Receptors & Integrations

AWS Receptor: Assume Role - multiple AWS accounts instructions

How to setup the AWS receptor to authenticate using assume role with multiple AWS accounts

This page explains just one of your authentication configuration options. See all options for configuring how the Trustero receptor authenticates to AWS.   

These instructions explain how to grant the AWS receptor access to multiple AWS accounts to retrieve evidence using assume role authentication. 

Requirements:

You must use AWS Organizations with a management account and multiple member accounts.

High-level steps to setup the receptor:

  1. Create the Trustero-CrossAccountRole that the receptor uses to access the AWS accounts. Pick one of these options:
    1. Automated instructions, OR
    2. Manual instructions
  2. Return to the receptor in Trustero and enter the management account ID and the External ID.

Read on for full details.

Automated Instructions

These instructions use the AWS CLI and CloudFormation to create the Trustero-CrossAccountRole in the management account and in each member account.

1. Find the management account's ID

Using the AWS CLI:

aws organizations describe-organization --query 'Organization.MasterAccountId' --output text

2. Create management account's IAM role and policy

When creating the stack from the template below, enter an External ID in the Parameters section and note it down; you will enter the same value into the receptor in Trustero.

CloudFormation template:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create an IAM role with a trust relationship to Trustero AWS account using external ID.",
  "Parameters": {
    "ExternalId": {
      "Description": "External ID for cross-account access",
      "Type": "String"
    }
  },
  "Resources": {
    "CustomManagedPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "ManagedPolicyName": "trustero-crossaccount-policy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::*:role/Trustero-CrossAccountRole"
            }
          ]
        }
      }
    },
    "TrusteroCrossAccountRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "Trustero-CrossAccountRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::706086165682:root"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "ExternalId"
                  }
                }
              }
            }
          ]
        },
        "ManagedPolicyArns": [
          {
            "Ref": "CustomManagedPolicy"
          },
          "arn:aws:iam::aws:policy/ReadOnlyAccess"
        ]
      }
    }
  }
}

3. Create member account IAM role

(repeat for every member account)

When creating the stack from the template below, enter the management account ID from Step 1 as the ManagementAccountId parameter in the Parameters section.

CloudFormation template:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "CloudFormation template to create an IAM role with ReadOnlyAccess for the Trustero receptor, trusted by the management account.",
  "Parameters": {
    "ManagementAccountId": {
      "Description": "The AWS Account ID of the management account",
      "Type": "String",
      "AllowedPattern": "\\d{12}",
      "ConstraintDescription": "Must be a 12-digit AWS account ID."
    }
  },
  "Resources": {
    "CrossAccountReadOnlyRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "Trustero-CrossAccountRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${ManagementAccountId}:user/trustero-api-user"
                }
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/ReadOnlyAccess"
        ],
        "Description": "Role to allow cross-account read-only access."
      }
    }
  }
}

Return to the receptor in the Trustero application to complete activation. 
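Before deploying, it is worth checking that the two templates above carry the properties the role chain depends on. The following is an added example, not Trustero's own tooling: it resolves the stack parameters and lints the management stack for the external-ID condition (the confused-deputy protection) and the scoped sts:AssumeRole resource, and each member stack for a trusted principal inside the management account and nothing beyond ReadOnlyAccess. The condensed template dicts, the 111111111111 management account and the example external ID are constructed.

```python
import re

# Constructed, condensed copies of the two templates on this page (only the fields the checks read);
# deploy the full templates from the steps above, not these.
MANAGEMENT_TEMPLATE = {"Resources": {
    "CustomManagedPolicy": {"Properties": {"PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::*:role/Trustero-CrossAccountRole"}]}}},
    "TrusteroCrossAccountRole": {"Properties": {"AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::706086165682:root"},
         "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}}}]}}}}}
MEMBER_TEMPLATE = {"Resources": {"CrossAccountReadOnlyRole": {"Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${ManagementAccountId}:user/trustero-api-user"}}}]},
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}}}}

def resolve(node, params):
    """Substitute Ref and Fn::Sub intrinsics with stack parameters so policies read as plain JSON."""
    if isinstance(node, dict):
        if list(node) == ["Ref"]:
            return params.get(node["Ref"], node)  # Refs to other resources are left untouched
        if list(node) == ["Fn::Sub"]:
            return re.sub(r"\$\{(\w+)\}", lambda m: params[m.group(1)], node["Fn::Sub"])
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node

def lint_management(template, params):
    """Trust must require the external ID; AssumeRole must be scoped to the named role. [] means OK."""
    res, findings = resolve(template["Resources"], params), []
    for st in res["TrusteroCrossAccountRole"]["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
        if st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != params["ExternalId"]:
            findings.append("trust statement does not require sts:ExternalId")
    for st in res["CustomManagedPolicy"]["Properties"]["PolicyDocument"]["Statement"]:
        if st["Resource"] != "arn:aws:iam::*:role/Trustero-CrossAccountRole":
            findings.append(f"sts:AssumeRole not scoped to Trustero-CrossAccountRole: {st['Resource']}")
    return findings

def lint_member(template, params):
    """Trusted principal must be in the management account from step 1; nothing beyond ReadOnlyAccess."""
    props, findings = resolve(template["Resources"]["CrossAccountReadOnlyRole"]["Properties"], params), []
    for st in props["AssumeRolePolicyDocument"]["Statement"]:
        if not st["Principal"]["AWS"].startswith(f"arn:aws:iam::{params['ManagementAccountId']}:"):
            findings.append(f"trusted principal outside the management account: {st['Principal']['AWS']}")
    extra = sorted(set(props["ManagedPolicyArns"]) - {"arn:aws:iam::aws:policy/ReadOnlyAccess"})
    if extra:
        findings.append(f"member role grants more than ReadOnlyAccess: {extra}")
    return findings
```

Run `lint_management(MANAGEMENT_TEMPLATE, params)` and `lint_member(MEMBER_TEMPLATE, params)` with a `params` dict holding your ExternalId and ManagementAccountId; an empty list from each means the stack matches what these instructions intend.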

Manual Instructions

These instructions guide you through using the AWS web console to provision access for Trustero's receptor in your AWS accounts.

1. Find the management account's ID

  1. Log in to the AWS console and, at the top right, click the name of the organization
  2. The drop-down shows the “Account ID”
  3. Save this ID for use in the following steps

2. Create management account IAM policy

  1. Log in to the AWS IAM console
  2. Select “Policies” from the vertical menu column on the left side of the screen
  3. Click “Create Policy” on the Policies page
  4. In the “Service” drop-down, type “STS” to filter and select “STS”
  5. Under “Actions allowed,” search for “AssumeRole” and select the check box for AssumeRole
  6. Click “Next” to go to the “Review and Create” page
  7. Enter “trustero-crossaccount-policy” as the policy name and click “Create Policy”
  8. From the left side menu, click “Policies”
  9. Search for “trustero-crossaccount-policy” and click it to show the “Policy Details”
  10. In the “Permissions” tab, click “Edit”
  11. In the JSON that is presented, change the value of the “Resource” key to “arn:aws:iam::*:role/Trustero-CrossAccountRole”
  12. Click “Next” to go to the “Review and Save” page
  13. Click “Save”

3. Create management IAM role and assign permissions

  1. Select “Roles” from the left side of the screen
  2. Select “Create role”
  3. Select “AWS account”
  4. Select “Another AWS account”
  5. Enter “706086165682” in the “Account ID” text box
  6. Select “Require external ID” under “Options”
  7. In “External ID”, enter an external identifier and note down the entry
  8. Select “Next” to move to the next step
  9. On the “Add Permissions” page, in the “Search” box under “Permission policies”, enter “ReadOnlyAccess” and select “AWS managed - job function” in the type drop-down menu to the right of the search box
  10. Scroll to the very bottom of the policy list and select the “ReadOnlyAccess” policy
  11. In the “Search” box, enter “trustero-crossaccount-policy” and select “Customer managed” in the type drop-down menu to the right of the search box
  12. Scroll to select “trustero-crossaccount-policy”
  13. Select “Next” to go to the “Name, review and create” page
  14. In “Role name”, enter “Trustero-CrossAccountRole”
  15. Click “Create role”

4. Create member account IAM role

(repeat for every member account)

  1. Sign in to the AWS Management Console as an administrator of the member account.
  2. Navigate to the IAM service.
  3. Choose “Roles” from the sidebar and then click “Create role.”
  4. Select “AWS account” as the type of trusted entity.
  5. Under “Another AWS account”, enter the Account ID of the management account from step 1 above
  6. Select “Next” to move to the next step
  7. On the “Add Permissions” page, in the search box under Permission policies, enter “ReadOnlyAccess” and select “AWS managed - job function” in the type drop-down menu to the right of the search box
  8. Scroll to the very bottom of the policy list until you see the “ReadOnlyAccess” policy, then select it
  9. Enter “Trustero-CrossAccountRole” as the role name.
  10. Review the information, then click “Create role.”

Return to the receptor in the Trustero application to complete activation.