In order to run discovery jobs on multiple accounts in an AWS Organization, Cloud Discovery & Visibility (CDV) needs an AWS account with a role that has appropriate permissions to access those accounts. After creating a YML template for the new role (see Creating a YML template for a cross-account role for AWS Organization-level discovery jobs), you can import it into CloudFormation Designer and add the AssumeRole permission to the user or role that CDV can use for cross-account discoveries.
If you haven't already done so, open and log in to CloudFormation Designer.
Click StackSets, then click Create StackSet.
In Permissions, select Service-managed permissions.
In Prerequisite - Prepare template, select Template is ready.
In Specify template, select Upload a sample template. Then, click Choose file and browse to and upload the .yml file you just created. CloudFormation Designer will display the additional parameters defined in that .yml file.
In the Specify StackSet Details page, configure the StackSet options as follows (where CDVHostAccountNumber is the AWS ID number of the account where CDV is deployed).
For AWSArn, enter the Amazon Resource Name (ARN) that is to be allowed to run CDV. This can be for a user, a role, or all users from the CDV Host.
To specify a user, enter one of the following User ARNs as appropriate:
A specific user from the CDV Host account: arn:aws:iam::<CDVHostAccountNumber>:user/<user-name>
A specific user name from any account: arn:aws:iam::*:user/<user-name>
All users from the CDV host account: arn:aws:iam::<CDVHostAccountNumber>:user/*
To specify a role, enter one of the following Role ARNs as appropriate:
A specific role from the CDV Host account: arn:aws:iam::<CDVHostAccountNumber>:role/<role-name>
A specific role from any account: arn:aws:iam::*:role/<role-name>
All roles from the CDV host account: arn:aws:iam::<CDVHostAccountNumber>:role/*
To simply allow all users and roles from the CDVHostAccountNumber account, enter an asterisk: *
In CDVHostAccountNumber, enter the AWS ID number of the account where CDV is deployed and hosted.
In CrossAccountRoleName, enter a name for the CDV role (such as cdvrole).
In the Configure StackSet options page, configure the following:
For Managed execution, click Inactive.
In the Set deployment options page, configure the following:
In Auto-deployment options, select Activated.
In Account removal behavior, select Delete stacks.
In Specify regions, add the regions that you want to discover.
When asked to review your settings, check that you've entered everything correctly. Then, under Capabilities, select the acknowledge checkbox and click Submit.
When you're done, you must then attach the AssumeRole permission to a user or role that will run Discovery.
Note: If you are running CDV on an EC2 instance, you must assign the AssumeRole permission to a role.
To assign the AssumeRole permission to a user, use the following JSON code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/<CrossAccountRoleName>"
    }
  ]
}
To assign permissions necessary for CDV to access information necessary to run discovery from an Organization level, use the following JSON code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccountsForParent",
        "organizations:ListRoots",
        "organizations:ListAccounts",
        "organizations:ListTagsForResource",
        "account:ListRegions",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren"
      ],
      "Resource": "*"
    }
  ]
}
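As an added example (not CDV's or AWS's own code), the following Python shows how an Organization-level discovery job exercises the two policies above: the Organizations read actions enumerate the member accounts, and sts:AssumeRole is then called against arn:aws:iam::<member-account>:role/<CrossAccountRoleName> in each one, recording rather than aborting on accounts the StackSet has not reached yet. Clients are passed in so the constructed stub classes at the bottom stand in for boto3 offline; the role name cdvrole, the session name and the account IDs are assumed.

```python
# Added example (not CDV code): takes boto3-style clients; constructed stubs below run it offline.
def list_org_accounts(org_client):
    """organizations:ListAccounts with NextToken pagination; keeps ACTIVE accounts only."""
    accounts, kwargs = [], {}
    while True:
        page = org_client.list_accounts(**kwargs)
        accounts.extend(a for a in page["Accounts"] if a["Status"] == "ACTIVE")
        if not page.get("NextToken"):
            return accounts
        kwargs = {"NextToken": page["NextToken"]}

def cross_account_role_arn(account_id, role_name):
    # Same shape as the AssumeRole policy Resource, with '*' pinned to one member account.
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def assume_in_each_account(sts_client, accounts, role_name):
    """Returns {account_id: temporary credentials, or None where sts:AssumeRole was denied}.
    An account the StackSet has not deployed the role to answers AccessDenied; record it
    and keep going rather than aborting the whole discovery job."""
    results = {}
    for acct in accounts:
        arn = cross_account_role_arn(acct["Id"], role_name)
        try:
            resp = sts_client.assume_role(RoleArn=arn, RoleSessionName="cdv-org-discovery")
            results[acct["Id"]] = resp["Credentials"]
        except Exception as exc:  # botocore ClientError exposes .response["Error"]["Code"]
            if getattr(exc, "response", {}).get("Error", {}).get("Code") != "AccessDenied":
                raise
            results[acct["Id"]] = None
    return results

# Constructed stubs standing in for boto3 Organizations and STS clients (offline demo only).
class _Denied(Exception):
    response = {"Error": {"Code": "AccessDenied"}}
class StubOrg:
    def list_accounts(self, NextToken=None):
        if NextToken is None:  # first page
            return {"Accounts": [{"Id": "111111111111", "Status": "ACTIVE"}], "NextToken": "p2"}
        return {"Accounts": [{"Id": "222222222222", "Status": "ACTIVE"},
                             {"Id": "333333333333", "Status": "SUSPENDED"}]}

class StubSts:
    deployed = {"111111111111"}  # accounts where the StackSet has already created the role
    def assume_role(self, RoleArn, RoleSessionName):
        if RoleArn.split(":")[4] not in self.deployed:
            raise _Denied()
        return {"Credentials": {"AccessKeyId": "ASIA-CONSTRUCTED", "SessionToken": "constructed"}}

def run_discovery(role_name="cdvrole"):
    return assume_in_each_account(StubSts(), list_org_accounts(StubOrg()), role_name)
```

With real boto3 clients, pass boto3.client("organizations") and boto3.client("sts") from the CDV host account in place of the stubs; the account that answers None is the one to check in the StackSet's deployment status.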
When you're done, you can set up credentials in CDV for running Organization-level discoveries.