Create a Cross-Account Access Role and Attach AWS Read-Only Policy

Introduction

This procedure will show you how to create a cross-account access role in AWS and attach the AWS read-only policy to the role.


Procedure

  1. Log in to the AWS Management Console.
  2. The AWS services page opens.
  3. Scroll down to the Security, Identity & Compliance section and select IAM.
  4. The Welcome to Identity and Access Management screen displays.

  5. From the dashboard, click Roles.
  6. The Roles page opens.

  7. From the middle of the page, click Create role.
  8. The Create role page opens.

  9. In the Select type of trusted entity section, click Another AWS account.
  10. The screen prompts you to add an Account ID and other options.

  11. Copy the account ID from your CloudCheckr account.

    How Do I Retrieve My Account ID from CloudCheckr?

    1. Launch CloudCheckr.
    2. Select your account from the Accounts List page.
    3. From the left navigation pane, select Account Settings > AWS Credentials.
    4. Click Toggle Manual vs CloudFormation to create a cross-account role manually.
    5. From the Enter these values text field in step 7, copy the account ID.

  12. Return to the Create role page in AWS and paste the CloudCheckr account ID into the Account ID text field.
  13. In the Options section, select Require external ID (Best practice when a third party will assume this role).
  14. Information about the security of your role displays.

  15. Copy the external ID from your CloudCheckr account.

    How Do I Retrieve My External ID from CloudCheckr?

    1. Return to your selected account in CloudCheckr.
    2. From the left navigation pane, select Account Settings > AWS Credentials.
    3. Click Toggle Manual vs CloudFormation to create a cross-account role manually.
    4. From the Enter these values text field in step 7, copy the external ID.

  16. Return to the Create role page in AWS and paste the external ID into the External ID text field.
  17. Verify that the Require MFA radio button is not selected.
  18. Click Next: Permissions.
  19. A list of policies displays.

  20. In the Search text field, type ReadOnlyAccess to filter the list of policies.
  21. Select the checkbox next to the ReadOnlyAccess policy and click Next: Review.

    Note: Many policies contain ReadOnlyAccess as part of their name. Be sure to select the policy whose name is exactly ReadOnlyAccess.

    The Review page opens.

  22. Type a name for the role, and click Create role.

    Note: We recommend choosing a name that will be easy for you to recognize.

    AWS returns you to the Roles page and adds the new role to the list. A message indicates that the role has been created.

  23. Go to Create and Attach a Secondary Policy to continue preparing your AWS account for CloudCheckr access.
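The Create role steps above, expressed as an added script that is not part of CloudCheckr's documentation or tooling: it builds the trust policy that the console choices produce (trusted entity is another AWS account, external ID required, no MFA), reviews an existing trust policy for the weaknesses those choices avoid (wildcard principal, missing sts:ExternalId condition, an MFA requirement a third-party service cannot satisfy), and prints the equivalent aws iam create-role and attach-role-policy commands. Attaching by the exact ARN arn:aws:iam::aws:policy/ReadOnlyAccess sidesteps the name collision the note above warns about. The account ID, external ID and role name in the script are constructed placeholders; substitute the values shown on your CloudCheckr AWS Credentials page.

```python
import json
import re
import shlex

# Constructed placeholders: replace with the values from the CloudCheckr
# AWS Credentials page. None of these are real CloudCheckr identifiers.
CLOUDCHECKR_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id-from-cloudcheckr"
ROLE_NAME = "CloudCheckrReadOnlyRole"  # assumed name; pick one you recognize
READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # exact managed policy


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy matching the console choices: another AWS account as the
    trusted entity, external ID required, Require MFA left unselected."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    if not external_id:
        raise ValueError("external ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_problems(policy: dict) -> list:
    """Review a trust policy document and report findings a defender would
    flag for a role that a third party will assume."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("principal is a wildcard: any AWS account could assume the role")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            problems.append("no sts:ExternalId condition: role is exposed to confused-deputy misuse")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true":
            problems.append("MFA is required: a third-party service cannot satisfy this")
    return problems


def cli_commands(role_name: str, policy: dict, policy_arn: str = READ_ONLY_POLICY_ARN) -> list:
    """Equivalent AWS CLI invocations for creating the role and attaching
    the managed policy by its exact ARN."""
    doc = json.dumps(policy, separators=(",", ":"))
    return [
        f"aws iam create-role --role-name {shlex.quote(role_name)} "
        f"--assume-role-policy-document {shlex.quote(doc)}",
        f"aws iam attach-role-policy --role-name {shlex.quote(role_name)} "
        f"--policy-arn {policy_arn}",
    ]


if __name__ == "__main__":
    trust = build_trust_policy(CLOUDCHECKR_ACCOUNT_ID, EXTERNAL_ID)
    findings = trust_policy_problems(trust)
    print("trust policy findings:", findings or "none")
    print(json.dumps(trust, indent=2))
    for cmd in cli_commands(ROLE_NAME, trust):
        print(cmd)
```

Run the script as is to inspect the generated document before touching the account; trust_policy_problems can also be pointed at a trust policy retrieved from an existing role to confirm it still carries the external ID condition and no wildcard principal.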

See Also:

Preparing Your AWS Account