AWS Access Management
Example codes are in Terraform HCL
Configure Master Account
Create a role named Cloud2Spotter
into your master account with the following permissions to all resources
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ce:GetCostForecast",
"ce:GetCostAndUsage",
"ce:GetReservationPurchaseRecommendation",
"ce:GetRightsizingRecommendation",
"ce:GetSavingsPlansPurchaseRecommendation",
"ce:GetTags",
"ce:ListCostAllocationTags",
"config:ListAggregateDiscoveredResources",
"iam:ListAccountAliases",
"organizations:ListAccounts",
"support:DescribeTrustedAdvisorChecks",
"support:DescribeTrustedAdvisorCheckSummaries"
],
"Resource": "*"
}
]
}
Configure Config Account
Create a role named Cloud2Spotter
into your config account with the following permissions to all resources
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"config:ListAggregateDiscoveredResources",
"iam:ListAccountAliases",
"support:DescribeTrustedAdvisorChecks",
"support:DescribeTrustedAdvisorCheckSummaries"
],
"Resource": "*"
}
]
}
Configure Security Account
Create a role named Cloud2Spotter
into your security account with the following permissions to all resources
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"securityhub:GetFindings",
"support:DescribeTrustedAdvisorChecks",
"support:DescribeTrustedAdvisorCheckSummaries"
],
"Resource": "*"
}
]
}
Configure Other Accounts
Create a role named Cloud2Spotter
into all other accounts with the following permissions to all resources
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"support:DescribeTrustedAdvisorChecks",
"support:DescribeTrustedAdvisorCheckSummaries"
],
"Resource": "*"
}
]
}
Configure Trust Relationship
Create trust relationship for the role from AWS account of Spotter
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::730660357973:root"
]
},
"Action": "sts:AssumeRole"
}
]
}