Prerequisite

Enable the CloudFormation StackSets service in the AWS Organization management account.

Log in to the Management Account of your AWS Organization, open the AWS Organizations console, go to the Services tab, and enable CloudFormation StackSets.

...

There are two options to create Zilla-IAM-Reader-Role and Zilla-SSO-Reader-Role in AWS accounts.

  1. Create the roles using the AWS IAM console by logging in to each Member Account of the AWS Organization.
    OR

  2. Create the roles using AWS CloudFormation from the Management Account of the AWS Organization.

Steps to create roles manually using the IAM console:

  1. Log in to each AWS Member Account and create Zilla-IAM-Reader-Role

...

Save the template below in a file with the extension .yml, for example zilla-iam-reader-role-template.yml.

AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla IAM Reader Role to sync an aws account'
Parameters:
  ZillaIAMReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-IAM-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-IAM-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaIAMReaderRoleName
      Description: 'IAM Role to allow Zilla AWS account read access to IAM service of this account.'
      # Read-only access: the AWS-managed SecurityAudit policy grants no write permissions.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # Only the Zilla AWS account may assume this role ...
            Principal:
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            # ... and only when it presents the agreed ExternalId (confused-deputy protection).
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaIAMReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaIAMReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla IAM Reader Role ARN

Template for Zilla-SSO-Reader-Role

Save the template below in a file with the extension .yml, for example zilla-sso-reader-role-template.yml.

AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla SSO Reader Role to sync SSO users, groups and permission sets'
Parameters:
  ZillaSSOReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-SSO-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-SSO-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaSSOReaderRoleName
      Description: 'IAM Role to allow Zilla to read SSO Users, Groups and Permission Sets.'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSSSOReadOnly'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # Only the Zilla AWS account may assume this role ...
            Principal:
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            # ... and only when it presents the agreed ExternalId (confused-deputy protection).
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
      # AWSSSOReadOnly does not cover the Identity Store; grant read-only access to it inline.
      Policies:
        - PolicyName: zilla-sso-reader-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                  - identitystore:Describe*
                  - identitystore:List*
    Metadata:
      'AWS::CloudFormation::Designer':
        id: a1259fc6-a6fe-4e2d-af45-7299bdcf7bc8
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaSSOReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaSSOReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla SSO Reader Role ARN
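The trust policy is the security-relevant part of both templates above: the Principal restricts who may assume the role to the Zilla account, and the sts:ExternalId condition blocks confused-deputy calls. The following check, added here and not part of the Zilla page or its templates, parses the trust policy document a deployed role reports and confirms both; the sample document and the example.com ExternalId are constructed, while 087210011007 is the ZillaAccountId default from the templates.

```python
"""Check a Zilla reader role's rendered trust policy against the templates above.
Added example, not Zilla's code: only the Zilla account may assume the role, only via
sts:AssumeRole, and only with the agreed sts:ExternalId (confused-deputy protection).
"""
import json

ZILLA_ACCOUNT_ID = "087210011007"  # ZillaAccountId default from the templates


def check_trust_policy(policy, expected_external_id, zilla_account_id=ZILLA_ACCOUNT_ID):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    expected_principal = f"arn:aws:iam::{zilla_account_id}:root"
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also allows a single statement object
        statements = [statements]
    allow = [s for s in statements if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        findings.append(f"expected exactly one Allow statement, found {len(allow)}")
    for stmt in allow:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws_list = aws if isinstance(aws, list) else [aws]
        if aws_list != [expected_principal]:  # "*" or any other account is a finding
            findings.append(f"unexpected principal {aws_list}")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if set(actions) != {"sts:AssumeRole"}:
            findings.append(f"unexpected actions {actions}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition")
        elif ext != expected_external_id:
            findings.append(f"ExternalId {ext!r} != expected {expected_external_id!r}")
    return findings


# Constructed sample: the document the templates render when ZillaExternalID is example.com.
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ZILLA_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "example.com"}},
}]})

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY, "example.com"))  # []
```

On a real account, pass in the AssumeRolePolicyDocument returned by `aws iam get-role --role-name Zilla-IAM-Reader-Role` (or the SSO role name) together with the ExternalId you configured.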

...

  1. using the steps in AWS - Create an IAM Role for IAM Users, Groups, Roles and Resources

  2. Log in to the Management Account of the AWS Organization and create Zilla-IAM-Reader-Role using the steps in AWS - Create an IAM Role for IAM Users, Groups, Roles and Resources

  3. Log in to the Management Account of the AWS Organization and create Zilla-SSO-Reader-Role using the steps in AWS Organization - Create an IAM Role for SSO Users, Groups and Permission Set

Steps to create roles using CloudFormation:

  1. Log in to the Management Account of your AWS Organization.

  2. Create Zilla-IAM-Reader-Role in all Member accounts of the AWS organization

...

Create stack set for Zilla-IAM-Reader-Role

  1. Log in to the management account of the AWS organization.

  2. Go to the CloudFormation console and open Stack sets.

  3. Click on Create stack set. Select Service-managed permissions.

  4. Select Template is ready. Upload the template file zilla-iam-reader-role-template.yml from local.

  5. Give a name to the stack set.

  6. Update the parameter values.
    ZillaIAMReaderRoleName should be Zilla-IAM-Reader-Role.
    ZillaExternalId should be your company domain name.
    ZillaAccountId should be 087210011007

  7. Select Deploy new stacks, Deploy to organization, Enable Auto-deployment. Select the US East (N. Virginia) Region and click on Next.

  8. Review the final details.

  9. Acknowledge the stack set creation and click on Submit.

...

  3. Create Zilla-IAM-Reader-Role in the Management Account of the AWS Organization using the steps in AWS CloudFormation For Creating Zilla-IAM-Reader-Role

...

  1. Go to the CloudFormation console and choose Create stack.

  2. Select Template is ready and upload zilla-iam-reader-role-template.yml from local.

  3. Give a name to the stack and add the parameter values.

  4. Review the details and create the stack.
  4. Create Zilla-SSO-Reader-Role in the Management Account of the AWS Organization using the steps in AWS CloudFormation For Creating Zilla-SSO-Reader-Role

  1. Go to the CloudFormation console and choose Create stack.

  2. Select Template is ready and upload zilla-sso-reader-role-template.yml from local.

  3. Give a name to the stack and add the parameter values.

  4. Review the details and create the stack.