...
Enable CloudFormation StackSets service in the AWS Organization management account.
Log into the Management Account of your AWS Organization. Go to the AWS Organizations console, navigate to the Services tab, select CloudFormation StackSets and enable trusted access for CloudFormation StackSets. This is what allows a StackSet with service-managed permissions to deploy into every member account without you creating execution roles in each one.
...
Template for Zilla-IAM-Reader-Role
Save the template below into a file with the extension .yml, for example zilla-iam-reader-role-template.yml.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Zilla IAM Reader Role to sync an aws account'
Parameters:
  ZillaIAMReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-IAM-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-IAM-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    # The role survives deletion of the stack instance; remove it by hand if offboarding.
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaIAMReaderRoleName
      Description: 'IAM Role to allow Zilla AWS account read access to IAM service of this account.'
      # Read-only security metadata access; no write permissions.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Only principals in the Zilla account may assume this role ...
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            # ... and only when they present the agreed ExternalId.
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaIAMReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaIAMReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla IAM Reader Role ARN
```

The trust policy is the security boundary here: the Principal restricts assumption to the Zilla AWS account, and the `sts:ExternalId` condition is the standard protection against the confused-deputy problem, so the ExternalId you enter in the StackSet parameters must be exactly the value Zilla uses when it assumes the role. The role carries only the AWS managed `SecurityAudit` policy, which is read-only. Because of `DeletionPolicy: Retain`, deleting the StackSet or a stack instance leaves the role in place; delete it manually if you stop using Zilla.
Steps to create Zilla-IAM-Reader-Role in all member accounts of the AWS Organization
Create stack set for Zilla-IAM-Reader-Role
1. Log into the Management account of your AWS Organization.
2. Go to the CloudFormation console and navigate to StackSets.
3. Click Create StackSet. Select Service-managed permissions, select Template is ready, and upload the template file zilla-iam-reader-role-template.yml that you saved above. Click Next.
4. Give the StackSet a name and set the parameter values:
   - ZillaIAMReaderRoleName should be Zilla-IAM-Reader-Role.
   - ZillaExternalID should be your company's domain name. For example, if your company's domain name is example.com, enter example.com.
   - ZillaAccountId should be 087210011007.
   Click Next.
5. On the Configure StackSet options page, click Next.
6. Select Deploy new stacks, select Deploy to organization, and enable Automatic deployment. Select US East (N. Virginia) as the region and click Next. IAM is a global service, so a single region is sufficient: the role is created once per member account, not once per region.
7. Review the final details, acknowledge that CloudFormation may create IAM resources with custom names, and click Submit.
8. Check the status of the StackSet on the Stack instances tab. Wait for the Status column to show CURRENT for each member account. A StackSet with service-managed permissions that is deployed to the organization does not create a stack instance in the management account itself; if the management account also needs the role, create it there with an ordinary stack from the same template.
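The same procedure (enabling trusted access, creating the StackSet from the saved template, deploying it to the organization, and waiting for every stack instance to reach CURRENT) can be driven from the AWS CLI. The script below is an added example, not Zilla's tooling and not part of the original page. It assumes AWS CLI v2 is installed and authenticated in the Organization management account, that the template was saved as zilla-iam-reader-role-template.yml in the current directory, and that the organization root ID is supplied in ORG_ROOT_ID (a placeholder; the real value comes from `aws organizations list-roots`). Before anything is created it re-checks the parameter values against the template's own AllowedPattern constraints, so a bad value fails locally instead of as a failed stack instance in every member account, and it passes the parameters as JSON rather than CLI shorthand because the ExternalId pattern permits a comma, which shorthand would misread as a field separator.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console StackSet procedure.
# Assumes: AWS CLI v2, credentials for the Organization management account,
# and the template saved as zilla-iam-reader-role-template.yml.
set -eu

TEMPLATE_FILE="zilla-iam-reader-role-template.yml"
STACKSET_NAME="Zilla-IAM-Reader-Role"
REGION="us-east-1"                 # IAM is global; one region per account is enough
ZILLA_ACCOUNT_ID="087210011007"    # value given on the page; do not change
STACKSET_SERVICE_PRINCIPAL="member.org.stacksets.cloudformation.amazonaws.com"

# Mirror the template's AllowedPattern for ZillaIAMReaderRoleName ([-_a-zA-Z0-9]*).
valid_role_name() {
  printf '%s' "$1" | grep -Eq '^[-_a-zA-Z0-9]+$'
}

# Mirror the template's AllowedPattern for ZillaExternalID: alphanumeric plus
# = , . @ : / - _ (and MinLength 1, hence '+'). The hyphen is last so it is literal.
valid_external_id() {
  printf '%s' "$1" | grep -Eq '^[a-zA-Z0-9=,.@:/_-]+$'
}

# Build the --parameters JSON. Validation above guarantees no '"' or '\' can
# reach the JSON, so no escaping is needed. JSON instead of shorthand syntax
# because the ExternalId may legitimately contain a comma.
build_parameters_json() {
  local role_name="$1" external_id="$2"
  valid_role_name "$role_name"     || { echo "invalid role name: $role_name" >&2; return 1; }
  valid_external_id "$external_id" || { echo "invalid ExternalId: $external_id" >&2; return 1; }
  printf '[{"ParameterKey":"ZillaIAMReaderRoleName","ParameterValue":"%s"},{"ParameterKey":"ZillaExternalID","ParameterValue":"%s"},{"ParameterKey":"ZillaAccountId","ParameterValue":"%s"}]' \
    "$role_name" "$external_id" "$ZILLA_ACCOUNT_ID"
}

# Step "Enable CloudFormation StackSets service": trusted access in Organizations.
enable_stacksets_trusted_access() {
  aws organizations enable-aws-service-access \
    --service-principal "$STACKSET_SERVICE_PRINCIPAL"
}

# Console steps 3-5: service-managed StackSet with automatic deployment.
# CAPABILITY_NAMED_IAM is the CLI form of the "custom names" acknowledgement.
create_stackset() {
  aws cloudformation create-stack-set \
    --stack-set-name "$STACKSET_NAME" \
    --template-body "file://$TEMPLATE_FILE" \
    --parameters "$1" \
    --capabilities CAPABILITY_NAMED_IAM \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --region "$REGION"
}

# Console step 6: "Deploy to organization" = target the organization root.
# Note: this never creates a stack instance in the management account itself.
deploy_to_organization() {
  aws cloudformation create-stack-instances \
    --stack-set-name "$STACKSET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$1" \
    --regions "$REGION" \
    --region "$REGION"
}

# Console step 8: poll until no stack instance is in a state other than CURRENT.
wait_for_current() {
  local pending
  while :; do
    pending=$(aws cloudformation list-stack-instances \
      --stack-set-name "$STACKSET_NAME" --region "$REGION" \
      --query "length(Summaries[?Status!='CURRENT'])" --output text)
    [ "$pending" = "0" ] && break
    echo "$pending stack instance(s) not yet CURRENT; waiting..."
    sleep 30
  done
}

main() {
  local role_name="${ROLE_NAME:-Zilla-IAM-Reader-Role}"
  local external_id="${EXTERNAL_ID:?set EXTERNAL_ID to your company domain, e.g. example.com}"
  local root_id="${ORG_ROOT_ID:?set ORG_ROOT_ID (placeholder r-abcd) from 'aws organizations list-roots'}"
  local params
  params=$(build_parameters_json "$role_name" "$external_id")
  enable_stacksets_trusted_access
  create_stackset "$params"
  deploy_to_organization "$root_id"
  wait_for_current
}

# Only deploy when asked explicitly; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
  main
fi
```

Run it as `EXTERNAL_ID=example.com ORG_ROOT_ID=r-abcd sh deploy-zilla-role.sh deploy` from a shell authenticated to the management account; the validation functions can also be sourced and used on their own before touching the console.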
...