Multiple AWS Accounts Support


Introduction

The following prerequisites must be completed before the AWS connector can be used across multiple AWS accounts.

For this kind of setup, access to all AWS accounts is delegated using IAM roles: a role is created in each account to be scanned, and trust-based access to that role is established. The trust relationship is created between the master account and a group of tenant (child) accounts.

The federation is shown in the diagram below:

[Figure: image2018-5-15 16_44_14.png – federation between the master account and the child accounts]

Note the following terms:

  • Master Account – The account containing a user with permission to access the resources of all other accounts. This user is the connector user; when you create a connector, the credentials of this user are required.
  • Child Account – An account that has established a trust relationship with the master account, so that the master account user can scan its resources.

Prerequisites for setup:

  1. N separate AWS accounts: one master account and N-1 child accounts.
  2. A user in the master account who will scan the resources of the child accounts.

Create Role

To allow users from one AWS account to access resources in another AWS account, create a role in each child account that has the permissions already documented for the connector to work. [Refer this – Permissions needed for running AWS Connector].

(i) Obtain the account number of the master account:
          a. Sign in to the AWS Management Console as an administrator of the master account.
          b. In the navigation bar, choose Support, and then Support Center. The Account Number is in the upper right corner, immediately below the Support menu. The account ID is a 12-digit number.
(ii) When creating the role in the child account, choose Another AWS Account as the role type and enter the master account ID obtained above, as shown below:

[Figure: Step11.png – creating the role with "Another AWS Account" as the trusted entity]

(iii) Once the connector role has been created with the connector permissions attached as its policy, it should look like the screenshot below. The "Trust Relationships" tab lists the master account as the trusted entity.

[Figure: image2018-5-21 10_49_39.png – the created role and its Trust Relationships tab]

[Refer this for detailed instructions – https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html]

(iv) At this point there is a connector role in each child account (ConnectorRole1 and ConnectorRole2 in this example). Copy the ARNs of these roles; they are needed in the next step.

Grant Access to the role to the master account

At this point the roles in the child accounts trust the master account, but the master account user still needs permission to assume them. Grant that permission to the specific user who will access the child resources by modifying the policy of that user (or the user's group) in the master account. While creating or modifying this policy, use the ARNs of ConnectorRole1 and ConnectorRole2 copied in the previous step. When you create a connector, the credentials of the user who has this policy attached are required. Only the following three ways of granting the assume-role permission are supported.

a) The master account user has the assume-role policy attached directly.

[Figure: image2018-5-21 10_43_4.png – assume-role policy attached directly to the user]

Assume Role Policy Example (the policy document was missing colons and closing quotes and contained stray spaces inside the ARNs; it is shown here as valid JSON):

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::11111111111:role/ConnectorRole1",
      "arn:aws:iam::11111111112:role/ConnectorRole2"
    ]
  }
}

b) The master account user belongs to a group that has an inline policy granting the necessary sts:AssumeRole permissions.

[Figure: image2018-5-21 10_53_3.png – group with an inline assume-role policy]

c) The master account user belongs to a group that has an attached (managed) policy granting the necessary sts:AssumeRole permissions.

[Figure: image2018-5-21 11_39_51.png – group with an attached assume-role policy]
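The two policy documents above (the child role's trust policy and the master user's assume-role policy) are easy to get subtly wrong, as the example shows: stray spaces inside an ARN or a malformed account ID produce a policy that never matches. The following Python helper, added here as an example and not part of the connector's own code, generates both documents from a list of child roles and rejects account IDs that are not exactly 12 digits. The ExternalId condition and all account IDs are constructed sample values, not taken from the page.

```python
"""Generate the IAM policy documents for the multi-account connector setup."""
import json
import re
from typing import Dict, Optional

# AWS account IDs are exactly 12 digits; anything else is rejected early so a
# typo does not silently turn into a policy that grants nothing.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def validate_account_id(account_id: str) -> str:
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"invalid AWS account ID: {account_id!r}")
    return account_id


def child_trust_policy(master_account_id: str,
                       external_id: Optional[str] = None) -> dict:
    """Trust policy attached to the connector role in a child account.

    Trusting the master account's root lets the master account decide which
    of its own users may assume the role. The optional ExternalId condition is
    an added hardening (assumption, not required by the page): it limits
    assumption to callers that present the agreed value."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{validate_account_id(master_account_id)}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def master_assume_role_policy(child_roles: Dict[str, str]) -> dict:
    """Identity policy for the master-account connector user or group.

    child_roles maps child account ID -> connector role name. The resulting
    policy allows sts:AssumeRole on exactly those roles and nothing else."""
    resources = [f"arn:aws:iam::{validate_account_id(acct)}:role/{role}"
                 for acct, role in child_roles.items()]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "sts:AssumeRole",
                           "Resource": resources}]}


if __name__ == "__main__":
    # Constructed sample account IDs, not real accounts.
    print(json.dumps(child_trust_policy("123456789012", "connector-xyz"), indent=2))
    print(json.dumps(master_assume_role_policy(
        {"111111111111": "ConnectorRole1", "222222222222": "ConnectorRole2"}), indent=2))
```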

Test access by switching roles

After completing the first two sections, you have roles that grant access to resources in the child accounts. Test the setup with a master account user who has no assume-role permission and with the user who has it: only the child accounts for which trust-based access has been established can be scanned.

Similar instructions can be found at https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
