Create and Attach a Secondary Policy

Introduction

Once you have created a cross-account role and attached the AWS read-only policy, you need to create and attach a secondary policy that grants access to the resources the AWS Read-Only policy does not cover.


Procedure

  1. From the IAM dashboard, click Policies.

     How do I access the IAM dashboard?
       1. Log in to the AWS Management Console. The AWS services page opens.
       2. Scroll down to the Security, Identity & Compliance section and select IAM. The Welcome to Identity and Access Management screen displays.

     A list of policies displays.

  2. Click Create policy.
     The Create Policy page opens.

  3. Click JSON.
     The JSON tab opens, allowing you to create the policy using JSON syntax.

  4. Copy the secondary policy below.

     Secondary Policy (updated 2017-09-13)

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "AdditionalPermissions",
                 "Effect": "Allow",
                 "Action": [
                     "cloudformation:GetStackPolicy",
                     "cloudhsm:Describe*",
                     "cloudhsm:List*",
                     "glacier:List*",
                     "glacier:DescribeVault",
                     "glacier:GetVaultNotifications",
                     "glacier:DescribeJob",
                     "glacier:GetJobOutput",
                     "sdb:DomainMetadata",
                     "support:*",
                     "workspaces:DescribeWorkspaceDirectories",
                     "workspaces:DescribeWorkspaceBundles",
                     "workspaces:DescribeWorkspaces"
                 ],
                 "Resource": "*"
             },
             {
                 "Sid": "CloudWatchLogsSpecific",
                 "Effect": "Allow",
                 "Action": [
                     "logs:GetLogEvents",
                     "logs:DescribeLogGroups",
                     "logs:DescribeLogStreams"
                 ],
                 "Resource": [
                     "arn:aws:logs:*:*:*"
                 ]
             }
         ]
     }

     Note: You can also download and copy the secondary policy from here.

  5. Replace the text in the JSON tab with the policy you just copied and click Review policy.
     The Review policy page opens.

  6. Type a name for the policy and click Create policy.
     A message at the top of the policy page indicates that your policy has been created.

  7. In the Search text field, type the name of your secondary policy to filter the list of policies.

  8. Select the checkbox next to the secondary policy.

  9. From the Policy actions drop-down menu, select Attach.
     The secondary policy is now attached to the cross-account access role, alongside the AWS Read-Only policy.

  10. Go to the Copy an AWS Role ARN to Your CloudCheckr Account topic to continue preparing your AWS account for CloudCheckr access.
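Before pasting a policy into the JSON tab it is worth checking what it actually grants. The Python script below is an added example, not part of this page and not CloudCheckr's own tooling: it parses the secondary policy shown above and reports the actions that are not read-only by verb prefix, every wildcard action, and every wildcard resource, so you can confirm that the only broad grant is support:* before creating the policy. The Describe/Get/List prefix rule and the function names are my own assumptions; because the rule is a heuristic it flags sdb:DomainMetadata for manual review even though that call only reads domain metadata.

```python
"""Added example (not CloudCheckr's code): audit an IAM policy document before
creating it. The Describe/Get/List read-only rule is an assumed heuristic."""
import json

# Secondary policy exactly as shown on this page (2017-09-13 revision).
SECONDARY_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdditionalPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetStackPolicy",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "sdb:DomainMetadata",
                "support:*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": ["arn:aws:logs:*:*:*"]
        }
    ]
}
"""

# Verb prefixes treated as read-only (assumption: a heuristic, not an AWS rule).
READ_ONLY_VERBS = ("Describe", "Get", "List")


def load_policy(text: str) -> dict:
    """Parse the policy JSON and confirm it uses the current policy language."""
    policy = json.loads(text)
    if policy.get("Version") != "2012-10-17":
        raise ValueError("unexpected policy Version: %r" % policy.get("Version"))
    return policy


def _as_list(value):
    """IAM accepts a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """True if the action's verb starts with a read-only prefix.
    A bare wildcard verb such as support:* is never considered read-only."""
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def audit_policy(policy: dict) -> dict:
    """Collect review findings for every Allow statement in the policy."""
    findings = {
        "allow_statements": 0,
        "non_read_only": [],       # actions to justify before attaching
        "wildcard_actions": [],    # actions containing '*'
        "wildcard_resources": [],  # (Sid, resource) pairs containing '*'
    }
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        findings["allow_statements"] += 1
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt["Action"]):
            if "*" in action:
                findings["wildcard_actions"].append(action)
            if not is_read_only(action):
                findings["non_read_only"].append(action)
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings["wildcard_resources"].append((sid, resource))
    return findings


if __name__ == "__main__":
    report = audit_policy(load_policy(SECONDARY_POLICY))
    for key, value in report.items():
        print("%s: %s" % (key, value))
```

Run the script with python and compare its output with what you expect before clicking Create policy; if the policy file you downloaded differs from the text above, pass its contents to load_policy instead of SECONDARY_POLICY.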

See Also:
Preparing Your AWS Account