How to grant cross-account AWS access to Utoolity

You want to grant Utoolity access to your AWS account(s) so that it will be easier to assess configuration details, assist with resp. best practice advise regarding security and cost governance, and of course implement/discuss/optimize the collaboration goals in peering sessions down the road.

Step-by-step guide

This requires an IAM role which (only) Utoolity can assume so that we can gain cross-account access to your AWS account. The IAM role in turn facilitates one or more managed IAM policies to govern which specific permissions are granted. To ease getting started, we will reuse the official arn:aws:iam::aws:policy/job-function/ViewOnlyAccess policy at first and can replace it with something more tailored as we go. To account for the use case at hand, the embedded 'CostAudit' and 'SecurityAudit' policies also need to be enabled via the resp. parameters.

In order to provision this IAM role as infrastructure as code via an AWS CloudFormation template, you'll need to create a CloudFormation stack from our cross-account-access.yaml template with a name of your choosing:

  1. To achieve this, you can either log into the AWS Management Console, switch to the AWS region were you want to create the stack, and then click on this partially pre-configured 

    URL, or you can create a stack manually via one of the following approaches:

    For the manual approach, when asked to "Specify an Amazon S3 template URL" on the console, please reference the URL of our cross-account-access.yaml template.
    For all approaches, please ignore the optional 'External ID' parameter, which is only required for advanced usage scenarios at scale (read more, if you are curious).

  2. Supply the following parameters:

    1. Stack name (rename as you see fit): cross-account-access-utoolity

    2. ID of trusted partner account (ask): <our collaboration account>

    3. (Optional) External ID (ignore):

    4. Grant cost audit permissions (review): true

    5. Grant security audit permissions (review): true

    6. Managed IAM policy ARNs (review): arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

    7. Require MFA (keep): true

  3. Finally you'll also need to acknowledge that the template creates IAM resources.

  4. The stack creates an output 'CrossAccountRoleArn' - please report this back to Utoolity so that we can assume the provisioned role to gain access to your AWS account based on the selected policy (i.e. likely ViewOnlyAccess right now, to be adjusted as we go).