Prerequisite
Enable the CloudFormation StackSets service in the AWS Organization management account: log in to the Management Account of your AWS Organization, open the AWS Organizations console, go to the Services tab and enable CloudFormation StackSets.
There are two options to create Zilla-IAM-Reader-Role and Zilla-SSO-Reader-Role in AWS accounts:
- Create the roles using the AWS IAM console by logging in to each Member Account of the AWS Organization, OR
- Create the roles using AWS CloudFormation from the Management Account of the AWS Organization.
Steps to create roles manually using IAM console:
1. Log in to each AWS Member Account and create Zilla-IAM-Reader-Role.
Template for Zilla-IAM-Reader-Role
Save the template below in a file with the extension .yml, for example zilla-iam-reader-role-template.yml.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Zilla IAM Reader Role to sync an aws account'
Parameters:
  ZillaIAMReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-IAM-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-IAM-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaIAMReaderRoleName
      Description: 'IAM Role to allow Zilla AWS account read access to IAM service of this account.'
      # Read-only audit access; no write permissions are granted.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      # Trust policy: only the Zilla account may assume this role, and only
      # when it presents the agreed ExternalId (confused-deputy protection).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub
                - 'arn:aws:iam::${ZillaAWSAccountId}:root'
                - ZillaAWSAccountId: !Ref ZillaAccountId
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaIAMReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaIAMReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla IAM Reader Role ARN
```
Template for Zilla-SSO-Reader-Role
Save the template below in a file with the extension .yml, for example zilla-sso-reader-role-template.yml.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Zilla SSO Reader Role to sync SSO users, groups and permission sets'
Parameters:
  ZillaSSOReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-SSO-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-SSO-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaSSOReaderRoleName
      Description: 'IAM Role to allow Zilla to read SSO Users, Groups and Permission Sets.'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSSSOReadOnly'
      # Trust policy: only the Zilla account may assume this role, and only
      # when it presents the agreed ExternalId (confused-deputy protection).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub
                - 'arn:aws:iam::${ZillaAWSAccountId}:root'
                - ZillaAWSAccountId: !Ref ZillaAccountId
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
      # Inline read-only access to the Identity Store (users and groups).
      Policies:
        - PolicyName: zilla-sso-reader-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                  - identitystore:Describe*
                  - identitystore:List*
    Metadata:
      'AWS::CloudFormation::Designer':
        id: a1259fc6-a6fe-4e2d-af45-7299bdcf7bc8
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaSSOReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaSSOReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla SSO Reader Role ARN
```
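The trust policy shared by both templates above is what limits these roles to the Zilla account, and only when the caller presents the ExternalId. As an added example that is not part of this page or Zilla's own tooling, the following Python audits a deployed role's trust policy (the AssumeRolePolicyDocument JSON that `aws iam get-role` returns) against those two expectations; the ExternalId value example.com is a constructed placeholder for your company domain name.

```python
# Account ID taken from the templates on this page: the only principal the
# reader roles should trust.
ZILLA_ACCOUNT_ID = "087210011007"
EXPECTED_PRINCIPAL = f"arn:aws:iam::{ZILLA_ACCOUNT_ID}:root"


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(policy, expected_external_id):
    """Return findings (empty list means OK) for a role's AssumeRolePolicyDocument
    in the JSON form that `aws iam get-role` returns."""
    findings = []
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # bare "*" principal
            principal = {"AWS": principal}
        for kind in principal:  # Service/Federated principals do not belong here
            if kind != "AWS":
                findings.append(f"unexpected principal type {kind!r}")
        for arn in _as_list(principal.get("AWS")):
            if arn != EXPECTED_PRINCIPAL:
                findings.append(f"unexpected principal {arn!r}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id != expected_external_id:
            findings.append(f"sts:ExternalId is {ext_id!r}, expected {expected_external_id!r}")
    return findings


def rendered_trust_policy(external_id=None):
    """Constructed sample: the trust policy the templates above render, with the
    sts:ExternalId condition omitted when external_id is None."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": EXPECTED_PRINCIPAL},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


if __name__ == "__main__":
    for label, doc in [("ok", rendered_trust_policy("example.com")),
                       ("no ExternalId", rendered_trust_policy())]:
        print(label, audit_trust_policy(doc, "example.com") or "OK")
```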
Follow the steps in AWS - Create an IAM Role for IAM Users, Groups, Roles and Resources to create Zilla-IAM-Reader-Role in each Member Account.
2. Log in to the Management Account of the AWS Organization and create Zilla-IAM-Reader-Role using the steps in AWS - Create an IAM Role for IAM Users, Groups, Roles and Resources.
3. Log in to the Management Account of the AWS Organization and create Zilla-SSO-Reader-Role using the steps in AWS Organization - Create an IAM Role for SSO Users, Groups and Permission Set.
Steps to create roles using CloudFormation:
Log in to the Management Account of your AWS Organization.
1. Create Zilla-IAM-Reader-Role in all Member accounts of the AWS organization using the steps in AWS Organization - AWS CloudFormation For Creating Zilla-IAM-Reader-Role.

Create stack set for Zilla-IAM-Reader-Role
- Log in to the management account of the AWS organization.
- Go to the CloudFormation console and open Stack sets.
- Click Create stack set and select Service-managed permissions.
- Select Template is ready and upload the template file zilla-iam-reader-role-template.yml from local. Give a name to the stack set.
- Update the parameter values: ZillaIAMReaderRoleName should be Zilla-IAM-Reader-Role, ZillaExternalId should be your company domain name, and ZillaAccountId should be 087210011007.
- Select Deploy new stacks and Deploy to organization, and enable Auto-deployment. Select the US East (N. Virginia) region and click Next.
- Review the final details, acknowledge the stack set creation and click Submit.
2. Create Zilla-IAM-Reader-Role in the Management Account of the AWS Organization using the steps in AWS CloudFormation For Creating Zilla-IAM-Reader-Role:
- Go to the CloudFormation console and create a stack.
- Select Template is ready and upload zilla-iam-reader-role-template.yml from local. Give a name to the stack and add the parameter values.
- Review the details and create the stack.
3. Create Zilla-SSO-Reader-Role in the Management Account of the AWS Organization using the steps in AWS CloudFormation For Creating Zilla-SSO-Reader-Role:
- Go to the CloudFormation console and create a stack.
- Select Template is ready and upload the Zilla-SSO-Reader-Role template saved as a .yml file (zilla-sso-reader-role-template.yml) from local. Give a name to the stack and add the parameter values.
- Review the details and create the stack.