AWS Organization - AWS CloudFormation For Creating Zilla-IAM-Reader-Role In Member Accounts

Prerequisite

Enable CloudFormation StackSets service in AWS Organization management account.

Log into the management account of your AWS Organization, open the AWS Organizations console, go to the Services tab and enable trusted access for CloudFormation StackSets.

Template for Zilla-IAM-Reader-Role

Save the template below to a file with the extension .yml, for example zilla-iam-reader-role-template.yml.

AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla IAM Reader Role to sync an aws account'
Parameters:
  ZillaIAMReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-IAM-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-IAM-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    # region specific default value for account ID: US/087210011007, EU/319105906071, ANZ/868976368166
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaIAMReaderRoleName
      Description: 'IAM Role to allow Zilla AWS account read access to IAM service of this account.'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              # Only the Zilla account root may assume this role, and only with the ExternalId below
              AWS: !Sub
                - 'arn:aws:iam::${ZillaAWSAccountId}:root'
                - ZillaAWSAccountId: !Ref ZillaAccountId
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaIAMReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaIAMReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla IAM Reader Role ARN

Steps To Create Zilla-IAM-Reader-Role in all member accounts of AWS Organization

Create stack set for Zilla-IAM-Reader-Role

  1. Log into the management account of your AWS Organization.

  2. Go to the CloudFormation console and navigate to StackSets.

  3. Click Create StackSet and select Service-managed permissions.

  4. Select Template is ready. Upload the template file zilla-iam-reader-role-template.yml that you saved above. Click Next.

  5. Give the StackSet a name and update the parameter values:
    ZillaIAMReaderRoleName should be Zilla-IAM-Reader-Role.
    ZillaExternalID should be your company's domain name. For example, if your company's domain name is example.com, enter example.com.
    ZillaAccountId should be the Zilla account ID for your region:

    • US region Account ID: 087210011007

    • EU region Account ID: 319105906071

    • Australia/New Zealand region Account ID: 868976368166

  6. Click Next.

  7. Click Next.

  8. Select Deploy new stacks, Deploy to organization, and enable Automatic deployment. Select the region and click Next.

  9. Review the final details.

  10. Acknowledge the StackSet creation and click Submit.

  11. Check the status of the StackSet on the Stack instances tab. Wait for the Status column to show CURRENT for each member account.
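Once the stack instances are CURRENT, it is worth confirming that the role each member account now holds trusts only the Zilla account for your region and still carries the sts:ExternalId condition from the template above. The Python script below is an added example, not part of Zilla's documentation or code: it checks a trust policy document of the shape boto3 returns from iam.get_role against the template, the region keys US/EU/ANZ are an assumed naming, and the sample document is constructed here rather than captured from an account.

```python
"""Check a deployed Zilla-IAM-Reader-Role trust policy against what the
template above should produce. Added example, not Zilla's own code."""
import json

# Region-specific Zilla account IDs from step 5 (region keys are an assumed naming).
ZILLA_ACCOUNT_IDS = {"US": "087210011007", "EU": "319105906071", "ANZ": "868976368166"}
TEMPLATE_DEFAULT_EXTERNAL_ID = "zillasecurity.com"  # the template's Default value


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_zilla_trust_policy(policy, region, expected_external_id):
    """Return findings (empty list = trust policy matches). `policy` is the dict
    boto3 returns as iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]."""
    findings = []
    expected_principal = f"arn:aws:iam::{ZILLA_ACCOUNT_IDS[region]}:root"
    if expected_external_id == TEMPLATE_DEFAULT_EXTERNAL_ID:
        findings.append("ExternalId left at the template default; use your company domain")
    allow = [s for s in _as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if len(allow) != 1:
        findings.append(f"expected exactly one sts:AssumeRole Allow statement, found {len(allow)}")
        return findings
    stmt = allow[0]
    principal = stmt.get("Principal", {})
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if "*" in principals:
        findings.append("wildcard principal: the role is not restricted to the Zilla account")
    elif principals != [expected_principal]:
        findings.append(f"principal {principals} is not the {region} Zilla account {expected_principal}")
    ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
    if ext is None:
        findings.append("no sts:ExternalId condition: confused-deputy protection is missing")
    elif ext != expected_external_id:
        findings.append(f"sts:ExternalId is {ext!r}, expected {expected_external_id!r}")
    return findings


# Constructed sample: what CloudFormation renders from the template above when
# deployed with ZillaExternalID=example.com in the US region.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::087210011007:root"},
                 "Action": ["sts:AssumeRole"],
                 "Condition": {"StringEquals": {"sts:ExternalId": "example.com"}}}]
}""")
```

To use it against a live member account, pass the AssumeRolePolicyDocument from iam.get_role(RoleName="Zilla-IAM-Reader-Role") in place of the sample and the ExternalID you entered in step 5.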