Create a Cross-Account Role Manually

Follow this procedure to learn how to create a cross-account role in the AWS Management Console and add the credentials to CloudCheckr.


  1. Launch the AWS Management Console.

    The AWS services page opens.
  2. Scroll down to the Security, Identity & Compliance section and select IAM.

    The Welcome to Identity and Access Management screen displays.

  3. From the dashboard, click Roles.

    The Roles page opens.

  4. From the middle of the page, click Create role.

    The Create role page opens.
  5. In the Select type of trusted entity section, click Another AWS account.

    The screen prompts you to add an Account ID value and other options.

    1. Return to your selected account in CloudCheckr.
    2. Select your account from the Accounts List page.
    3. From the left navigation pane, select Account Settings > AWS Credentials.

      The Credentials page opens. The Use a Role for Cross-Account Access tab will be displayed by default.
    4. Click Toggle Manual vs CloudFormation to view the instructions on how to create a cross-account role manually.
    5. Copy the account ID identified in the instructions.

  6. Paste the account ID from your CloudCheckr account.
  7. In the Options section, select the Require external ID (Best practice when a third party will assume this role) checkbox.

    Information about the external ID displays.

  8. Paste the external ID value from your CloudCheckr account and verify that the Require MFA radio button is not selected.

    1. Return to the Credentials page in CloudCheckr.
    2. Copy the external ID identified in the instructions.

  9. Click Next: Permissions.

    A list of policies displays.
  10. Select the checkbox associated with the policy you created and click Next: Tags.

    The Add tags (optional) page displays. This is an optional step. For the purposes of this procedure, we will not add tags.
  11. Click Next: Review.
  12. The Review page opens.

  13. Type a name for the role, and click Create role.

    The role is added to the list.
  14. From the list, select the checkbox associated with your new role and click the role name.

    The Summary page for the role opens. At the top of the page, you will see the Role ARN value.

    ARN values use this format: arn:aws:iam::YourAccountIDHere:role/CloudCheckrRole.
    CloudCheckr only supports cross-account access for Standard (Commercial) accounts. You cannot change this setting.
  15. Click the Copy icon next to the Role ARN.

  16. Return to the Credentials page in CloudCheckr, and perform the following actions:
    1. Scroll down to the step that refers to accounts from India.
    2. Select the This account is managed by AISPL checkbox if this is an account from India managed by Amazon Internet Services Pvt. Ltd (AISPL).
    3. Paste the Role ARN value in the AWS Role ARN field.

    4. Click Update.

How did we do?