Create a Cross-Account Role Manually

Prerequisite: If you are preparing your account for the first time, we recommend that you create least privilege policies before you create a cross-account role manually.

Creating a cross-account role manually is an alternative to using the CloudFormation template, which is pre-configured with all of your parameters and permissions. When you create the role manually, nothing is filled in for you: you must attach each least privilege policy to the role yourself, and you must copy the Account ID and External ID from CloudCheckr into the role's trust relationship exactly as shown below.

To create a cross-account role manually:

  • In AWS: you will create a role, attach least privilege policies to your role, and copy the ARN value.
  • In CloudCheckr: you will apply the ARN value to finish credentialing your account with AWS.

Procedure

  1. Perform the following steps in the AWS Management Console:
    1. Log in to the AWS Management Console.

      The AWS services page opens.

    2. Scroll down to the Security, Identity & Compliance section and select IAM.

      The Welcome to Identity and Access Management screen displays.
    3. From the dashboard, click Roles.

      The Roles page opens.
    4. From the middle of the page, click Create role.

      The Create role page opens.

    5. In the Select type of trusted entity section, click Another AWS account.

  2. Copy the Account ID value from CloudCheckr.

    1. Launch CloudCheckr.
    2. Select your account from the Accounts List page. If you have not created a CloudCheckr account, go to the Create an Account in CloudCheckr topic.
    3. From the left navigation pane, select Account Settings > AWS Credentials.

      The Credentials page opens. The Use a Role for Cross-Account Access tab is displayed.

    4. Click Toggle Manual vs CloudFormation to view the instructions on how to create a cross-account role manually.
    5. Copy the account ID.
  3. Return to the AWS Management Console and perform the following steps:
    1. Paste the account ID from CloudCheckr.
    2. In the Options section, select the Require external ID (Best practice when a third party will assume this role) checkbox. The external ID is what protects you from the confused deputy problem: even if another party learns your Role ARN, CloudCheckr will only assume the role when the external ID you paste here is also supplied.
  4. Copy the External ID value from CloudCheckr.

    1. Return to the Credentials page for your selected account in CloudCheckr.
    2. Copy the external ID.
  5. Return to the AWS Management Console and perform the following steps:
    1. Paste the external ID value and verify that the Require MFA checkbox is not selected. CloudCheckr assumes this role programmatically and cannot answer an MFA challenge, so requiring MFA would make every AssumeRole call fail.
    2. Click Next: Permissions.

      A list of policies displays.

    3. Select the checkbox next to each of the least privilege policies you created as a prerequisite, and click Next: Tags.

      The Add tags (optional) page displays. For the purposes of this procedure, we will not add tags.

    4. Click Next: Review.

      The Review page opens.

    5. Type a name for the role, and click Create role.

      The role is added to the list.

    6. From the list, click the name of your new role.

      The Summary page for the role opens. At the top of the page, you will see the Role ARN value.

      ARN values use this format: arn:aws:iam::YourAccountIDHere:role/CloudCheckrRole

      Here YourAccountIDHere is the 12-digit ID of your own AWS account (the account in which you just created the role), not the CloudCheckr account ID you pasted into the trust relationship.

    7. Click the Copy icon next to the Role ARN.

  6. Return to the Credentials page for your selected account and perform the following steps:
    1. Paste the Role ARN value in the AWS Role ARN field.

    2. Click Update.
    If you are preparing your account for the first time:
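The console steps above produce a role trust policy that names CloudCheckr's account as the principal and conditions AssumeRole on the external ID. The following Python (boto3-style) example is added here and is not CloudCheckr's own code: it builds that same trust policy, lints an existing trust policy for the three mistakes the procedure warns about (wrong or wildcard principal, missing or mismatched sts:ExternalId, MFA required), and shows the equivalent API calls to create the role and attach the least privilege policies. The account ID, external ID and policy ARN below are constructed placeholders; the `iam` argument is assumed to be a `boto3.client("iam")`.

```python
"""Build, lint and create the CloudCheckr cross-account role trust policy.

Added example, not CloudCheckr's code. The IDs below are constructed
placeholders: copy the real Account ID and External ID from the CloudCheckr
Credentials page before using this against a real account.
"""
import json
import re

CLOUDCHECKR_ACCOUNT_ID = "123456789012"      # constructed placeholder
EXTERNAL_ID = "constructed-external-id"      # constructed placeholder
ROLE_NAME = "CloudCheckrRole"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def build_trust_policy(account_id, external_id):
    """Trust policy equivalent to 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Yield the account IDs named in a Principal element, or '*' for a wildcard."""
    if principal == "*":
        yield "*"
        return
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*":
            yield "*"
        elif entry.startswith("arn:aws:iam::"):
            yield entry.split(":")[4]          # arn:aws:iam::<account>:root
        else:
            yield entry                        # bare 12-digit account ID form


def lint_trust_policy(doc, account_id, external_id):
    """Return a list of findings; empty means the policy matches the procedure:
    it trusts only CloudCheckr's account, requires the external ID, no MFA."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not {"sts:AssumeRole", "sts:*"} & set(_as_list(stmt.get("Action", []))):
            continue
        for acct in _principal_accounts(stmt.get("Principal", {})):
            if acct == "*":
                findings.append("statement trusts every AWS principal ('*')")
            elif acct != account_id:
                findings.append("statement trusts unexpected account %s" % acct)
        cond = stmt.get("Condition", {})
        got = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId", []))
        if not got:
            findings.append("no sts:ExternalId condition: confused-deputy protection missing")
        elif external_id not in got:
            findings.append("sts:ExternalId does not match the value from CloudCheckr")
        mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if mfa is not None and str(mfa).lower() == "true":
            findings.append("aws:MultiFactorAuthPresent required; a service cannot satisfy it")
    return findings


def create_role(iam, role_name, trust_policy, policy_arns):
    """Create the role and attach each least privilege policy; return the Role ARN.
    `iam` is assumed to be a boto3 IAM client; these are the calls the console makes."""
    resp = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy),
        Description="Cross-account role assumed by CloudCheckr",
    )
    for arn in policy_arns:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    return resp["Role"]["Arn"]


def role_arn_account(arn):
    """Return the account ID embedded in a Role ARN, or None if it is not a role ARN."""
    m = ROLE_ARN_RE.match(arn)
    return m.group(1) if m else None


if __name__ == "__main__":
    policy = build_trust_policy(CLOUDCHECKR_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy, CLOUDCHECKR_ACCOUNT_ID, EXTERNAL_ID))
```

After creating the role in the console you can pull the live trust relationship with `iam.get_role(RoleName=ROLE_NAME)["Role"]["AssumeRolePolicyDocument"]` and pass it to `lint_trust_policy`; an empty findings list confirms the trust relationship matches what CloudCheckr expects before you paste the ARN into the AWS Role ARN field.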
