Prerequisite

Enable trusted access for CloudFormation StackSets in the management account of your AWS Organization.

Log in to the management account of your AWS Organization, open the AWS Organizations console, go to the Services tab, and enable trusted access for CloudFormation StackSets. A stack set with service-managed permissions needs this trusted access to create stacks in member accounts on your behalf.

Template for Zilla-IAM-Reader-Role

Save the template below in a file with the extension .yml, for example zilla-iam-reader-role-template.yml. The template creates one IAM role whose trust policy allows principals in the Zilla AWS account to assume it, and only when they present the ExternalId you choose. The role's permissions come from the AWS managed SecurityAudit policy, which is read-only but covers many services beyond IAM; the DeletionPolicy of Retain means the role stays in the account even if the stack that created it is deleted.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Zilla IAM Reader Role to sync an aws account'
Parameters:
  ZillaIAMReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-IAM-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-IAM-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    # Keep the role in the account even if the stack (or stack instance) is deleted.
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaIAMReaderRoleName
      Description: 'IAM Role to allow Zilla AWS account read access to IAM service of this account.'
      # AWS managed read-only policy. Note that it grants read access to many
      # services, not only IAM.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      # Trust policy: only principals in the Zilla account may assume the role,
      # and only when the AssumeRole call carries the agreed ExternalId.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaIAMReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaIAMReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla IAM Reader Role ARN

Steps To Create Zilla-IAM-Reader-Role in all member accounts of AWS organization

Create stack set for Zilla-IAM-Reader-Role

  1. Log in to the management account of the AWS organization.

  2. Go to the CloudFormation console and open Stack sets.

  3. Click Create stack set and select Service-managed permissions.

  4. Select Template is ready and upload the template file zilla-iam-reader-role-template.yml from your machine.

  5. Give the stack set a name.

  6. Update the parameter values:
     ZillaIAMReaderRoleName should be Zilla-IAM-Reader-Role.
     ZillaExternalID should be your company domain name. Record the value you enter: the Zilla side must present exactly this string in its AssumeRole call, and a value unique to your organization (the parameter's own example, Xoih821ddwf, is a random string) is harder for a third party to guess than a public domain name.
     ZillaAccountId should be 087210011007.

  7. Select Deploy new stacks and Deploy to organization, and enable Auto-deployment so that accounts joining the organization later receive the role automatically. Select only the US East (N. Virginia) region and click Next. IAM roles are global and the template fixes the role name, so deploying the same stack set to a second region would fail in every account with a role-name conflict.

  8. Review the final details.

  9. Acknowledge that CloudFormation may create IAM resources with custom names (this is the CAPABILITY_NAMED_IAM acknowledgement; the template sets RoleName explicitly) and click Submit. A service-managed stack set deploys to member accounts only; the management account itself does not get the role unless you create an ordinary stack from the same template there.
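The same procedure, prerequisite included, driven from the AWS CLI instead of the console. This script is an added example and is not Zilla's code or part of the original page. It assumes AWS CLI v2 configured with credentials for the Organization management account, the template saved as zilla-iam-reader-role-template.yml in the current directory, a stack set name of ZillaIAMReaderRole (an assumed name; pick your own), and that the organization root id (r-xxxx) is obtained from aws organizations list-roots. It also assumes you want a random ExternalId rather than a domain name; set EXTERNAL_ID in the environment to use a value of your choice. Nothing runs until ZILLA_DEPLOY=1 is set; with DRY_RUN=1 the AWS commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not Zilla's code): create the Zilla-IAM-Reader-Role stack set
# from the Organization management account with the AWS CLI.
set -e

TEMPLATE_FILE="${TEMPLATE_FILE:-zilla-iam-reader-role-template.yml}"
STACK_SET_NAME="${STACK_SET_NAME:-ZillaIAMReaderRole}"   # assumed name
ROLE_NAME="Zilla-IAM-Reader-Role"
ZILLA_ACCOUNT_ID="087210011007"   # template default; avoid changing
REGION="us-east-1"                # IAM is global: deploy to exactly one region

# Same character class as the template's AllowedPattern for ZillaExternalID.
EXTERNAL_ID_PATTERN='^[a-zA-Z0-9=,.@:/_-]*$'

# Returns 0 when the candidate satisfies the template's ExternalId
# constraints (non-empty, allowed characters only), 1 otherwise.
validate_external_id() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$1" | grep -Eq "$EXTERNAL_ID_PATTERN"
}

# Generates a 32-character random ExternalId from the allowed alphabet.
# Unlike a public domain name, this value is not guessable by a third party.
generate_external_id() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Runs an AWS CLI command, or prints it on one line when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Prerequisite: trusted access between AWS Organizations and StackSets.
enable_stacksets_trusted_access() {
  run aws cloudformation activate-organizations-access
}

# Steps 3 to 6: the stack set itself, with service-managed permissions.
# CAPABILITY_NAMED_IAM is required because the template sets RoleName.
create_stack_set() {
  external_id="$1"
  validate_external_id "$external_id" || { echo "invalid ExternalId" >&2; return 1; }
  run aws cloudformation create-stack-set \
    --stack-set-name "$STACK_SET_NAME" \
    --template-body "file://$TEMPLATE_FILE" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters \
      "ParameterKey=ZillaIAMReaderRoleName,ParameterValue=$ROLE_NAME" \
      "ParameterKey=ZillaExternalID,ParameterValue=$external_id" \
      "ParameterKey=ZillaAccountId,ParameterValue=$ZILLA_ACCOUNT_ID"
}

# Step 7: deploy to the whole organization (its root OU) in a single region.
create_stack_instances() {
  root_id="$1"
  run aws cloudformation create-stack-instances \
    --stack-set-name "$STACK_SET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$root_id" \
    --regions "$REGION"
}

# Per-account status, including StatusReason for any failed instance.
show_instances() {
  run aws cloudformation list-stack-instances \
    --stack-set-name "$STACK_SET_NAME" \
    --query 'Summaries[].[Account,Region,Status,StatusReason]' --output table
}

if [ "${ZILLA_DEPLOY:-0}" = "1" ]; then
  EXTERNAL_ID="${EXTERNAL_ID:-$(generate_external_id)}"
  echo "ExternalId (record it; the Zilla side must present the same value): $EXTERNAL_ID"
  enable_stacksets_trusted_access
  create_stack_set "$EXTERNAL_ID"
  ROOT_ID="${ROOT_ID:-$(aws organizations list-roots --query 'Roots[0].Id' --output text)}"
  create_stack_instances "$ROOT_ID"
  show_instances
fi
```

Run `ZILLA_DEPLOY=1 DRY_RUN=1 sh deploy-zilla-role.sh` first to see the exact commands, then without DRY_RUN to deploy. After the stack instances reach CURRENT, the ZillaIAMReaderRoleARN output of each member stack is the ARN to hand to Zilla together with the ExternalId.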
