Cross Account Access

Given two accounts, when a user assumes a role into the other account, then the user should see the other account.

Policy

In most cases a managed policy is created for the new role. This example uses an existing AWS managed policy for the sake of brevity.

Cross Account Role

Define a bastion role for managing access in the other account.

Type: AWS::IAM::Role
Properties:
  RoleName: Bastion
  Description: Other Account Bastion
  AssumeRolePolicyDocument:  # trust policy (required): who may assume this role
    Version: '2012-10-17'
    Statement:
      - Effect: Allow
        Action: sts:AssumeRole
        Principal: { AWS: "arn:aws:iam::ROOT_ACCOUNT_ID:root" }  # placeholder: the root account's ID
  ManagedPolicyArns:
    - arn:aws:iam::aws:policy/IAMFullAccess

Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, AWS recommends using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.

Assume Administrator Role Policy

In the root account, define a policy for developers that will have permission to assume roles in the other account.

AssumeBastionRole:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    Description: Assume Other Account Bastion Role
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          # Resolves to arn:aws:iam::*:role/Bastion (the Bastion role in any account)
          Resource: !Join
            - ":"
            - - "arn:aws:iam:"
              - "*"
              - "role/Bastion"
          Condition:
            BoolIfExists:
              aws:MultiFactorAuthPresent: "true"

Note: This policy is restricted to users that have set up Multi-Factor Authentication in the root account. Because the operator is BoolIfExists, the condition also passes when the aws:MultiFactorAuthPresent key is absent from the request context, which is the case for API calls made with long-term access keys; use the plain Bool operator if MFA must be required for those calls as well.
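To make the difference between the two operators concrete, here is an added example (not code from the original post) that evaluates the Condition block of the AssumeBastionRole policy above against constructed request contexts; the role ARN and account ID are placeholders, and the evaluator implements only the Bool and BoolIfExists operators used on this page.

```python
from fnmatch import fnmatchcase

# Added example, not part of the original post: a minimal evaluator for the
# Condition block of AssumeBastionRole, generalised to any Bool/BoolIfExists key.
PAGE_RESOURCE = "arn:aws:iam::*:role/Bastion"   # what the !Join on this page produces


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate an IAM Condition against a request context (all operators must match)."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in keys.items():
            if key not in context:
                # IfExists: a missing key counts as a match; plain Bool: no match.
                if if_exists:
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def allows_assume_role(statement: dict, context: dict,
                       role_arn: str = "arn:aws:iam::123456789012:role/Bastion") -> bool:
    """True if this Allow statement grants sts:AssumeRole on role_arn (a placeholder ARN)."""
    return (
        statement["Effect"] == "Allow"
        and statement["Action"] == "sts:AssumeRole"
        and fnmatchcase(role_arn, statement["Resource"])   # IAM '*' wildcard in Resource
        and condition_matches(statement.get("Condition", {}), context)
    )


# The statement as written on this page, and a stricter variant using Bool.
PAGE_STATEMENT = {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": PAGE_RESOURCE,
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}},
}
STRICT_STATEMENT = dict(PAGE_STATEMENT, Condition={"Bool": {"aws:MultiFactorAuthPresent": "true"}})

# Constructed request contexts: console sessions with and without MFA, and an API
# call made with long-term access keys, for which AWS does not populate the key.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_CALL = {}
```

Running the three contexts through both statements shows that only the Bool variant refuses the access-key call.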

Group

Define a cross account administrator group in the root account. This group will contain the users responsible for administering the other account.

CrossAccountAdmin:
  Type: AWS::IAM::Group
  Properties:
    GroupName: "CrossAccountAdmin"
    ManagedPolicyArns:
      - !Ref AssumeBastionRole

If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

Optionally set a PermissionsBoundary to restrict access.

Users

Define the cross account administrator user and assign them to the cross account group.

Type: AWS::IAM::User
Properties:
  UserName: bastion
  Groups:
    - !Ref CrossAccountAdmin
  LoginProfile:
    Password: Ch@ng3me
    PasswordResetRequired: true

Login Profile

Set a fixed value for the password and always require a password reset. Note that a fixed value is stored in plaintext in the template, and therefore in version control; a NoEcho template parameter or a Secrets Manager dynamic reference keeps it out of the source.

  Password: String
  PasswordResetRequired: Boolean

Switch Roles

To switch roles:

  1. Sign in as the user created above. MFA is required to switch roles.
  2. From the top right of the console's navigation bar, choose your user name.
  3. On the "Switch Role" page, type the account ID and the name of the role.
  4. Select a color.
  5. Choose "Switch Role".

Failure to select a color will overwrite that profile in the browser.

The display name and color replace the user name on the navigation bar, indicating that the role's permissions have been assumed.
