
AWS Access Management

Example code is in Terraform HCL

Configure Master Account

Create a role named Cloud2Spotter in your master account with the following permissions on all resources

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
              "ce:GetCostForecast",
              "ce:GetCostAndUsage",
              "ce:GetReservationPurchaseRecommendation",
              "ce:GetRightsizingRecommendation",
              "ce:GetSavingsPlansPurchaseRecommendation",
              "ce:GetTags",
              "ce:ListCostAllocationTags",
              "config:ListAggregateDiscoveredResources",
              "iam:ListAccountAliases",
              "organizations:ListAccounts",
              "support:DescribeTrustedAdvisorChecks",
              "support:DescribeTrustedAdvisorCheckSummaries"
            ],
            "Resource": "*"
        }
    ]
}

Configure Config Account

Create a role named Cloud2Spotter in your config account with the following permissions on all resources

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
              "config:ListAggregateDiscoveredResources",
              "iam:ListAccountAliases",
              "support:DescribeTrustedAdvisorChecks",
              "support:DescribeTrustedAdvisorCheckSummaries"
            ],
            "Resource": "*"
        }
    ]
}

Configure Security Account

Create a role named Cloud2Spotter in your security account with the following permissions on all resources

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
              "iam:ListAccountAliases",
              "securityhub:GetFindings",
              "support:DescribeTrustedAdvisorChecks",
              "support:DescribeTrustedAdvisorCheckSummaries"
            ],
            "Resource": "*"
        }
    ]
}

Configure Other Accounts

Create a role named Cloud2Spotter in all other accounts with the following permissions on all resources

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
              "iam:ListAccountAliases",
              "support:DescribeTrustedAdvisorChecks",
              "support:DescribeTrustedAdvisorCheckSummaries"
            ],
            "Resource": "*"
        }
    ]
}

Configure Trust Relationship

Create a trust relationship for the role that allows only Spotter's AWS account to assume it

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::730660357973:root"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
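Since the page states its example code is in Terraform HCL, the whole procedure above as one Terraform configuration (an added example, not the Spotter project's own code): it assumes an AWS provider already configured for the target account and a hypothetical variable `account_type` that selects which of the four permission sets above to attach; the trust policy and the action lists are taken verbatim from this page.

```hcl
# Added example, not the Spotter project's own code. Assumes the AWS provider is
# configured for the target account; var.account_type is a hypothetical selector.
variable "account_type" {
  type = string # one of: master, config, security, other
}

locals {
  common_actions = [
    "iam:ListAccountAliases",
    "support:DescribeTrustedAdvisorChecks",
    "support:DescribeTrustedAdvisorCheckSummaries",
  ]
  # Account-specific additions, taken from the policies on this page.
  extra_actions = {
    master = ["ce:GetCostForecast", "ce:GetCostAndUsage", "ce:GetTags",
      "ce:GetReservationPurchaseRecommendation", "ce:GetRightsizingRecommendation",
      "ce:GetSavingsPlansPurchaseRecommendation", "ce:ListCostAllocationTags",
      "config:ListAggregateDiscoveredResources", "organizations:ListAccounts"]
    config   = ["config:ListAggregateDiscoveredResources"]
    security = ["securityhub:GetFindings"]
    other    = []
  }
}

# Trust policy: only Spotter's AWS account (the ID given on this page) may assume the role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::730660357973:root"]
    }
  }
}
resource "aws_iam_role" "cloud2spotter" {
  name               = "Cloud2Spotter"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}
# Read-only actions for the selected account type, on all resources as the page specifies.
data "aws_iam_policy_document" "permissions" {
  statement {
    actions   = concat(local.common_actions, local.extra_actions[var.account_type])
    resources = ["*"]
  }
}
resource "aws_iam_role_policy" "cloud2spotter" {
  name   = "Cloud2Spotter"
  role   = aws_iam_role.cloud2spotter.id
  policy = data.aws_iam_policy_document.permissions.json
}
```

Apply it once per account with the matching `account_type`; a value outside the four keys fails at plan time, so a role never receives an unintended action set.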