Attach a Policy or Policies to a Cross-Account Role

After you have created a policy or policies, follow this procedure to attach them to a cross-account role.


Procedure

  1. From the dashboard, click Roles.

    The Roles page opens.

  2. From the middle of the page, click Create role.

    The Create role page opens.
  3. In the Select type of trusted entity section, click Another AWS account.

    The screen prompts you to add an Account ID value and other options.

    1. Return to your selected account in CloudCheckr.
    2. Select your account from the Accounts List page.
    3. From the left navigation pane, select Account Settings > AWS Credentials.
    4. Click Toggle Manual vs CloudFormation to create a cross-account role manually.
    5. Copy the account ID identified in the instructions.
  4. Paste the account ID from your CloudCheckr account.
  5. In the Options section, select Require external ID (Best practice when a third party will assume this role).

    Information about the external ID displays.

  6. Paste the external ID value from your CloudCheckr account and verify that the Require MFA radio button is not selected.

    1. Return to your selected account in CloudCheckr.
    2. Select your account from the Accounts List page.
    3. From the left navigation pane, select Account Settings > AWS Credentials.
    4. Click Toggle Manual vs CloudFormation to create a cross-account role manually.
    5. Copy the external ID identified in the instructions.
  7. Click Next: Permissions.

    A list of policies displays.
  8. Select the checkbox next to the policy or policies that you just added and click Next: Review.

    The Review page opens.

  9. Type a name for the role, and click Create role.

  10. From the list, click the name of your new role.

    Cross-Account Access is only supported for Standard (Commercial) accounts within CloudCheckr. You cannot change this setting.

    ARN values use this format: arn:aws:iam::YourAccountIDHere:role/CloudCheckrRole.
  11. Click the Copy icon next to the Role ARN.

  12. Select the checkbox if this is an account from India managed by Amazon Internet Services Pvt. Ltd (AISPL).
  13. Paste the Role ARN value in the field.
  14. Click Update.
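As an added example (not CloudCheckr's or AWS's own code): a Python check that reads the trust policy of the role created in steps 3 through 6 and confirms it has the properties this procedure relies on, namely that only the CloudCheckr account can assume it, that sts:ExternalId is required and matches the value copied from CloudCheckr, and that no MFA condition is present (a third-party service cannot satisfy one). The two policy documents, the account ID and the external ID are constructed placeholders, not real values.

```python
import json

# Constructed sample of the trust policy the IAM console generates from steps 3-6
# ("Another AWS account" plus "Require external ID"). Placeholder IDs, not real.
GOOD_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]})

# Constructed weak variant: wildcard principal, no external ID, MFA required.
# Any AWS account could assume it, and CloudCheckr itself could not.
WEAK_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})


def check_trust_policy(policy_json, expected_account_id, expected_external_id):
    """Return a list of findings for a cross-account trust policy; [] means OK."""
    findings = []
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for stmt in stmts:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # Only Allow statements granting sts:AssumeRole matter for trust.
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume the role")
            elif f":{expected_account_id}:" not in p:
                findings.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {})
        ext_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("sts:ExternalId condition missing (confused-deputy protection absent)")
        elif ext_id != expected_external_id:
            findings.append("sts:ExternalId does not match the value CloudCheckr provided")
        if "aws:MultiFactorAuthPresent" in json.dumps(cond):
            findings.append("MFA condition present: a third-party service cannot satisfy it")
    return findings
```

To run this against the real role, pass the AssumeRolePolicyDocument returned by `aws iam get-role --role-name CloudCheckrRole` together with the account ID and external ID shown on CloudCheckr's AWS Credentials page.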