Creating AWS Credentials with CloudFormation

A cross-account role allows you to share resources from one AWS account with users in other AWS accounts. This means that you do not have to create individual IAM users for each account. Even better—users do not have to sign out of one account and sign into another account to access that account's resources because your cross-account role works globally across your AWS accounts.

The CloudFormation template is an alternative to creating a cross-account role manually. It is a JSON file pre-configured with all the parameters and provisions you need to access your AWS reources across multiple accounts in your cloud environment. Using the template ensures that permissions are standardized across your deployment automatically.

To create a cross-account role using the CloudFormation template, you will need to complete these steps:

  • In AWS: you will use a template to identify the AWS functionality that you want your cross-account role to have access to and locate the ARN value of your new role.
  • In CloudCheckr: you will apply the ARN value to finish credentialing your cross-acount role.


  1. Log into your AWS Management Console.
  2. Go to the menu bar, right-click your account name, and select My Billing Dashboard from the fly-out menu.
    The Billing & Cost Management Dashboard opens.

  3. From the dashboard, click Billing Preferences.

    The Preferences page opens.

  4. Verify that the Receive Billing Alerts checkbox is selected. (optional)

  5. Perform the following actions in CloudCheckr:
    1. Launch CloudCheckr.
    2. Select your account from the Accounts List page.
    3. From the left navigation pane, select Account Settings > AWS Credentials.

      The Credentials page opens.

      The Use a Role for Cross-Account Access tab displays by default. It contains instructions on how to use CloudFormation to create a cross-account role.
  6. Click the Launch CloudFormation Stack link to open the CloudFormation template in the AWS Management Console.

    The Create stack wizard opens.

    CloudFormation associates your stack with the template URL that contains all of the parameters and provisions.

    CloudFormation also autopopulates the CloudCheckr account (ExternalAccount) and CloudCheckr External ID (ExternalID) with the values associated with your AWS account. CloudFormation will use these values to create your cross-account (IAM) role.

  7. Under Details, type a name for your stack.
    Keep the stack name as short as possible; it gets appended to the Role ARN value later in this procedure, and that value cannot exceed 64 characters.
  8. Scroll down to the Parameters section.

    The subsections—Inventory, Billing, Security, and CloudWatch Flow Logs—are associated with the permissions for each core area of functionality within CloudCheckr:

    • Cost
    • Billing
    • Security/Compliance
    • Inventory
    • CloudTrail
    • CloudWatch Flow Logs
  9. In the Inventory subsection: select True or False from the InventoryAndUtilization drop-down menu to indicate if you want the Inventory permissions included in your CloudFormation stack.
  10. In the Billing subsection:
    • Select True or False from the from the CostPermissions drop-down menu to indicate if you want the Cost and Billing permissions included in your CloudFormation stack.
    • If you are using the DBR: In the BillingBucket field, type the name of your S3 bucket where your DBR is stored.
    • If you are using the CUR: In the CurBucket field, type the name of your S3 bucket where your CUR is stored.
  11. In the Security subsection:
    • Select True or False from the from the Security drop-down menu to indicate if you want the Security and CloudTrail permissions included in your CloudFormation stack.
    • In the CloudTrail Bucket field, type the name of your S3 bucket where your CloudTrail data is stored.
  12. In the CloudWatch Flow Logs subsection, select True or False from the from the CloudWatchFlowLogs drop-down menu to indicate if you want the CloudWatch Flow Logs permissions included in your CloudFormation stack.
  13. Scroll down to the Capabilities section, select the I Acknowledge that AWS CloudFormation might create IAM resources check box, and click Create.

    The next screen displays details about your new CloudFormation stack.

    At first, the staus indicates CREATE_IN_PROGRESS but changes to CREATE_COMPLETE once the stack is finalized.

  14. Click Resources.

    Details about your policies and IAM role display.

  15. Click the Physical ID link for the IAM role.

    The Summary screen opens.

  16. Locate the Role ARN value at the top of the screen and click the Copy icon.
  17. Return to the Credentials page in CloudCheckr and perform the following actions:
    1. Scroll down to the step that refers to accounts from India.
    2. Select the This account is managed by AISPL checkbox if this is an account from India managed by Amazon Internet Services Pvt. Ltd (AISPL).
    3. Paste the Role ARN value in the AWS Role ARN field.
    4. Click Update.

      You now have a cross-account role that will allow you to access the resources in other AWS accounts. The functionality you can access depend on which permissions you selected during the creation of your CloudFormation stack.

How did we do?