If you have multiple AWS accounts and wish to aggregate all your account information when running AWS integrations in Oomnitza, you can set up an IAM user role. This role will provide access across all accounts, allowing for a consolidated view of your information.
This guide will walk you through setting up an IAM user role that grants read-only access to multiple AWS accounts. Once created, this IAM role will enable you to aggregate and view information from multiple AWS accounts when you run the following integrations in Oomnitza:
- AWS Elastic Block Store (EBS) snapshot asset load
- AWS EBS volume asset load
- AWS Elastic Compute Cloud (EC2) asset load
- AWS Identity and Access Manager (IAM) user load
- AWS RedShift asset load
- AWS Relational Database Service (RDS) asset load
- AWS Simple Storage Service (S3) asset load
- AWS WorkSpaces asset load
This feature is exclusively for reading AWS-related information across multiple accounts. It does not support write actions. As a result, it is compatible only with the integrations listed above. The cross-account IAM feature does not apply to workflows, such as workflows that create or delete AWS resources, because cross-account functionality is not enabled there.
Follow the steps below to create this AWS IAM user role so that you can aggregate all your account information in Oomnitza.
Account A: Create a user
Create a user in your management console (Account A).
- Go to AWS Services > IAM > Users > Create User.
- Supply the username. We suggest naming the user OomnitzaSTSUser.
- Click Next.
- Select Add user to group.
- Click Next.
- Click Create user.
Account A: Attach policies to the OomnitzaSTSUser
Attach an inline policy to the OomnitzaSTSUser you created in Account A. The policy will enable the OomnitzaSTSUser to assume the role of Account B. You will need to have the ARN of Account B to hand. You can view your ARN or Account ID in the dropdown menu for your profile or in the summary section of a user's profile.
- Click the OomnitzaSTSUser you just created.
- In the Add permissions dropdown, select Create inline policy.
- In the Service search bar, type STS.
- Select Write: Assume Role.
- In the Resources section, select Add ARN.
- For the Other account selection, enter the ARN of Account B.
- Enter the following role name path: OomnitzaSTSRole.
- Click Add ARNs.
- Click Next.
- Give your policy a name, for example, OomnitzaSTSPolicy, and create the policy.
The above policy grants the OomnitzaSTSUser in Account A the ability to assume the OomnitzaSTSRole role in Account B.
Did you know?
As per the AWS guidelines, the maximum character size limit for managed policies is 6,144. To save space, you can list multiple resources in a single policy statement instead of creating one statement per account. Follow the example below:
    "Resource": [
        "arn:aws:iam::<<account_b>>:role/OomnitzaSTSRole",
        "arn:aws:iam::<<account_c>>:role/OomnitzaSTSRole"
    ]
For further information, refer to AWS API Documentation: Specifying multiple resources.
Additional policies
Finally, attach additional policies to the OomnitzaSTSUser to grant it the read permissions the integrations need.
- Open the OomnitzaSTSUser you just created.
- In the Add permissions dropdown, select Add permissions.
- Select Attach policies directly.
- Select AWS managed - job function from the Filter by Type list.
- Select ReadOnlyAccess. ReadOnlyAccess is an AWS managed policy that provides read-only access to AWS services and resources.
- Click Next.
- Click Add permissions.
Note
The AWS ReadOnlyAccess policy includes permissions for many common use cases. For example, it has EC2 ("ec2:Describe*"), AWS WorkSpaces ("workspaces:Describe*") and AWS IAM ("iam:List*") permissions. If the permissions you assign are insufficient, the integration will fail with a 403 permissions error.
The AWS IAM cross-account role can only be used in integrations. It doesn't support API block workflows, so no additional permissions such as create or delete are needed.
Account B: Create a role
Create a role in the account that you would like to connect to, so that the user created above in Account A can be granted access to it.
Make sure that the account that you would like to connect to contains the resources that you will be fetching using the AWS integration, such as EC2 instances or WorkSpaces.
- Log in as an admin to the AWS console in the account that you would like to connect to or harvest information from, i.e. Account B.
- Go to AWS Services > IAM > Roles > Create Role.
- Select AWS Account from the list.
- Choose Another AWS account and enter the ARN of the account in which the user OomnitzaSTSUser was created (Account A).
- Click Next
- Select AWS managed - job function from the Filter by Type list.
- Select ReadOnlyAccess. ReadOnlyAccess is an AWS managed policy that provides read-only access to AWS services and resources.
- Click Next
- Name your role OomnitzaSTSRole. The role must have this same name in every member account.
- Click Create Role.
- Go to your newly created role and click Trust relationships > Edit trust policy.
- In the Principal element, replace the trailing root with user/OomnitzaSTSUser, so that arn:aws:iam::<<account_a>>:root becomes arn:aws:iam::<<account_a>>:user/OomnitzaSTSUser.
The trust policy is now linked to the principal user in Account A. The trust policy defines the principals that you delegate permissions to, or trust to assume the role.
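The following Python is an added example, not Oomnitza's or AWS's own code. It builds the two policy documents this procedure produces: the Account A inline policy with several member accounts under one Resource array (the "Did you know?" example above) and the Account B trust policy with its principal narrowed from root to user/OomnitzaSTSUser; it also measures a policy against the 6,144-character limit the page cites, counting characters the way IAM does (whitespace excluded). All account IDs are constructed placeholders.

```python
import json

# Names used throughout this guide; every account ID in this example is a constructed placeholder.
ROLE_NAME = "OomnitzaSTSRole"
USER_NAME = "OomnitzaSTSUser"
MANAGED_POLICY_LIMIT = 6144  # figure the page cites; inline user policies have a smaller quota, so pass a lower limit for those

def assume_role_policy(member_account_ids):
    """Account A inline policy: sts:AssumeRole on the same-named role in every
    member account, listed under one Resource array instead of one statement each."""
    resources = [f"arn:aws:iam::{acct}:role/{ROLE_NAME}" for acct in member_account_ids]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": resources}]}

def trust_policy(management_account_id):
    """Account B trust policy. The console default trusts the whole account
    (principal ending in ':root'); this narrows it to the single IAM user."""
    principal = f"arn:aws:iam::{management_account_id}:user/{USER_NAME}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": principal},
                           "Action": "sts:AssumeRole"}]}

def policy_size(policy):
    """Size as IAM counts it: characters of the JSON document, whitespace excluded."""
    return len("".join(json.dumps(policy).split()))

def within_limit(policy, limit=MANAGED_POLICY_LIMIT):
    return policy_size(policy) <= limit

def max_member_accounts(limit=MANAGED_POLICY_LIMIT):
    """How many 12-digit member accounts fit in one assume-role policy under the limit."""
    n = 0
    while within_limit(assume_role_policy([f"{i:012d}" for i in range(n + 1)]), limit):
        n += 1
    return n

def trusts_only_named_user(policy):
    """Verify that no ':root' (whole-account) principal survived the trust-policy edit."""
    principals = []
    for stmt in policy["Statement"]:
        aws = stmt.get("Principal", {}).get("AWS", [])
        principals.extend(aws if isinstance(aws, list) else [aws])
    return bool(principals) and all(p.endswith(f":user/{USER_NAME}") for p in principals)
```

Pass the result of assume_role_policy or trust_policy through json.dumps(..., indent=2) to get the document you paste into the console editor.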
Adding your AWS information to Oomnitza
Follow the steps in Adding your AWS credentials to Oomnitza and create the API credentials of the OomnitzaSTSUser that was created.
Then, when creating an AWS integration, select the Enable Cross-Account checkbox to iterate over all AWS accounts with IAM roles. The data received from all iterated roles will be added as one sync session.
Related Documentation
AWS API Documentation: Assume Role
AWS API Documentation: Creating an IAM role
AWS API Documentation: Creating an IAM user
AWS API Documentation: Creating IAM policies
Did you know?
You can also perform this action using the AWS CLI. See AWS Security Blog: How to Use a Single IAM User to Easily Access All Your Accounts by Using the AWS CLI