Create a Cross-Account Role Using CloudFormation – Old Console

AWS has rolled out a new CloudFormation console. If you prefer to use the old console, please follow the instructions in this topic and make sure that you are using the old console in CloudFormation.

A cross-account role allows you to share resources across AWS accounts. Since your cross-account role works globally, you don't need IAM users to sign in and out of accounts to access these resources.

The CloudFormation template is an alternative to creating a cross-account role manually. It is a JSON file pre-configured with all the parameters and provisions you need to access your AWS resources across multiple accounts in your cloud environment. This template allows AWS to standardize permissions across your deployment automatically.

To create a cross-account role using the CloudFormation template, complete these steps:

  • In AWS: use the template to identify the functionality that you want your cross-account role to have access to and locate your role's ARN value.
  • In CloudCheckr: apply the ARN value to credential your cross-account role.


  1. Perform the following steps in the AWS Management Console:
    1. Log in to the AWS Management Console.
    2. From the menu bar, right-click your account name, and select My Billing Dashboard from the fly-out menu.

      The Billing & Cost Management Dashboard opens.

    3. From the dashboard, click Billing Preferences.

      The Preferences page opens.

    4. Verify that the Receive Billing Alerts checkbox is selected. (optional)

  2. Perform the following steps in CloudCheckr:
    1. Launch CloudCheckr.
    2. Select your account from the Accounts List page. If you have not created a CloudCheckr account, go to the Create an Account in CloudCheckr topic.
    3. From the left navigation pane, select Account Settings > AWS Credentials. The Credentials page opens.

      The Use a Role for Cross-Account Access tab displays, and provides instructions on how to use CloudFormation to create your role.
    4. Click the Launch CloudFormation Stack link.

      The Create stack wizard opens in AWS.

      CloudFormation associates your stack with the template URL that contains all the necessary parameters and provisions.

  3. Under Details, type a name for your stack.
    Keep the stack name as short as possible; it gets appended to the Role ARN value later and that value cannot exceed 64 characters.
  4. Scroll down to the Parameters section.

    CloudFormation autopopulates the CloudCheckr Account and CloudCheckr External ID with the values associated with your AWS account.

  5. Under Account Type, leave the default setting, Standard, since you are creating a cross-account role for a commercial account.

  6. Scroll down to the Inventory, Billing, Security, and CloudWatch Flow Logs sections. This is where you will determine which functional areas of CloudCheckr your cross-account role can access:

    • Cost
    • Billing
    • Security/Compliance
    • Inventory
    • CloudTrail
    • CloudWatch Flow Logs
    1. From the InventoryAndUtilization drop-down menu, select True or False to indicate if you want to include Inventory permissions in your stack.
    2. In the Billing section:
      • From the CostPermissions drop-down menu, select True or False to indicate if you want to include the Cost and Billing permissions in your stack.
      • If you are using the DBR: In the BillingBucket field, type the name of your S3 bucket where AWS stores your DBR.
      • If you are using the CUR: In the CurBucket field, type the name of your S3 bucket where AWS stores your CUR.
    3. In the Security section:
      • From the Security drop-down menu, select True or False to indicate if you want to include the Security and CloudTrail permissions in your stack.
      • In the CloudTrail Bucket field, type the name of your S3 bucket where AWS stores your CloudTrail data.
    4. From the CloudWatchFlowLogs drop-down menu, select True or False to indicate if you want to include the CloudWatch Flow Logs permissions in your stack.

  7. Scroll down to the Capabilities section, select the I Acknowledge that AWS CloudFormation might create IAM resources check box, and click Create.

    The next screen displays your stack status, which changes from CREATE_IN_PROGRESS to CREATE_COMPLETE once AWS finishes creating the stack.
  8. Click Resources.

  9. Click the Physical ID link for the IAM role.

    The Summary screen opens.

  10. Locate the Role ARN value at the top of the screen and click the Copy icon.

  11. Return to the Credentials page for your selected account in CloudCheckr and perform the following actions:
    1. Paste the Role ARN value in the AWS Role ARN field.
    2. Click Update.

      You now have a cross-account role that will allow you to access the resources in other AWS accounts based on your selected permissions.

      If you are performing this step as part of your initial account preparation, continue to the next step: Enable Tags for Cost Report.
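
Once the stack is complete, the role's trust policy can be checked against the CloudCheckr Account and CloudCheckr External ID values shown in the Parameters section. The Python below is an added example, not CloudCheckr's or AWS's code; it assumes the template builds the trust policy from those two parameters, and the policy document, account ID and external ID in it are constructed placeholders.

```python
import json

# Constructed trust policy (assumed shape); the account ID and external ID
# are placeholders, not CloudCheckr's real values.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}""")


def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account ID from a bare 12-digit ID or an IAM ARN; None for anything else."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def audit_trust_policy(policy, expected_account, expected_external_id):
    """Return findings for Allow statements that let a caller assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        trusted = principal if isinstance(principal, dict) else {"AWS": principal}
        for kind, values in trusted.items():
            for p in _as_list(values):
                if kind != "AWS" or _account_of(p) != expected_account:
                    findings.append(f"statement {i}: unexpected principal {kind}={p}")
        # Condition keys are case-insensitive, so compare them lowercased.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if _as_list(equals.get("sts:externalid")) != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId condition missing or different")
    return findings
```

An empty result means every statement that allows the role to be assumed names only the expected account and requires the expected external ID.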

    Policy Structure Notes

    The notes below describe the exceptions to our default policy structure.

    CloudCheckr will attempt to ingest data from all of the AWS core features to populate the Cost, Billing, Security, Inventory, and CloudWatch Flow Log reports. Since CloudCheckr must make calls even to those categories where you have not enabled permissions, you will see Unauthorized Access attempts in your CloudTrail logs. These logs are only an indication of the CloudCheckr workflow and in no way reflect an attempt on the part of CloudCheckr to collect unauthorized information from customers.
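
To keep these expected denials from hiding other ones, denied CloudTrail events can be split by caller. The Python below is an added example, not part of CloudCheckr's documentation or tooling; the role ARN and the four CloudTrail records are constructed, and matching errorCode on "AccessDenied" or "Unauthorized" is a heuristic assumed here.

```python
import json
from collections import Counter

# Assumed ARN of the role created by the stack (placeholder account and name).
CLOUDCHECKR_ROLE_ARN = "arn:aws:iam::444455556666:role/cc-CloudCheckrRole"

# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeFlowLogs",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
    {"arn": "arn:aws:iam::444455556666:role/cc-CloudCheckrRole"}}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketEncryption",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
    {"arn": "arn:aws:iam::444455556666:role/cc-CloudCheckrRole"}}}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
    {"arn": "arn:aws:iam::444455556666:role/cc-CloudCheckrRole"}}}},
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser",
    "arn": "arn:aws:iam::444455556666:user/example-user"}}
]""")


def is_denied(record):
    """Heuristic: errorCode values CloudTrail records for authorization failures."""
    code = record.get("errorCode", "")
    return "AccessDenied" in code or "Unauthorized" in code


def caller_arn(record):
    """Role ARN behind an assumed-role session, else the caller's own ARN."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")


def triage_denials(records, role_arn):
    """Split denied calls into those made by the role and those made by anyone else."""
    from_role, others = Counter(), []
    for rec in filter(is_denied, records):
        call = f'{rec.get("eventSource")}:{rec.get("eventName")}'
        if caller_arn(rec) == role_arn:
            from_role[call] += 1
        else:
            others.append((caller_arn(rec), call))
    return from_role, others
```

The first return value counts the denials that come from the CloudCheckr role, grouped by API call; the second lists denied calls from every other identity, which still need review.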

    To help you maintain a secure, least privilege configuration, CloudCheckr's Security/Compliance policy does not include any s3:GetObject permissions. However, you can add the s3:GetObject permission to the following reports:

    • S3 Encryption Details report: enables CloudCheckr to scan your encrypted S3 buckets.

      We recommend restricting this permission to only selected S3 bucket(s).

    • List of VPCs report: enables CloudCheckr to ingest data from the Elastic Beanstalk applications for this report.

      The default Security/Compliance policy will only display 0 as the number of Elastic Beanstalk applications within a VPC.

    As per the latest AWS requirements, CloudCheckr's CloudFormation template and the Inventory policy do not include the s3:GetEncryptionConfiguration permission by default.

    However, without this permission, CloudCheckr cannot get the information it needs to report on the S3 Bucket Without Default Encryption Enabled Best Practice Check (BPC). If you decide not to add this permission to your policy, we recommend that you ignore or disable this BPC to avoid any false negatives.
