Creating AWS Credentials Using a Role for Cross-Account Access

Note: Cloudcheckr strongly recommends you create credentials using a role for cross-account access because it is a more secure way of granting programmatic access to your AWS accounts. IAM access keys require periodic rotation and can be shared or stolen.


To analyze your Amazon Web Services (AWS) account, CloudCheckr needs credentials for the account. The preferred method for creating credentials is to create a role for cross-account access.

In this procedure, you will learn how to:

  • create a cross-account access role
  • attach the AWS Read-Only policy to the role
  • create a secondary IAM policy
  • attach the secondary policy to the cross-account access role
  • copy an ARN resource to your account

Create a Cross-Account Access Role and Attach the AWS Read-Only Policy

  1. Log in to your AWS Management Console.
  2. Load the Identity and Access Management (IAM) dashboard.
  3. The Welcome to Identity and Access Management screen displays.

  4. Click Roles on the left side of the console.
  5. The Roles page opens.

  6. From the middle of the page, click Create role.
  7. The Create role page opens.

  8. From the Select role type section, click Another AWS account.
  9. The screen prompts you to add an Account ID and other options.

  10. Copy the account ID from your Cloudcheckr account.
    1. Launch Cloudcheckr.
    2. From the left navigation pane, select Account Settings > AWS Credentials.
    3. Click Toggle Manual.
    4. From the Edit AWS Credentials field in step 8 on the page, copy the account ID.
    5. Return to AWS and paste the account ID into the corresponding text field.

  11. In the Options section, select Require external ID (Best practice when a third party will assume this role).
  12. Information about the security of your role displays.

  13. Copy the external ID from your Cloudcheckr account.
    1. Return to Cloudcheckr.
    2. From the left navigation pane, select Account Settings > AWS Credentials.
    3. From the Use a Role for Cross-Account Access tab, copy the external ID.
    4. Return to AWS and paste the external ID into the corresponding text field.
    5. Verify that the Require MFA radio button is not selected.
  14. Return to Cloudcheckr.
  15. Click Next: Permissions.
  16. A list of policies displays.

  17. Select the ReadOnlyAccess policy from the list and click Next: Review.
  18. The Review page opens.

  19. Enter the name of your role, and click Create role.

Note:  We recommend choosing a name that will be easy for you to recognize.

AWS creates the new role and adds it to the list of roles.


Attach the Secondary Policy

Now, you will create a new secondary policy to cover the items that Cloudcheckr reports on that are not covered by the Amazon default Read-Only policy.

  1. Click Policies on the left side of the console.
  2. A list of policies displays.

  3. Click Create Policy.
  4. The Create Policy page displays.

  5. Navigate to the Create Your Own Policy option and click Select.
  6. In the Policy Name text field, type a name for your policy. We recommend you name your policy Cloudcheckr for easy identification.
  7. In the Description text field, type a description for your policy.
  8. You can download the secondary IAM policy here, or copy the policy from below.

    Updated 2015-12-28

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AdditionalPermissions",
                "Effect": "Allow",
                "Action": [
                    "cloudformation:GetStackPolicy",
                    "cloudhsm:Describe*",
                    "cloudhsm:List*",
                    "glacier:List*",
                    "glacier:DescribeVault",
                    "glacier:GetVaultNotifications",
                    "glacier:DescribeJob",
                    "glacier:GetJobOutput",
                    "sdb:DomainMetadata",
                    "support:*",
                    "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaceBundles",
                    "workspaces:DescribeWorkspaces"
                ],
                "Resource": "*"
            },
            {
                "Sid": "CloudWatchLogsSpecific",
                "Effect": "Allow",
                "Action": [
                    "logs:GetLogEvents",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:*"
                ]
            }
        ]
    }
    

  9. Click Validate Policy.
  10. The message, This policy is valid, displays.

  11. Click Create Policy.

The secondary policy is added to the list of policies.


Attach the Secondary Policy to the Cross-Account Access Role

  1. Click Roles on the left side of the console.
  2. From the list of roles, click the cross-account role that you created earlier in this procedure.
  3. A summary of the role displays.

  4. Click Attach policy.
  5. A list of policies displays.

  6. Select the secondary policy and click Attach policy.

The secondary policy, in addition to the AWS Read-Only policy, is now attached to the cross-account access role.


Copy an ARN Resource to Your Account

When creating the secondary policy, you will need to set the CloudWatchLogsSpecific Resource ARN to match the partition of your AWS environment:

  • Standard AWS accounts use “arn:aws:logs:*:*:*”.
  • GovCloud accounts use “arn:aws-us-gov:logs:*:*:*”.
  • China Region accounts use “arn:aws-cn:logs:*:*:*”.

  1. Click Roles on the left side of the console.
  2. Copy the Role ARN from the top of the Summary page. It has the format arn:aws:iam::YourAccountIDHere:role/CloudCheckrRole.
  3. Return to Cloudcheckr.
  4. From the left navigation pane, select Account Settings > AWS Credentials.
  5. The Use a Role for Cross-Account Access tab displays by default.

  6. In the AWS Role ARN text field, paste the role ARN you copied over from AWS.
  7. Click Update.

Cloudcheckr will begin populating your account with data. Depending on the size of your AWS account, this can take a few hours or more.
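As an added example (not CloudCheckr's own code), the script below builds the two IAM documents this procedure has you create by hand: the trust policy that the "Another AWS account" + "Require external ID" choices produce, and the secondary policy with the CloudWatchLogsSpecific Resource ARN selected for the standard, GovCloud, or China partition. It also checks a trust policy for the three things that matter here: the principal is the expected account rather than "*", an sts:ExternalId condition is present, and MFA is not required. The account ID and external ID are placeholders; the IAM condition keys (sts:ExternalId, aws:MultiFactorAuthPresent) and the root-principal ARN form are the ones IAM uses.

```python
"""Constructed example: build and sanity-check the IAM documents from the procedure.
The account ID and external ID below are placeholders, not real values."""
import json
import re

# Resource ARN for the CloudWatchLogsSpecific statement, keyed by AWS partition.
LOGS_ARN_BY_PARTITION = {
    "aws": "arn:aws:logs:*:*:*",                # standard accounts
    "aws-us-gov": "arn:aws-us-gov:logs:*:*:*",  # GovCloud
    "aws-cn": "arn:aws-cn:logs:*:*:*",          # China regions
}

# Actions from the page's AdditionalPermissions statement.
ADDITIONAL_ACTIONS = [
    "cloudformation:GetStackPolicy",
    "cloudhsm:Describe*", "cloudhsm:List*",
    "glacier:List*", "glacier:DescribeVault", "glacier:GetVaultNotifications",
    "glacier:DescribeJob", "glacier:GetJobOutput",
    "sdb:DomainMetadata",
    "support:*",
    "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspaceBundles",
    "workspaces:DescribeWorkspaces",
]


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to 'Another AWS account' with 'Require external ID'
    selected and 'Require MFA' left unselected in the console."""
    if not re.fullmatch(r"\d{12}", trusted_account_id):
        raise ValueError("an AWS account ID is exactly 12 digits")
    if not external_id:
        raise ValueError("external ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_secondary_policy(partition: str = "aws") -> dict:
    """The page's secondary policy, with the logs ARN chosen for the partition."""
    if partition not in LOGS_ARN_BY_PARTITION:
        raise ValueError(f"unknown partition {partition!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AdditionalPermissions", "Effect": "Allow",
             "Action": ADDITIONAL_ACTIONS, "Resource": "*"},
            {"Sid": "CloudWatchLogsSpecific", "Effect": "Allow",
             "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups",
                        "logs:DescribeLogStreams"],
             "Resource": [LOGS_ARN_BY_PARTITION[partition]]},
        ],
    }


def check_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return findings for every sts:AssumeRole grant in the trust policy.
    An empty list means the policy matches what the procedure intends."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if principal == "*" or aws_principal == "*":
            findings.append("principal is '*': any AWS account could assume the role")
        elif expected_account_id not in str(aws_principal):
            findings.append("principal is not the expected third-party account")
        # Each Condition value is an operator block such as {"sts:ExternalId": "..."}.
        conditions = [v for v in stmt.get("Condition", {}).values() if isinstance(v, dict)]
        if not any("sts:ExternalId" in c for c in conditions):
            findings.append("no sts:ExternalId condition: confused-deputy protection is missing")
        if any("aws:MultiFactorAuthPresent" in c for c in conditions):
            findings.append("requires MFA, which an automated third-party service cannot present")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy("111122223333", "EXAMPLE-EXTERNAL-ID")  # placeholders
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_secondary_policy("aws"), indent=2))
    print(check_trust_policy(trust, "111122223333"))  # []
```

The printed trust document is what you would hand to `aws iam create-role --assume-role-policy-document file://trust.json` if scripting the same steps; the console produces the same structure. Running `check_trust_policy` against an existing role's trust policy (for example, one retrieved with `aws iam get-role`) is a quick way to confirm that the external ID requirement survived later edits to the role.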

Note: You can find the specific permissions that Cloudcheckr’s Automation features need here: https://support.cloudcheckr.com/automation/
You can add these permissions as another policy attached to your cross-account access role.