Skip to content
English
Contact us Customer portal Sign in
Visit trustero.com
  • There are no suggestions because the search field is empty.

AWS Receptor: IAM User - multiple AWS accounts instructions

How to setup the AWS receptor to authenticate using an IAM user with multiple AWS accounts

This page explains just one of your authentication configuration options. See all options for configuring how the Trustero receptor authenticates to AWS.   

 

These instructions explain how to grant the AWS receptor access to multiple AWS accounts to retrieve evidence using an IAM user authentication. 

 

Requirements:

  • You must use AWS organizations with a management account and multiple member accounts.
  • If you don't use AWS organizations with a management account and member accounts or you prefer to use multiple receptors, you can setup a receptor per account: AWS Receptor: Single Account Access Instructions.

High-level steps to setup the receptor:

  1. Create the trustero-api-user that is used by the receptor to access the AWS accounts. Pick one of these options:
    1. Automated instructions OR
    2. Manual instructions
  2. Return to the receptor in Trustero and enter the Access Key Id and Secret Access Key created in step 1. 

    Read on for full details.

     

    Automated Instructions

    These instructions use the AWS CLI and CloudFormation to create the trustero-api-user in multiple AWS accounts.

    1. Find the management account's ID

    Using the AWS CLI:

    aws organizations describe-organization --query 'Organization.MasterAccountId' --output text

     

    2. Create management account's IAM user and policy

    CloudFormation template:

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Create an IAM user and attach custom and AWS managed policies.",
      "Resources": {
        "CustomManagedPolicy": {
          "Type": "AWS::IAM::ManagedPolicy",
          "Properties": {
            "ManagedPolicyName": "trustero-crossaccount-policy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "arn:aws:iam::*:role/Trustero-CrossAccountRole"
                }
              ]
            }
          }
        },

        "IAMUser": {
          "Type": "AWS::IAM::User",
          "Properties": {
            "UserName": "trustero-api-user",
            "ManagedPolicyArns": [
              {
                "Ref": "CustomManagedPolicy"
              },
              "arn:aws:iam::aws:policy/ReadOnlyAccess"
            ]
          }
        }
      }
    }

    3. Create member account IAM role

    (repeat for every member account)

    When creating the stack from the template below, enter the management account ID from Step 1 into the ManagementAccountId in the Parameters section.

    CloudFormation template:

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "CloudFormation template to create an IAM role with ReadOnlyAccess for Trustero receptor in the management account.",
      "Parameters": {
        "ManagementAccountId": {
          "Description": "The AWS Account ID of the management account",
          "Type": "String",
          "AllowedPattern": "\\d{12}",
          "ConstraintDescription": "Must be a 12-digit AWS account ID."
        }
      },

      "Resources": {
        "CrossAccountReadOnlyRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "RoleName": "Trustero-CrossAccountRole",
            "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": {
                      "Fn::Sub": "arn:aws:iam::${ManagementAccountId}:user/trustero-api-user"
                    }
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            },
            "ManagedPolicyArns": [
              "arn:aws:iam::aws:policy/ReadOnlyAccess"
            ],
            "Description": "Role to allow cross-account read-only access."
          }
        }
      }
    }
    4. Create management account user's security credentials

    Using the AWS CLI:

    aws iam create-access-key --user-name trustero-api-user
    Save the Access key ID and the Secret access key so you can provide it to the receptor.

    Return to the receptor in the Trustero application to complete activation. 

     

    Manual Instructions

    These instructions guide you through using the AWS web console to provision access to Trustero's receptor into you AWS accounts.

    1. Find the management account's ID
    1. Login into the AWS console and at the top right click the name of the organization
    2. The drop down should show the “Account ID”
    3. Save this ID to be used in the following steps
    2. Create management account IAM policy
    1. Log into the AWS IAM console
    2. Select “Policies” from the vertical menu column on the left side of the screen 
    3. Click “Create Policy” from the Policies page
    4. From the “Service” drop down type “STS” to filter and select “STS” 
    5. In the “Actions allowed,” search for “AssumeRole” and select the check box for AssumeRole 
    6. Click “Next” to go to “Review and Create” page
    7. Enter “trustero-crossaccount-policy” for the  policy name and click “Create Policy”
    8. From the left side menu click “Policies” 
    9. Search for the “trustero-crossaccount-policy“ and click to show the “Policy Details”
    10. In the “Permissions” tab click “Edit“
    11. In the Json that is presented, change the value for “Resource“ Key to “arn:aws:iam::*:role/Trustero-CrossAccountRole”
    12. Click “Next” to go to “Review and Save” page
    13. Click “Save”
    3. Create management IAM user and assign permissions
    1. Select “Users” from the left side of the screen
    2. Select “Add User”
    3. Enter “trustero-api-user” in the “User name” field
    4. Select “Next” to move to the next step
    5. On the “Permissions” page, select “Attach existing policies directly”
    6. In the “Search” box under “Permission policies,” enter “ReadOnlyAccess,” and select “AWS managed - job function” in the type drop down menu to the right of the search box
    7. Scroll to the very bottom of the policy list and select  the “ReadOnlyAccess” policy
    8. In the “Search” box, enter "trustero-crossaccount-policy", and select “Customer managed” in the type drop down menu to the right of the search box
    9. Scroll to select “trustero-crossaccount-policy” 
    10. Select “Next” to go to “Review and Create” page
    11. Select “Create User”
    12. You should be redirected back to the user list page

    4. Create member account IAM role

    (repeat for every member account)
    1. Sign in to the AWS Management Console as an administrator of the member account.
    2. Navigate to IAM service.
    3. Choose “Roles” from the sidebar and then click “Create role.”
    4. Select “AWS account” for the type of trusted entity.
    5. Under “Another AWS account”, enter account id of the root management account from step 1.a above
    6. Select Next to move to the next step
    7. On the “Add Permissions” page, in the search box under Permission policies, enter “ReadOnlyAccess”, and select “AWS managed - job function” in the type drop down menu to the right of the search box
    8. Scroll to the very bottom of the Policy list until you see the “ReadOnlyAccess” policy then select the “ReadOnlyAccess” policy
    9. Enter “Trustero-CrossAccountRole” as the role name.
    10. Review the information, then click “Create role.”
    11. Open the newly created role by clicking on “Trustero-CrossAccountRole”
    12.  Go to “Trust Relationships” and click “Edit Trust Policy” 
    13. In the JSON shown under “Trusted Entities,” under “Principal” change the value of “AWS” key to read, like the below example (replace 123456789012 with the management account id). Example: 

    “AWS": “arn:aws:iam::123456789012:user/trustero-api-user” 
    5. Create management account user's security credentials
    1. Select the “trustero-api-user” user from the IAM users list page
    2.  Select the “Security credentials” tab
    3.  Select “Create access key”
    4.  Select “Third-party service,” and check the box for “I understand the above recommendation and want to proceed to create an access key.”
    5.  Select “Next” and enter a description for the key.
    6. Select “Create access key”
    7. Save the Access key ID and the Secret access key so you can provide it to the receptor

    Return to the receptor in the Trustero application to complete activation.