Creating A Role For Cross-Account Access

We strongly recommend you use a Role for Cross-Account Access instead of IAM Access Keys. Access Keys are long-lived credentials that require periodic rotation and can be shared or stolen; a cross-account role is a more secure way of granting programmatic access to your AWS accounts. Only use IAM Access Keys if you absolutely must.

Follow these steps to allow CloudCheckr to access your account using an IAM Role.

Step 1:

Login to your AWS Management Console and access the IAM Roles section by selecting IAM from the services list. Then click Roles.

[Screenshot: Select IAM > Roles]

Step 2:

Click the button Create New Role.

[Screenshot: Create New Role]

Step 3:

Enter CloudCheckrRole as the role name and click Next Step.

Note: You can choose a different name for the role. We recommend using one you will recognize.

[Screenshot: Enter role name]

Step 4:

Select the option Role for Cross-Account Access, then select the option Allows IAM users from a 3rd party AWS account to access this account.

[Screenshot: Role for Cross-Account Access]

Step 5: 

AWS will ask for an Account ID and an External ID. Enter the values found in your CloudCheckr account, at the bottom of the report navigation, under Account Settings > AWS Credentials > Tab: Use a Role for Cross-Account Access. When finished, select Update.

[Screenshots: Enter Account ID and External ID]

Step 6:

Select the policy called ReadOnlyAccess. Click Next Step, then click Create Role.
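Once Create Role completes, the role carries a trust policy (its AssumeRolePolicyDocument) built from the Account ID and External ID entered in Step 5. The following Python is an added example, not CloudCheckr's or AWS's code: build_trust_policy reproduces the document the console generates for the "Allows IAM users from a 3rd party AWS account" option, and audit_trust_policy checks an existing trust policy for the two properties that matter for a third-party role, namely that only the expected account appears as a principal and that an sts:ExternalId condition is present (the External ID is what stops another CloudCheckr customer from having CloudCheckr assume your role on their behalf). The account ID and External ID in the block are constructed placeholders.

```python
import json
import re

# Constructed placeholder values; use the Account ID and External ID shown in
# CloudCheckr under Account Settings > AWS Credentials.
CLOUDCHECKR_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(trusted_account_id: str, external_id: str, partition: str = "aws") -> dict:
    """Return the trust policy the console generates for the
    'Allows IAM users from a 3rd party AWS account' option with an External ID.
    The StringEquals condition on sts:ExternalId must be satisfied on every
    AssumeRole call, which is the confused-deputy protection for this role."""
    if not re.fullmatch(r"\d{12}", trusted_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    if not external_id:
        raise ValueError("External ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:{partition}:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return a list of findings (empty means the policy is as expected).
    Every Allow statement granting sts:AssumeRole must name only the expected
    account as an AWS principal and must carry an sts:ExternalId condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or a dict such as {"AWS": [...]}.
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append("principal '*' lets any AWS account assume the role")
            elif expected_account_id not in p:
                findings.append(f"unexpected principal {p}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(CLOUDCHECKR_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=4))
    print("findings:", audit_trust_policy(trust, CLOUDCHECKR_ACCOUNT_ID))
```

To audit the role you actually created, paste the trust policy shown on the role's Trust Relationships tab into audit_trust_policy with CloudCheckr's account ID; any finding means the role is assumable more widely than this guide intends.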


Step 7:

Create a new secondary policy that covers the items CloudCheckr reports on which the AWS-managed ReadOnlyAccess policy does not include. First, click the Policies link on the left side of the console.


[Screenshot: IAM Policies]

Step 8:

Click the Create Policy button.

[Screenshot: Create Policy]

Step 9:

Choose Create Your Own Policy.

[Screenshot: Create Your Own Policy]

Step 10:

Add a name for your policy. We recommend you name your policy “CloudCheckr” so you know its purpose, but you can use any name.

Step 11:

Add the CloudCheckr policy into the Policy Document.

You can download the secondary IAM policy here, or copy below.
Updated 2015-12-28

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdditionalPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetStackPolicy",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "sdb:DomainMetadata",
                "support:*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

IMPORTANT: When creating the secondary policy you will need to change the CloudWatchLogsSpecific Resource ARN to match the AWS partition you are working in. Standard AWS accounts use “arn:aws:logs:*:*:*”, GovCloud accounts use “arn:aws-us-gov:logs:*:*:*”, and China Region accounts use “arn:aws-cn:logs:*:*:*”.
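To make the partition substitution mechanical, the following added Python (not CloudCheckr's code) derives the partition from the role ARN of Step 14 and rewrites the Resource entries of the CloudWatchLogsSpecific statement accordingly, so the logs ARN always matches the role the policy is attached to. It also lists the actions whose names do not start with Describe, Get or List; that is a naming heuristic only (sdb:DomainMetadata is a read-only call despite its name, and support:* is broader than read-only), meant to give a reviewer the short list of entries to confirm against what CloudCheckr actually needs. The role ARN used in the block is a constructed placeholder.

```python
import copy
import json
import re

# The secondary policy from this page, with the standard-partition logs ARN.
SECONDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdditionalPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetStackPolicy",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "sdb:DomainMetadata",
                "support:*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces",
            ],
            "Resource": "*",
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
            "Resource": ["arn:aws:logs:*:*:*"],
        },
    ],
}

# arn:partition:service:region:account:resource
ARN_RE = re.compile(
    r"arn:(?P<partition>aws(?:-[a-z]+)*):(?P<service>[a-z0-9-]*):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{0,12}):(?P<resource>.+)"
)


def partition_from_arn(arn: str) -> str:
    """Return the partition of an ARN: 'aws', 'aws-us-gov' or 'aws-cn'."""
    m = ARN_RE.fullmatch(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.group("partition")


def secondary_policy_for(role_arn: str) -> dict:
    """Copy SECONDARY_POLICY and rewrite every ARN-form Resource so its
    partition matches the partition of the role it will be attached to."""
    partition = partition_from_arn(role_arn)
    policy = copy.deepcopy(SECONDARY_POLICY)
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            continue  # a bare "*" carries no partition
        stmt["Resource"] = [
            re.sub(r"^arn:aws(?:-[a-z]+)*:", f"arn:{partition}:", r) for r in resources
        ]
    return policy


def non_read_only_actions(policy: dict) -> list:
    """Actions whose name does not start with Describe/Get/List, for review."""
    flagged = []
    for stmt in policy["Statement"]:
        for action in stmt["Action"]:
            _service, _, name = action.partition(":")
            if not name.startswith(("Describe", "Get", "List")):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    # Constructed placeholder role ARN in the GovCloud partition.
    role_arn = "arn:aws-us-gov:iam::123456789012:role/CloudCheckrRole"
    policy = secondary_policy_for(role_arn)
    print(json.dumps(policy, indent=4))
    print("actions to review:", non_read_only_actions(policy))
```

Paste the printed document into the Policy Document field in Step 11; if the role ARN you copy in Step 14 starts with arn:aws-us-gov or arn:aws-cn, the logs Resource will already carry the matching partition.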
Note:

Another option for your CloudCheckr policy is to use our complete read-only access policy, or a subset of it. This gives you discrete control over every permission in your policy. For more information, see the following links:

Step 12:

Select Validate Policy and then click the Create Policy button.

[Screenshot: Validate and create policy]

Step 13:

Attach the newly-created secondary policy to your role.

Go to Roles, select your Role, and click Attach Policy.

[Screenshot: Attach Policy from the role]

Within the Attach Policy screen you can select your new secondary policy as created in Step 12.

[Screenshot: Attach Policy screen]

Step 14:

Go to the Roles section and select your updated role. Copy the Role ARN, which will have the format arn:aws:iam::YourAccountIDHere:role/CloudCheckrRole.

Step 15:

Return to CloudCheckr and navigate to the Edit AWS Credentials page, located at Account Settings > AWS Credentials. By default, you will be on the tab called Use a Role for Cross-Account Access. Paste the copied Role ARN into the AWS Role Arn textbox and click Update.

[Screenshot: Cross-account role configuration in CloudCheckr]

Step 16:

The specific permissions that CloudCheckr’s Automation features require are listed here: http://support.cloudcheckr.com/automation/

These permissions can be added as another policy to your role via the instructions starting on Step 7.