
                  - 'events:RemoveTargets'
                  - 'events:ListTargetsByRule'
                  - 'eks:ListClusters'
                  - 'eks:ListNodegroups'
                  - 'eks:DescribeCluster'
                  - 'eks:DescribeNodegroup'
                Effect: Allow
                Resource: '*'
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonVPCReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ElasticLoadBalancingReadOnly'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonRoute53ReadOnlyAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/IAMReadOnlyAccess'
When you're done, deploy the template in every member account that CDV should discover, using CloudFormation Designer, the CloudFormation console or CLI, or a CloudFormation StackSet targeting the organization. Because the template sets an explicit RoleName, the stack must be created with the CAPABILITY_NAMED_IAM capability. Use the same CrossAccountRoleName value in every account, and prefer the specific role or user ARN that runs CDV for AWSArn: the value * lets any IAM principal in the host account assume the role in every member account.
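The effect of the AWSArn parameter is worth checking before the template is rolled out to every member account. The following stand-alone Python script is an added example, not part of the CDV product or its template: it re-creates the AssumeRolePolicyDocument above for a given set of parameter values and applies IAM's rules for the Principal element and the StringLike condition, so you can see which principals a pinned ARN, a wildcard pattern, or * would admit. The account numbers and role names in it are constructed placeholders.

```python
"""Evaluate who can assume the CDV cross-account role for given parameters.

Added example, not code from the CDV template. It mirrors the trust policy
produced by the template above and evaluates it the way IAM does for a role
trust policy: the Principal element pins the trusted account, then the
StringLike condition on aws:PrincipalArn filters principals inside it.
All account numbers and ARNs below are constructed placeholders.
"""
import fnmatch
import json

PARTITION = "aws"  # assumed; the template substitutes ${AWS::Partition}


def render_trust_policy(host_account: str, assumer_arn_pattern: str) -> dict:
    """Return the template's AssumeRolePolicyDocument with parameters substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:{PARTITION}:iam::{host_account}:root"]},
                "Action": ["sts:AssumeRole"],
                "Condition": {"StringLike": {"aws:PrincipalArn": [assumer_arn_pattern]}},
            }
        ],
    }


def _account_of(arn: str) -> str:
    # ARN layout: arn:partition:service:region:account-id:resource
    return arn.split(":")[4]


def _string_like(value: str, patterns) -> bool:
    # IAM StringLike is case-sensitive and supports only the * and ? wildcards,
    # which is exactly what fnmatchcase implements.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def can_assume(policy: dict, principal_arn: str) -> bool:
    """True if principal_arn (an IAM user or role ARN) satisfies the trust policy.

    For a role session calling AssumeRole, aws:PrincipalArn is the IAM role
    ARN (arn:...:role/Name), not the sts assumed-role session ARN, so callers
    pass the role ARN here. The principal's own identity policy must also
    allow sts:AssumeRole; that side is outside this check.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in stmt["Action"]:
            continue
        # An account-root principal admits principals of that account only.
        trusted_accounts = {_account_of(p) for p in stmt["Principal"]["AWS"]}
        if _account_of(principal_arn) not in trusted_accounts:
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", ["*"])
        if _string_like(principal_arn, patterns):
            return True
    return False


def is_wide_open(policy: dict) -> bool:
    """True if AWSArn was set to *, i.e. the whole host account is trusted."""
    for stmt in policy["Statement"]:
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", [])
        if "*" in patterns:
            return True
    return False


if __name__ == "__main__":
    host = "111111111111"  # constructed CDVHostAccountNumber
    pinned = render_trust_policy(host, f"arn:aws:iam::{host}:role/CDVDiscoveryRole")
    prefixed = render_trust_policy(host, f"arn:aws:iam::{host}:role/CDV*")
    wide = render_trust_policy(host, "*")
    print(json.dumps(pinned, indent=2))
    candidates = [
        f"arn:aws:iam::{host}:role/CDVDiscoveryRole",
        f"arn:aws:iam::{host}:role/CDVTestRole",
        f"arn:aws:iam::{host}:user/alice",
        "arn:aws:iam::222222222222:role/CDVDiscoveryRole",  # other account
    ]
    for who in candidates:
        print(f"{who}: pinned={can_assume(pinned, who)} "
              f"prefixed={can_assume(prefixed, who)} wide={can_assume(wide, who)}")
    print("wide-open trust:", is_wide_open(wide))
```

Running it shows that a pinned AWSArn admits only the named CDV role, a prefix pattern admits every role whose name starts with CDV, and * admits every user and role in the host account, while a principal from any other account is refused in all three cases because the Principal element names only the host account.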