Deploying cross-account roles for AWS Organization-level Discovery - Adaptive Applications - BlueCat Gateway - 25.3

Cloud Discovery & Visibility Administration Guide


In order to run discovery on multiple accounts in an AWS Organization, each account must have the same cross-account role with the necessary discovery and visibility permissions. This role will be assumed by the host account to perform discovery and visibility tasks. After creating a YAML template for the role (see Creating a YML template for a cross-account role for AWS Organization-level discovery), you can deploy it using AWS CloudFormation to create the role in each account.

  1. If you haven't already done so, open CloudFormation.

  2. Click StackSets, then click Create StackSet.

  3. In Permissions, select Service-managed permissions.

  4. In Prerequisite - Prepare template, select Template is ready.

  5. In Specify template, select Upload a sample template. Then, click Choose file and browse to and upload the .yml file you just created.

  6. In the Specify StackSet Details page, configure the StackSet options as follows.

    • For AWSArn, enter the Amazon Resource Name (ARN) that is to be allowed to run CDV. This can be for a user (where the user's credentials are used for discovery and visibility), a role (attached to an EC2 instance, using the instance's credentials for discovery and visibility), all users, or all roles from the CDV Host account.

      To specify a user, enter one of the following User ARNs, as appropriate:

      • A specific user from the CDV Host account:

        arn:aws:iam::<CDVHostAccountNumber>:user/<user-name>
      • A specific user name from any account:

        arn:aws:iam::*:user/<user-name>
      • All users from the CDV host account:

        arn:aws:iam::<CDVHostAccountNumber>:user/*

      To specify a role, enter one of the following Role ARNs, as appropriate:

      • A specific role from the CDV Host account:

        arn:aws:iam::<CDVHostAccountNumber>:role/<role-name>
      • A specific role from any account:

        arn:aws:iam::*:role/<role-name>
      • All roles from the CDV host account:

        arn:aws:iam::<CDVHostAccountNumber>:role/*

      To simply allow all users and roles from the CDVHostAccountNumber account, use an asterisk:

      *
    • In CDVHostAccountNumber, enter the AWS ID number of the account where CDV is deployed and hosted.

    • In CrossAccountRoleName, enter a name for the cross-account role (such as cross-account-role).

  7. In the Configure StackSet options page, configure the following:

    • For Managed execution, click Inactive.

  8. In the Set deployment options page, configure the following:

    • In Deployment targets, you can either select Deploy to organization or Deploy to organizational units (OUs). If you select Deploy to organizational units (OUs), you must specify the OU IDs.

    • In Auto-deployment options, configure the following:

      • In Automatic deployment, select Activated.

      • In Account removal behavior, select Delete stacks.

    • In Specify regions, add the regions in which you want to deploy stacks.

  9. When asked to review your settings, check that you've entered everything correctly. Then, under Capabilities, select the acknowledge checkbox and click Submit.

  10. When you're done, you must then attach the AssumeRole permission to a user or role that will run Discovery.

    Note: If you are running CDV on an EC2 instance, you must assign the AssumeRole permission to a role.

    To assign the AssumeRole permission to a user or role, use the following JSON code:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor4",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::*:role/<CrossAccountRoleName>"
            }
        ]
    }
  11. If you will run Discovery from a member account by assuming a role created in the management or delegated administrator account (with the necessary organization-level permissions), you must attach the following permission to the user or role in the member account that will perform Discovery:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": "arn:aws:iam::<Management or Delegated Administrator Account Number>:role/<RoleToBeAssumed>"
            }
        ]
    }
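    As an added pre-deployment check (example code written for this page, not part of BlueCat Gateway or CDV), the script below fills in the step 10 policy, tests its `arn:aws:iam::*:role/<CrossAccountRoleName>` Resource against the role ARN the StackSet creates in each member account, and classifies the AWSArn value by the forms listed in step 6, so you can confirm the principal is pinned to the CDV Host account rather than to any account. It assumes IAM's `*`/`?` wildcard matching rules and uses constructed 12-digit account numbers.

```python
import re


def iam_arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' spans any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def classify_aws_arn(aws_arn: str, host_account: str) -> str:
    """Map the AWSArn parameter to one of the forms the procedure lists:
    'host-scoped' (pinned to the CDV Host account), 'any-account' (account field
    is '*'), 'all' (a bare '*'), or 'other-account' (some third account)."""
    if aws_arn == "*":
        return "all"
    m = re.fullmatch(r"arn:aws:iam::(\*|\d{12}):(user|role)/(.+)", aws_arn)
    if m is None:
        raise ValueError(f"not a user or role ARN: {aws_arn}")
    account = m.group(1)
    if account == host_account:
        return "host-scoped"
    return "any-account" if account == "*" else "other-account"


def assume_role_policy(cross_account_role_name: str) -> dict:
    """The step 10 AssumeRole policy with <CrossAccountRoleName> filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::*:role/{cross_account_role_name}",
        }],
    }


def check_deployment(host_account, aws_arn, role_name, member_accounts) -> dict:
    """For each member account, report whether the step 10 policy's Resource
    covers the role the StackSet creates there, and how broad AWSArn is."""
    policy = assume_role_policy(role_name)
    allowed = [s["Resource"] for s in policy["Statement"]
               if s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"]
    assumable = {}
    for account in member_accounts:
        target = f"arn:aws:iam::{account}:role/{role_name}"  # role the StackSet creates
        assumable[account] = any(iam_arn_matches(p, target) for p in allowed)
    return {"principal_scope": classify_aws_arn(aws_arn, host_account),
            "assumable": assumable}


if __name__ == "__main__":
    # Constructed sample values, not real account IDs or role names.
    print(check_deployment("111111111111", "arn:aws:iam::111111111111:role/cdv-host",
                           "cross-account-role", ["222222222222", "333333333333"]))
```

A result of "any-account" or "all" for principal_scope means the trust policy will accept principals outside the CDV Host account, which is the main thing to review before submitting the StackSet.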

When you're done, you can set up credentials in CDV for running Organization-level discoveries.