AWS CloudFormation For Creating Zilla-IAM-Reader-Role
Template for Zilla-IAM-Reader-Role
Save the template below in a file with the extension .yml, for example zilla-iam-reader-role-template.yml.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Zilla IAM Reader Role to sync an aws account'
Parameters:
  ZillaIAMReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-IAM-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-IAM-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaIAMReaderRoleName
      Description: 'IAM Role to allow Zilla AWS account read access to IAM service of this account.'
      # Read-only audit permissions; no write access is granted by this role.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      # Trust policy: only the Zilla account may assume the role, and only when it
      # presents the ExternalId configured for this account.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub
                - 'arn:aws:iam::${ZillaAWSAccountId}:root'
                - ZillaAWSAccountId: !Ref ZillaAccountId
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaIAMReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaIAMReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla IAM Reader Role ARN
Create stack for Zilla-IAM-Reader-Role
Go to the CloudFormation console and create a stack: in the Create stack dropdown, click With new resources (standard). Select Template is ready, upload zilla-iam-reader-role-template.yml from your local machine and click Next.
Give the stack a name and set the parameter values:
ZillaIAMReaderRoleName should be Zilla-IAM-Reader-Role.
ZillaExternalID should be your company's domain name. For example, if your company's domain name is acme-corp.com, enter acme-corp.com.
ZillaAccountId should be 087210011007.
Click Next.
Click Next on the Configure stack options page. Review the details and create the stack.
Check the status of the stack: go to the Events tab and wait for the status to become CREATE_COMPLETE.
Go to the IAM console. On the Roles page, search for Zilla-IAM-Reader-Role and copy the Role ARN; you will provide it in the sync settings in Zilla.
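The single-account principal and the sts:ExternalId condition in the template above are what keep this role from being assumed by anyone other than Zilla, so it is worth confirming they survived stack creation. As an added example, not part of Zilla's documentation or template, here is a Python check to run over the trust policy returned by the IAM GetRole API and the role's attached policy list once the stack is CREATE_COMPLETE; the two trust policies embedded below are constructed samples, so the script runs offline.

```python
# Values fixed by the page's template: Zilla account, allowed action, managed policy.
ZILLA_ACCOUNT_ID = "087210011007"
ALLOWED_PRINCIPALS = {f"arn:aws:iam::{ZILLA_ACCOUNT_ID}:root", ZILLA_ACCOUNT_ID}
TEMPLATE_DEFAULT_EXTERNAL_ID = "zillasecurity.com"  # the default you are told to replace
EXPECTED_MANAGED_POLICIES = {"arn:aws:iam::aws:policy/SecurityAudit"}

def _as_list(value):
    """IAM policy JSON allows a scalar wherever a list is permitted; normalise."""
    return [] if value is None else ([value] if isinstance(value, (str, dict)) else list(value))

def check_trust_policy(policy, external_id):
    """Return findings for a role trust policy (empty list = as the template intends)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and set(principal) != {"AWS"}:
            findings.append(f"statement {i}: principal keys {sorted(principal)} are not just AWS")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p not in ALLOWED_PRINCIPALS:
                findings.append(f"statement {i}: principal {p!r} is not the Zilla account")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext == TEMPLATE_DEFAULT_EXTERNAL_ID:
            findings.append(f"statement {i}: ExternalId is still the template default")
        elif ext != external_id:
            findings.append(f"statement {i}: ExternalId differs from the value configured in Zilla")
    return findings

def check_attached_policies(policy_arns):
    """Return any managed policy ARN beyond the read-only SecurityAudit policy."""
    return sorted(set(policy_arns) - EXPECTED_MANAGED_POLICIES)

# Constructed sample: the trust policy GetRole returns for a stack created with
# ZillaExternalID set to acme-corp.com (matches the template above).
GOOD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::087210011007:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "acme-corp.com"}}}]}

# Constructed weak variant: wildcard principal and no ExternalId condition.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
```

Feed it the AssumeRolePolicyDocument from GetRole and the ARNs from ListAttachedRolePolicies for Zilla-IAM-Reader-Role; any non-empty result means the role no longer matches the template.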