AWS Receptor: IAM User - multiple AWS accounts instructions

How to setup the AWS receptor to authenticate using an IAM user with multiple AWS accounts

This page explains just one of your authentication configuration options. See all options for configuring how the Trustero receptor authenticates to AWS.   

These instructions explain how to grant the AWS receptor access to multiple AWS accounts so it can retrieve evidence using IAM user authentication.

Requirements:

  • You must use AWS Organizations with a management account and multiple member accounts.
  • If you don't use AWS Organizations with a management account and member accounts, or you prefer to use multiple receptors, you can set up one receptor per account: AWS Receptor: Single Account Access Instructions.

High-level steps to set up the receptor:

  1. Create the trustero-api-user that the receptor uses to access the AWS accounts. Pick one of these options:
    1. Automated instructions, OR
    2. Manual instructions
  2. Return to the receptor in Trustero and enter the Access Key ID and Secret Access Key created in step 1.

Read on for full details.

Automated Instructions

These instructions use the AWS CLI and CloudFormation to create the trustero-api-user in multiple AWS accounts.

1. Find the management account's ID

Using the AWS CLI:

    aws organizations describe-organization --query 'Organization.MasterAccountId' --output text

2. Create management account's IAM user and policy

CloudFormation template:

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Create an IAM user and attach custom and AWS managed policies.",
      "Resources": {
        "CustomManagedPolicy": {
          "Type": "AWS::IAM::ManagedPolicy",
          "Properties": {
            "ManagedPolicyName": "trustero-crossaccount-policy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "arn:aws:iam::*:role/Trustero-CrossAccountRole"
                }
              ]
            }
          }
        },
        "IAMUser": {
          "Type": "AWS::IAM::User",
          "Properties": {
            "UserName": "trustero-api-user",
            "ManagedPolicyArns": [
              { "Ref": "CustomManagedPolicy" },
              "arn:aws:iam::aws:policy/ReadOnlyAccess"
            ]
          }
        }
      }
    }

3. Create member account IAM role

(repeat for every member account)

When creating the stack from the template below, enter the management account ID from step 1 as the value of the ManagementAccountId parameter in the Parameters section.

CloudFormation template:

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Create an IAM role with ReadOnlyAccess in a member account for the Trustero receptor.",
      "Parameters": {
        "ManagementAccountId": {
          "Description": "The AWS Account ID of the management account",
          "Type": "String",
          "AllowedPattern": "\\d{12}",
          "ConstraintDescription": "Must be a 12-digit AWS account ID."
        }
      },
      "Resources": {
        "CrossAccountReadOnlyRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "RoleName": "Trustero-CrossAccountRole",
            "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": {
                      "Fn::Sub": "arn:aws:iam::${ManagementAccountId}:user/trustero-api-user"
                    }
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            },
            "ManagedPolicyArns": [
              "arn:aws:iam::aws:policy/ReadOnlyAccess"
            ],
            "Description": "Role to allow cross-account read-only access."
          }
        }
      }
    }

4. Create management account user's security credentials

Using the AWS CLI:

    aws iam create-access-key --user-name trustero-api-user

Save the Access key ID and the Secret access key so you can provide them to the receptor.

Return to the receptor in the Trustero application to complete activation.

Manual Instructions

These instructions guide you through using the AWS web console to provision access for Trustero's receptor in your AWS accounts.

1. Find the management account's ID

  1. Log in to the AWS console and, at the top right, click the name of the organization.
  2. The drop-down shows the “Account ID”.
  3. Save this ID; it is used in the following steps.

2. Create management account IAM policy

  1. Log in to the AWS IAM console.
  2. Select “Policies” from the vertical menu on the left side of the screen.
  3. Click “Create Policy” on the Policies page.
  4. In the “Service” drop-down, type “STS” to filter and select “STS”.
  5. Under “Actions allowed”, search for “AssumeRole” and select the check box for AssumeRole.
  6. Click “Next” to go to the “Review and Create” page.
  7. Enter “trustero-crossaccount-policy” for the policy name and click “Create Policy”.
  8. From the left side menu click “Policies”.
  9. Search for “trustero-crossaccount-policy” and click it to show the “Policy Details”.
  10. In the “Permissions” tab click “Edit”.
  11. In the JSON that is presented, change the value of the “Resource” key to “arn:aws:iam::*:role/Trustero-CrossAccountRole”.
  12. Click “Next” to go to the “Review and Save” page.
  13. Click “Save”.

3. Create management IAM user and assign permissions

  1. Select “Users” from the left side of the screen.
  2. Select “Add User”.
  3. Enter “trustero-api-user” in the “User name” field.
  4. Select “Next” to move to the next step.
  5. On the “Permissions” page, select “Attach existing policies directly”.
  6. In the “Search” box under “Permission policies”, enter “ReadOnlyAccess” and select “AWS managed - job function” in the type drop-down menu to the right of the search box.
  7. Scroll to the very bottom of the policy list and select the “ReadOnlyAccess” policy.
  8. In the “Search” box, enter “trustero-crossaccount-policy” and select “Customer managed” in the type drop-down menu to the right of the search box.
  9. Scroll to select “trustero-crossaccount-policy”.
  10. Select “Next” to go to the “Review and Create” page.
  11. Select “Create User”.
  12. You should be redirected back to the user list page.

4. Create member account IAM role

(repeat for every member account)

  1. Sign in to the AWS Management Console as an administrator of the member account.
  2. Navigate to the IAM service.
  3. Choose “Roles” from the sidebar and then click “Create role”.
  4. Select “AWS account” for the type of trusted entity.
  5. Under “Another AWS account”, enter the account ID of the management account saved in step 1 above.
  6. Select “Next” to move to the next step.
  7. On the “Add Permissions” page, in the search box under Permission policies, enter “ReadOnlyAccess” and select “AWS managed - job function” in the type drop-down menu to the right of the search box.
  8. Scroll to the very bottom of the policy list until you see the “ReadOnlyAccess” policy, then select it.
  9. Enter “Trustero-CrossAccountRole” as the role name.
  10. Review the information, then click “Create role”.
  11. Open the newly created role by clicking “Trustero-CrossAccountRole”.
  12. Go to “Trust Relationships” and click “Edit Trust Policy”.
  13. In the JSON shown under “Trusted Entities”, under “Principal”, change the value of the “AWS” key to the management account's trustero-api-user, as in the example below (replace 123456789012 with the management account ID):

    "AWS": "arn:aws:iam::123456789012:user/trustero-api-user"

5. Create management account user's security credentials

  1. Select the “trustero-api-user” user from the IAM users list page.
  2. Select the “Security credentials” tab.
  3. Select “Create access key”.
  4. Select “Third-party service”, and check the box for “I understand the above recommendation and want to proceed to create an access key.”
  5. Select “Next” and enter a description for the key.
  6. Select “Create access key”.
  7. Save the Access key ID and the Secret access key so you can provide them to the receptor.

Return to the receptor in the Trustero application to complete activation.
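As an added example (not Trustero's code and not part of the original page), the following Python script checks the result of either the automated or the manual instructions above: it mirrors the member template's 12-digit account-ID constraint, builds the ARNs that the management policy and the member roles rely on, and audits a member role's trust policy for drift away from "only the management account's trustero-api-user may assume this role". The two sample trust policies are constructed; 123456789012 is the same placeholder the manual steps use; and the live_check function assumes boto3 is installed and the trustero-api-user's access key is the configured default credential. The offline functions need no SDK.

```python
"""Added example, not Trustero's code: offline checks for the cross-account IAM
setup described on this page, plus an optional live check through boto3."""
import re

MANAGEMENT_USER = "trustero-api-user"       # user name used on this page
MEMBER_ROLE = "Trustero-CrossAccountRole"   # role name used on this page
ALLOWED_ACTIONS = {"sts:AssumeRole"}        # the only action the templates grant
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")     # the template's AllowedPattern "\d{12}"


def validate_account_id(account_id: str) -> bool:
    """Mirror the CloudFormation parameter constraint: exactly 12 digits."""
    return bool(ACCOUNT_ID_RE.match(account_id))


def expected_principal(management_account_id: str) -> str:
    """ARN of the management-account user that every member role must trust."""
    if not validate_account_id(management_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {management_account_id!r}")
    return f"arn:aws:iam::{management_account_id}:user/{MANAGEMENT_USER}"


def member_role_arn(member_account_id: str) -> str:
    """ARN the receptor assumes in a member account; it matches the management
    policy's Resource pattern arn:aws:iam::*:role/Trustero-CrossAccountRole."""
    if not validate_account_id(member_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {member_account_id!r}")
    return f"arn:aws:iam::{member_account_id}:role/{MEMBER_ROLE}"


def _as_list(value):
    # IAM allows a bare string/object or a list in most policy fields.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_trust_policy(policy: dict, management_account_id: str) -> list:
    """Return findings for a member role's trust policy. An empty list means the
    policy allows sts:AssumeRole for exactly the expected user and nothing more."""
    want = expected_principal(management_account_id)
    findings, trusted_expected = [], False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
            findings += [f"non-AWS principal type trusted: {k}" for k in principal if k != "AWS"]
        else:  # a bare "*" (or a bare ARN string)
            aws_principals = _as_list(principal)
        for p in aws_principals:
            if p == want:
                trusted_expected = True
            elif p == "*" or p.endswith(":root"):
                findings.append(f"overly broad principal trusted: {p}")
            else:
                findings.append(f"unexpected principal trusted: {p}")
        for action in _as_list(stmt.get("Action")):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action allowed: {action}")
    if not trusted_expected:
        findings.append(f"expected principal missing: {want}")
    return findings


# Constructed sample inputs (not from a real account); 123456789012 stands in
# for the management account ID, as it does on this page.
MANAGEMENT_ACCOUNT_ID = "123456789012"

# What the member-account template emits for that management account.
TEMPLATE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/trustero-api-user"},
        "Action": "sts:AssumeRole",
    }],
}

# A drifted policy: trust widened to the whole management account, an unrelated account, and an extra action.
DRIFTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:root",
                              "arn:aws:iam::999999999999:user/someone-else"]},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
    }],
}


def live_check(member_account_id: str, management_account_id: str) -> list:
    """Optional live check (assumes boto3 and the trustero-api-user access key as
    default credentials): assume the member role as the receptor does, then audit it."""
    import boto3  # imported here so the offline functions above need no SDK
    creds = boto3.client("sts").assume_role(
        RoleArn=member_role_arn(member_account_id),
        RoleSessionName="trustero-setup-check")["Credentials"]
    iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    trust = iam.get_role(RoleName=MEMBER_ROLE)["Role"]["AssumeRolePolicyDocument"]
    return audit_trust_policy(trust, management_account_id)
```

Call audit_trust_policy on a role's trust policy document (the JSON shown under “Trusted Entities” in the console, or the AssumeRolePolicyDocument returned by the IAM API); an empty list means the policy matches what the template creates. The “overly broad” finding matters in particular: trusting arn:aws:iam::&lt;management account&gt;:root would allow any principal in the management account that holds sts:AssumeRole permission to assume the member role, not just trustero-api-user, and the ReadOnlyAccess policy attached to that role is broad.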