Creating A Role For Cross-Account Access

We strongly recommend you use Roles for Cross-Account Access instead of IAM Access Keys. IAM Access Keys require periodic rotation and can be shared or stolen. Roles for Cross-Account Access are a more secure way of granting programmatic access to your AWS accounts. Only use IAM Access Keys if you absolutely must.

Follow these steps to allow CloudCheckr to access your account using an IAM Role.

Step 1:

Prior to creating the role you will want to create your account in CloudCheckr.  At first, this will be a credential-less account that will eventually house the assigned Cross-Account Role. You can find steps for creating the account here. There are many customizations you can do, but at a minimum you will need to perform step 1 on the linked page — Creating An Account Within CloudCheckr. When you have completed creating an account within CloudCheckr, return to this page.


Step 2 (Choosing your Role-creation method):

You can add a cross-account role in either an automatic or manual way. The two methods are defined as such:

Automatic method: Uses a CloudFormation stack to create a role with an AWS security policy containing all relevant privileges. This method is quicker and easier, and has the advantage of a constantly-updated policy so that as soon as new AWS features are supported within CloudCheckr, your account will reflect any reporting on the new metrics. To use the automatic/CloudFormation role creation method click here. Once complete, you will not need to return to this page.

Manual method: The manual method involves the creation of a role and security policy within AWS IAM. If you want complete flexibility over how your roles are created, then use the manual method. The steps are detailed below.


Step 3 (Manual Method):

Login to your AWS Management Console and access the IAM Roles section by selecting IAM from the services list. Then click Roles.



Step 4:

Click the button Create New Role.

create new role



Step 5:

role for cross account access



Step 6:

AWS will ask for Account ID and External ID — enter the values found in your CloudCheckr account, at the bottom of the report navigation, under the section Account Settings > AWS Credentials > Tab: Use a Role for Cross-Account Access. When finished, select Update.


enter account id and stuff


Step 7:

Select the policy called ReadOnlyAccess. Click Next Step, then click Create Role.


Step 8:

Enter CloudCheckrRole as the role name and click Next Step.

Note: You can choose a different name for the role. We recommend using one you will recognize.



Step 9:

Create a new secondary policy to cover the items that CloudCheckr reports on that are not covered by the Amazon default Read-Only policy. First, click the Policies link on the left side of the console.

iam policies



Step 10:

Click the Create Policy button.



Step 11:

Choose Create Your Own Policy.


Step 12:

Add a name of your Policy. We recommend you name your policy “CloudCheckr” so you know its purpose, but you can use any name.


Step 13:

Add the CloudCheckr policy into the Policy Document.

You can download the secondary IAM policy here, or copy below.
Updated 2015-12-28

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "AdditionalPermissions",
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
            "Resource": [

IMPORTANT: When creating the secondary policy you will need to change the CloudWatchLogsSpecific Resource ARN based on the AWS environment you’re working within. Standard AWS Accounts will use “arn:aws:logs:*:*:*”. GovCloud will use “arn:aws-us-gov:logs:*:*:*”, and China Region accounts will use “arn:aws-cn:logs:*:*:*”.



Another option for your CloudCheckr policy is to use our complete read-only access policy or a subset of it. By doing this, you can have discrete control over every permission in your policy. For more information, you can click on the following links:



Step 14:

Select Validate Policy and then Click the Create Policy button.



Step 15:

Attach the newly-created secondary policy to your role.

Go to Roles, select your Role, and click Attach Policy.



Within the Attach Policy screen you can select your new secondary policy as created in Step 12.




Step 16:

Go to the Roles section and select your updated role. Copy the Role ARN that will have the format arn:aws:iam::YourAccountIDHere:role/CloudCheckrRole.



Step 17:

Return to CloudCheckr and navigate to the Edit AWS Credentials page. This is located at Account Settings > AWS Credentials.  By default, you will be on a tab called Use a Role for Cross-Account Access. Paste the copied Role ARN in the textbox AWS Role Arn. Click Update.




Step 18:

You can access specific permissions to allow CloudCheckr’s Automation features to work here:

These permissions can be added as another policy to your role via the instructions starting on Step 7.