By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How do you automate IAM Role Creation in Customers AWS account?

0

I have a use case to automate the creation of IAM role and attaching a Permission policy to it for a Customers( internal ) AWS account( to which we may not have access to ). Any idea on how such automation can be done?

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementAWS Organizations
Language
English
rePost-User-1710581
asked 2 years ago563 views
2 Answers
0

If you have no initial access to the AWS Account, the usual approach is for you to generate an AWS CloudFormation template which will create the Role with suitable Policies attached, and pass that to the customer for them to deploy. I'd suggest using tools such as cfn-nag and CloudFormation Guard to ensure your templates are following best practices and your own requirements for least privilege access.

It's a best practice to require an External ID as part of the trust policy.

profile pictureAWS
EXPERT
James_S
answered 2 years ago
0

Check out this github repo where I have tried to build a solution to help you automate user group assignment to permission sets in AWS IAM Identity Center for accessing any or all AWS accounts in your organization via federated access following principles of least privilege- Automated Role Entitlements in AWS IAM Identity Center

profile pictureAWS
Moumita Saha-Security-Specialist
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content