How to setup cross account access in AWS for variety of use-cases such as audit, security and compliance at scale.
In this blog we will walk through how to create a role an external account that we want to AssumeRole into. In our example we will provide the new role in the external account with broad ReadOnly permissions (but you are free to change to whatever you want).
If you are familiar AWS IAM feel free to skip this section. But here is a quick recap: AWS IAM is the underlying service that AWS services rely on for authorization. While there are many ways of getting valid AWS credentials (setting up AWS SSO) this blog is going to focus on how you can use those credentials once you have them. Before we dive in a few high level concepts that we need to clarify:
This means that a single policy cannot grant User in Account A access to a resource in Account B. A common scenario is for one user or role to access resources in Account B for use cases such as auditing and monitoring. In order for a user in Account A to access a resource in a different Account they must get access to credentials that are from Account B. The most common and secure way to enable User A in Account A to access resource B in Account B is done via cross account role assumption. This means that Account B defines a role, Role-B, that has a Trust Policy that says that entities from Account A are allowed to assume it, this effectively means that entities from Account A are able to get credentials that have the access of Role-B. So once that is in place User-A is able to assume Role-B and use the new credentials to interact with Resource-B.
In this tutorial we will show you how to do in the console (ClickOps) but feel free to automate it via your favorite IaC.
Go to iam→roles
and click Create Role
For Trusted Entity, Choose AWS account, click Another AWS account and fill-in the account id you want to access from and click next
Attach the Permission policy you want this role to have. In our case we will attach ReadOnlyAccess
- mark the checkbox and click next.
Last screen should look like the following and you should name the role the same name in all accounts you want to AssumeRole into. In this case we marked it as CrossAccountReadOnlyRole
Repeat 1-4 for each account you want to access from.
Login into your account where you want to assume role from and go to iam→policies and click Create Policy. Paste the following policy in the JSON
tab
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/CrossAccountReadOnlyRole"
}
]
}
So it should look something like the following:
Click Next, give it tags and then pick a name. We will use CloudQueryCrossAccountReadOnlyAccess
Now you can go to user or role that you use in your main account and attach the policy:
That’s it! You are done now you can use assume role via this role.
Subscribe for monthly updates
Open-source, product updates, blog-posts, news and more