Skip to content
English
Contact us Customer portal Sign in
Visit trustero.com
  • There are no suggestions because the search field is empty.

AWS Receptor: Assume Role - multiple AWS accounts instructions

How to setup the AWS receptor to authenticate using assume role with multiple AWS accounts

This page explains just one of your authentication configuration options. See all options for configuring how the Trustero receptor authenticates to AWS.   

 

These instructions explain how to grant the AWS receptor access to multiple AWS accounts to retrieve evidence using assume role authentication. 

 

Requirements:

You must use AWS organizations with a management account and multiple member accounts.

High-level steps to setup the receptor:

  1. Create the Trustero-CrossAccountRole that is used by the receptor to access the AWS accounts. Pick one of these options:
    1. Automated instructions OR
    2. Manual instructions
  2. Return to the receptor in Trustero and enter the Account Id and an External Id. 

Read on for full details.

Automated Instructions

These instructions use the AWS CLI and CloudFormation to create the trustero-api-user in multiple AWS accounts.

1. Find the management account's ID

Using the AWS CLI:

aws organizations describe-organization --query 'Organization.MasterAccountId' --output text

 

 

2. Create management account's IAM role and policy

When creating the stack from the template below, enter an External ID account ID in the Parameters section and note it down.

CloudFormation template:

{

 "AWSTemplateFormatVersion": "2010-09-09",

 "Description": "Create an IAM role with a trust relationship to Trustero AWS account using external ID.",

 "Parameters": {

   "ExternalId": {

     "Description": "External ID for cross-account access",

     "Type": "String"

   }

 },

 "Resources": {

   "CustomManagedPolicy": {

     "Type": "AWS::IAM::ManagedPolicy",

     "Properties": {

       "ManagedPolicyName": "trustero-crossaccount-policy",

       "PolicyDocument": {

         "Version": "2012-10-17",

         "Statement": [

           {

             "Effect": "Allow",

             "Action": "sts:AssumeRole",

             "Resource": "arn:aws:iam::*:role/Trustero-CrossAccountRole"

           }

         ]

       }

     }

   },

   "TrusteroCrossAccountRole": {

     "Type": "AWS::IAM::Role",

     "Properties": {

       "RoleName": "Trustero-CrossAccountRole",

       "AssumeRolePolicyDocument": {

         "Version": "2012-10-17",

         "Statement": [

           {

             "Effect": "Allow",

             "Principal": {

               "AWS": "arn:aws:iam::706086165682:root"

             },

             "Action": "sts:AssumeRole",

             "Condition": {

               "StringEquals": {

                 "sts:ExternalId": {

                   "Ref": "ExternalId"

                 }

               }

             }

           }

         ]

       },

       "ManagedPolicyArns": [

         {

           "Ref": "CustomManagedPolicy"

         },

         "arn:aws:iam::aws:policy/ReadOnlyAccess"

       ]

     }

   }

 }

}

 

3. Create member account IAM role

(repeat for every member account)

When creating the stack from the template below, enter the management account ID from Step 1 into the ManagementAccountId in the Parameters section.

CloudFormation template:

{

 "AWSTemplateFormatVersion": "2010-09-09",

 "Description": "CloudFormation template to create an IAM role with ReadOnlyAccess for Trustero receptor in the management account.",

 "Parameters": {

   "ManagementAccountId": {

     "Description": "The AWS Account ID of the management account",

     "Type": "String",

     "AllowedPattern": "\\d{12}",

     "ConstraintDescription": "Must be a 12-digit AWS account ID."

   }

  },

 "Resources": {

   "CrossAccountReadOnlyRole": {

     "Type": "AWS::IAM::Role",

     "Properties": {

       "RoleName": "Trustero-CrossAccountRole",

       "AssumeRolePolicyDocument": {

         "Version": "2012-10-17",

         "Statement": [

           {

             "Effect": "Allow",

             "Principal": {

               "AWS": {

                 "Fn::Sub": "arn:aws:iam::${ManagementAccountId}:user/trustero-api-user"

               }

             },

             "Action": "sts:AssumeRole"

           }

         ]

       },

       "ManagedPolicyArns": [

         "arn:aws:iam::aws:policy/ReadOnlyAccess"

       ],

       "Description": "Role to allow cross-account read-only access."

     }

   }

 }

}

 

Return to the receptor in the Trustero application to complete activation. 

Manual Instructions

These instructions guide you through using the AWS web console to provision access to Trustero's receptor into you AWS accounts.

1. Find the management account's ID
  1. Login into the AWS console and at the top right click the name of the organization
  2. The drop down should show the “Account ID”
  3. Save this ID to be used in the following steps

2. Create management account IAM policy
  1. Log into the AWS IAM console
  2. Select “Policies” from the vertical menu column on the left side of the screen 
  3. Click “Create Policy” from the Policies page
  4. From the “Service” drop down type “STS” to filter and select “STS” 
  5. In the “Actions allowed,” search for “AssumeRole” and select the check box for AssumeRole 
  6. Click “Next” to go to “Review and Create” page
  7. Enter “trustero-crossaccount-policy” for the  policy name and click “Create Policy”
  8. From the left side menu click “Policies” 
  9. Search for the “trustero-crossaccount-policy“ and click to show the “Policy Details”
  10. In the “Permissions” tab click “Edit“
  11. In the Json that is presented, change the value for “Resource“ Key to “arn:aws:iam::*:role/Trustero-CrossAccountRole”
  12. Click “Next” to go to “Review and Save” page
  13. Click “Save”

3. Create management IAM role and assign permissions
  1. Select “Roles” from the left side of the screen
  2. Select “Create role”
  3. Select “AWS account”
  4. Select “Another AWS account”
  5. Enter “706086165682” in “Account ID” text box
  6. Select “Require external ID” under “Options”
  7. In the “External ID” enter an external identifier and note down the entry
  8. Select “Next” to move to the next step
  9. On the “Add Permissions” page, in the “Search” box under “Permission policies,” enter “ReadOnlyAccess,” and select “AWS managed - job function” in the type drop down menu to the right of the search box
  10. Scroll to the very bottom of the policy list and select  the “ReadOnlyAccess” policy
  11. In the “Search” box, enter "trustero-crossaccount-policy", and select “Customer managed” in the type drop down menu to the right of the search box
  12. Scroll to select “trustero-crossaccount-policy” 
  13. Select “Next” to go to “Name, review and create” page
  14. In the “Role name”, enter “Trustero-CrossAccountRole”
  15. Click “Create role”

4. Create member account IAM role

(repeat for every member account)
  1. Sign in to the AWS Management Console as an administrator of the member account.
  2. Navigate to IAM service.
  3. Choose “Roles” from the sidebar and then click “Create role.”
  4. Select “AWS account” for the type of trusted entity.
  5. Under “Another AWS account”, enter account id of the root management account from step 1.a above
  6. Select Next to move to the next step
  7. On the “Add Permissions” page, in the search box under Permission policies, enter “ReadOnlyAccess”, and select “AWS managed - job function” in the type drop down menu to the right of the search box
  8. Scroll to the very bottom of the Policy list until you see the “ReadOnlyAccess” policy then select the “ReadOnlyAccess” policy
  9. Enter “Trustero-CrossAccountRole” as the role name.
  10. Review the information, then click “Create role.”

Return to the receptor in the Trustero application to complete activation.