Template file zilla-iam-reader-role-template.yml:

AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla IAM Reader Role to sync an AWS account'
Parameters:
  ZillaIAMReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-IAM-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-IAM-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    # Region-specific default value for the account ID: US/087210011007, EU/319105906071, ANZ/868976368166
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaIAMReaderRoleName
      Description: 'IAM Role to allow Zilla AWS account read access to IAM service of this account.'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      AssumeRolePolicyDocument:
        # Quoted so the YAML parser keeps the policy version as a string, not a date.
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Only the root of the Zilla account named in ZillaAccountId may assume this role.
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              # The caller must also present the ExternalId chosen at deployment time.
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaIAMReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaIAMReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla IAM Reader Role ARN
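Before a StackSet pushes this role into every account of the organization, a reviewer wants three things confirmed: the trust is limited to a single Zilla account (the one for the chosen region), sts:ExternalId is required and has been changed from the template default to your own domain, and the role carries nothing beyond the read-only SecurityAudit managed policy. The following is an added example, not Zilla's own tooling: it transcribes the template's Parameters and Resources into CloudFormation's JSON long-form syntax (a constructed copy of the YAML above, where !Ref becomes {"Ref": ...} and !Sub becomes {"Fn::Sub": ...}), resolves those intrinsics the way CloudFormation would, and reports each check by name. The region-to-account mapping is the one given in the deployment steps; the names review_trust_policy, resolve and the overrides argument are choices made here.

```python
"""Offline review of the Zilla IAM reader role's trust policy.

Added example, not Zilla's own tooling. It checks the role definition from
the template above (transcribed into CloudFormation's JSON long-form syntax)
for the properties a reviewer wants before deploying it organization-wide.
"""
import json
import re

# Zilla account IDs per region, as listed in the deployment instructions.
ZILLA_ACCOUNT_IDS = {
    "US": "087210011007",
    "EU": "319105906071",
    "ANZ": "868976368166",
}

# Constructed transcription of the template's Parameters and Resources
# sections (YAML short-form intrinsics become {"Ref": ...} / {"Fn::Sub": ...}).
TEMPLATE_JSON = r"""
{
  "Parameters": {
    "ZillaExternalID": {"Type": "String", "Default": "zillasecurity.com"},
    "ZillaAccountId": {"Type": "String", "Default": "087210011007"}
  },
  "Resources": {
    "ZillaIAMRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"],
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${ZillaAccountId}:root"}},
            "Action": ["sts:AssumeRole"],
            "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ZillaExternalID"}}}
          }]
        }
      }
    }
  }
}
"""


def resolve(value, params):
    """Resolve Ref and Fn::Sub (string or [string, map] form) against parameter values."""
    if isinstance(value, dict) and len(value) == 1:
        (key, arg), = value.items()
        if key == "Ref":
            return params[arg]
        if key == "Fn::Sub":
            text, extra = (arg, {}) if isinstance(arg, str) else (arg[0], arg[1])
            scope = {**params, **{k: resolve(v, params) for k, v in extra.items()}}
            return re.sub(r"\$\{([^}]+)\}", lambda m: scope[m.group(1)], text)
    return value


def review_trust_policy(template_text, region, overrides=None):
    """Return named boolean findings for the ZillaIAMRole trust policy.

    `region` selects the expected Zilla account ID; `overrides` stands in for
    the parameter values entered in the StackSet console (hypothetical name).
    """
    tpl = json.loads(template_text)
    params = {n: spec.get("Default") for n, spec in tpl.get("Parameters", {}).items()}
    params.update(overrides or {})
    props = tpl["Resources"]["ZillaIAMRole"]["Properties"]
    statements = props["AssumeRolePolicyDocument"]["Statement"]
    allow = [s for s in statements if s.get("Effect") == "Allow"]
    findings = {"single_allow_statement": len(allow) == 1}
    stmt = allow[0]

    # Trust must name exactly the Zilla account for this region, never a wildcard.
    principal = resolve(stmt["Principal"]["AWS"], params)
    expected = f"arn:aws:iam::{ZILLA_ACCOUNT_IDS[region]}:root"
    findings["principal_is_zilla_account_for_region"] = principal == expected
    findings["principal_not_wildcard"] = "*" not in str(principal)

    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    findings["only_sts_assume_role"] = actions == ["sts:AssumeRole"]

    # An ExternalId must be required, and it must not be the value shipped in the template.
    condition = stmt.get("Condition", {}).get("StringEquals", {})
    external_id = resolve(condition.get("sts:ExternalId"), params)
    findings["external_id_required"] = bool(external_id)
    findings["external_id_not_template_default"] = external_id not in (None, "zillasecurity.com")

    # Permissions: only the read-only SecurityAudit managed policy, no inline policies.
    findings["only_security_audit_policy"] = props.get("ManagedPolicyArns") == [
        "arn:aws:iam::aws:policy/SecurityAudit"]
    findings["no_inline_policies"] = "Policies" not in props
    return findings


if __name__ == "__main__":
    for region in ZILLA_ACCOUNT_IDS:
        result = review_trust_policy(TEMPLATE_JSON, region, {"ZillaExternalID": "example.com"})
        failed = [name for name, ok in result.items() if not ok]
        print(region, failed or "all checks pass")
```

Run it with the region you deploy in and the ExternalId you intend to enter; with the template's default ExternalId left in place, external_id_not_template_default reports False, and with the US default account ID the EU and ANZ regions fail principal_is_zilla_account_for_region, which is the mismatch the ZillaAccountId parameter in step 5 exists to prevent.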


Create a StackSet for Zilla-IAM-Reader-Role

  1. Log in to the Management account of your AWS Organization.

  2. Go to the CloudFormation console and navigate to StackSets.

  3. Click Create StackSet. Select Service-managed permissions.

  4. Select Template is ready. Upload the template file zilla-iam-reader-role-template.yml that you saved locally above. Click Next.

  5. Give the StackSet a name and update the parameter values:
     ZillaIAMReaderRoleName should be Zilla-IAM-Reader-Role.
     ZillaExternalID should be your company's domain name. For example, if your company's domain name is example.com, enter example.com.
     ZillaAccountId should be the Zilla Account ID for your region:

     • US region Account ID: 087210011007

     • EU region Account ID: 319105906071

     • Australia/New Zealand region Account ID: 868976368166

  6. Click Next.

  7. Click Next.

  8. Select Deploy new stacks, Deploy to organization, and enable Automatic deployment. Select ... region and click Next.

  9. Review the final details.

  10. Acknowledge the StackSet creation and click Submit.

  11. Check the status of the StackSet on the Stack instances tab. Wait for the Status column to show CURRENT for each member account.