Creating AWS Credentials with CloudFormation

CloudCheckr recommends that customers create AWS credentials using CloudFormation.

This procedure shows you how to use CloudFormation to create an cross-account role that will streamline the credential process and ensure your AWS permissions always stay up-to-date.


  1. Log into your AWS Management Console.
  2. Go to the menu bar, right-click your account name, and select My Billing Dashboard from the fly-out menu.

    The Billing & Cost Management Dashboard opens.

  3. From the dashboard, click Preferences.

    The Preferences page opens.
  4. Verify that the Receive Billing Alerts checkbox is selected. (optional)

  5. Perform the following actions in CloudCheckr:
    1. Launch CloudCheckr.
    2. Select your account from the Accounts List page.
    3. From the left navigation pane, select Account Settings > AWS Credentials.

      The Credentials page opens.

      The Use a Role for Cross-Account Access tab displays by default. It contains instructions on how to use CloudFormation to create a cross-account role.

    4. Copy the external ID value from CloudCheckr.

      Click the Launch CloudFormation Stack link to open the CloudFormation template in the AWS Management Console.

      The Select Template screen in the Create stack wizard opens.

      Under the Specify an Amazon S3 template URL, a link to the related template is provided.

  6. Click Next.
    The Specify Details screen opens.
  7. Type a name for your stack and paste the external ID value from CloudCheckr into the corresponding field in CloudFormation.

    Keep the stack name as short as possible; it gets appended to the Role ARN value later in this procedure, and that value cannot exceed 64 characters.
  8. Scroll down to the Parameters section.

    You will notice the following subsections—Inventory, Billing, Security, and CloudWatch Flow Logs—that represent a policy for a core area of CloudCheckr functionality.

  9. For each of the separate policies, select True or False if you want to include that policy in your template.

    1. For Billing, you have two options:
      • If you are using the DBR: type the name of your S3 bucket where your AWS Detailed Billing Report is located.
      • If you are using the CUR: type the name of your S3 bucket where your AWS Detailed Billing Report is located and type the name of your S3 bucket where your AWS Cost and Usage Report is located.
    2. For Security, type the name of your AWS CloudTrail bucket.
  10. Click Next.

    The Options screen opens. This is an optional step. For the purposes of this procedure, we will not modify these options.

  11. Click Next.

    The Review screen opens.

  12. Scroll down to the Capabilities section, select the I Acknowledge that AWS CloudFormation might create IAM resources check box, and click Create.
    A list of stacks displays.
  13. Select your stack name from the list and click the Resources tab.

  14. Click the Physical ID link for the IAM role.

    The Summary screen opens.
  15. Locate the Role ARN value at the top of the screen and click the Copy icon.

  16. Return to the Credentials page in CloudCheckr, and perform the following actions:
    1. Scroll down to the step that refers to accounts from India.
    2. Select the This account is managed by AISPL checkbox if this is an account from India managed by Amazon Internet Services Pvt. Ltd (AISPL).
    3. Paste the Role ARN value in the AWS Role ARN field.

    4. Click Update.

      Your account will now be populated with proper AWS credentials, which Cloudcheckr will continue to update as AWS releases new features.

How did we do?