Receptors & Integrations

AWS Receptor: Assume Role - single AWS account instructions

How to setup the AWS receptor to authenticate using assume role with a single AWS account

This page explains just one of your authentication configuration options. See all options for configuring how the Trustero receptor authenticates to AWS.

These instructions explain how to grant the AWS receptor access to a single AWS account to retrieve evidence using assume role authentication.

High-level steps to set up the receptor:

  1. Create the Trustero-CrossAccountRole that the receptor assumes to access your AWS account. Pick one of these options:
    1. Automated instructions OR
    2. Manual instructions
  2. Return to the receptor in Trustero and enter the Account ID and the External ID you chose when creating the role.

Read on for full details.

Automated Instructions

These instructions use the AWS CLI and CloudFormation to create the Trustero-CrossAccountRole.

1. Find the AWS account ID

Using the AWS CLI, with credentials for the account the receptor will read from:

aws sts get-caller-identity --query 'Account' --output text

Note that `aws organizations describe-organization --query 'Organization.MasterAccountId' --output text` returns the management account of your AWS Organization, which is only the account you want when that is the account being onboarded, and it fails for accounts that are not part of an organization. `get-caller-identity` always reports the account your current credentials belong to.

2. Create IAM role and policy

When creating the stack from the template below, enter an External ID in the Parameters section and note it down. Use a random, hard-to-guess value (for example 32 hex characters): the External ID is not a secret, but it is the condition that stops a third party from pointing Trustero's AWS account at your role (the confused-deputy problem). Because the template sets RoleName and ManagedPolicyName, the stack must be created with the CAPABILITY_NAMED_IAM capability, e.g. `aws cloudformation deploy --template-file template.json --stack-name trustero-receptor --parameter-overrides ExternalId=<your-external-id> --capabilities CAPABILITY_NAMED_IAM`.

CloudFormation template:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create an IAM role with a trust relationship to the Trustero AWS account using an external ID.",
  "Parameters": {
    "ExternalId": {
      "Description": "External ID for cross-account access",
      "Type": "String"
    }
  },
  "Resources": {
    "CustomManagedPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "ManagedPolicyName": "trustero-crossaccount-policy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::*:role/Trustero-CrossAccountRole"
            }
          ]
        }
      }
    },
    "TrusteroCrossAccountRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "Trustero-CrossAccountRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::706086165682:root"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "ExternalId"
                  }
                }
              }
            }
          ]
        },
        "ManagedPolicyArns": [
          {
            "Ref": "CustomManagedPolicy"
          },
          "arn:aws:iam::aws:policy/ReadOnlyAccess"
        ]
      }
    }
  }
}

The trust policy only allows principals in Trustero's account (706086165682) to assume the role, and only when they present the External ID you chose. The role's permissions are the AWS managed ReadOnlyAccess policy plus sts:AssumeRole on roles of the same name, which is only exercised when additional accounts are onboarded.

Return to the receptor in the Trustero application to complete activation. 

Manual Instructions

These instructions guide you through using the AWS web console to grant Trustero's receptor access to your AWS account.

1. Find the AWS account ID

  1. Log in to the AWS console and, at the top right, click your account name to open the account menu
  2. The drop-down shows the "Account ID"
  3. Save this ID to be used in the following steps

2. Create the IAM policy

  1. Log in to the AWS IAM console
  2. Select "Policies" from the vertical menu on the left side of the screen
  3. Click "Create policy" on the Policies page
  4. In the "Service" drop-down type "STS" to filter and select "STS"
  5. Under "Actions allowed," search for "AssumeRole" and select the check box for AssumeRole
  6. Click "Next" to go to the "Review and create" page
  7. Enter "trustero-crossaccount-policy" for the policy name and click "Create policy"
  8. From the left side menu click "Policies"
  9. Search for "trustero-crossaccount-policy" and click it to show the "Policy details"
  10. On the "Permissions" tab click "Edit"
  11. In the JSON that is presented, change the value of the "Resource" key to "arn:aws:iam::*:role/Trustero-CrossAccountRole" (so the policy no longer grants AssumeRole on every role)
  12. Click "Next" to go to the "Review and save" page
  13. Click "Save"

3. Create IAM role and assign permissions

  1. Select "Roles" from the left side of the screen
  2. Select "Create role"
  3. Select "AWS account"
  4. Select "Another AWS account"
  5. Enter "706086165682" (Trustero's AWS account) in the "Account ID" text box
  6. Select "Require external ID" under "Options"
  7. In the "External ID" field enter a random, hard-to-guess identifier and note it down; it is the value you will enter in Trustero, and it is what prevents a third party from directing Trustero's account at your role
  8. Select "Next" to move to the next step
  9. On the "Add permissions" page, in the "Search" box under "Permissions policies," enter "ReadOnlyAccess" and select "AWS managed - job function" in the type drop-down menu to the right of the search box
  10. Scroll to the very bottom of the policy list and select the "ReadOnlyAccess" policy
  11. In the "Search" box, enter "trustero-crossaccount-policy" and select "Customer managed" in the type drop-down menu to the right of the search box
  12. Select "trustero-crossaccount-policy"
  13. Select "Next" to go to the "Name, review, and create" page
  14. In "Role name", enter "Trustero-CrossAccountRole"
  15. Click "Create role"

Return to the receptor in the Trustero application to complete activation.
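Whichever path you used, automated or manual, it is worth checking the role's trust policy before activating the receptor. The Python below is an added example, not Trustero's code: it renders the trust policy from the CloudFormation template above with a freshly generated External ID and lints it for the properties this page relies on (the only trusted principal is Trustero's account 706086165682, an sts:ExternalId condition is present and matches the value you will enter in Trustero, and no wildcard principal). The same lint_trust_policy function can be run on the document returned by `aws iam get-role --role-name Trustero-CrossAccountRole --query Role.AssumeRolePolicyDocument` after the console steps. The new_external_id helper and the 16-character minimum it enforces are this example's choices, not a Trustero or AWS requirement.

```python
import json
import secrets

# Trustero's AWS account, as used in the template and console steps on this page.
TRUSTERO_ACCOUNT = "706086165682"

# AssumeRolePolicyDocument copied from the CloudFormation template above;
# {"Ref": "ExternalId"} is resolved by render_trust_policy() as CloudFormation would.
TEMPLATE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{TRUSTERO_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}},
        }
    ],
}


def new_external_id():
    """128 random bits, hex-encoded (32 chars). This helper is the example's own choice.
    The External ID is not a secret, but it must be unguessable: it is what stops a
    third party from pointing Trustero's account at your role (confused deputy)."""
    return secrets.token_hex(16)


def render_trust_policy(external_id, template=TEMPLATE_TRUST_POLICY):
    """Substitute the ExternalId parameter into the template's trust policy."""
    def resolve(node):
        if isinstance(node, dict):
            if node == {"Ref": "ExternalId"}:
                return external_id
            return {k: resolve(v) for k, v in node.items()}
        if isinstance(node, list):
            return [resolve(v) for v in node]
        return node
    return resolve(template)


def _as_list(value):
    # IAM allows a bare string or a list for Action and Principal.AWS.
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(policy, expected_external_id, trusted_account=TRUSTERO_ACCOUNT):
    """Return a list of findings; an empty list means the policy matches this page.
    Accepts the rendered template or the JSON from `aws iam get-role`."""
    findings = []
    if len(expected_external_id) < 16:  # this example's threshold, not an AWS limit
        findings.append("external ID is shorter than 16 characters; use a random value")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        findings.append("trust policy has no statements")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # not an assume-role grant
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
            continue
        aws_principals = principal.get("AWS") if isinstance(principal, dict) else None
        for p in _as_list(aws_principals):
            # "arn:aws:iam::<account>:root" -> account is the 5th colon-separated field.
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account != trusted_account:
                findings.append(f"statement {i}: untrusted principal {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = condition.get("sts:ExternalId")
        if external_id is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif external_id != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the value entered in Trustero")
    return findings


if __name__ == "__main__":
    external_id = new_external_id()
    policy = render_trust_policy(external_id)
    print("External ID to enter in Trustero:", external_id)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy, external_id) or "none")
    # Constructed weakened variant: the external-ID condition was removed.
    weakened = render_trust_policy(external_id)
    del weakened["Statement"][0]["Condition"]
    print("weakened policy findings:", lint_trust_policy(weakened, external_id))
```

To check a deployed role, pipe `aws iam get-role --role-name Trustero-CrossAccountRole --query Role.AssumeRolePolicyDocument --output json` into `json.load` and pass the result to lint_trust_policy together with the External ID you entered in Trustero; any finding means the role does not match the configuration described on this page.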