AWS Cross Account Access

[Part 02 — Access between two AWS Accounts]

Crishantha Nanayakkara
4 min read · Apr 10, 2021

In Part 01 of this AWS cross account access series, I discussed cross-account access between AWS accounts within an AWS Organizations hierarchy.

In this article, I will concentrate on the other aspect of cross-account switching: role switching between two standalone AWS accounts.

Scenario: You need two AWS accounts (Account A and Account B) with administrative access to each (the root user is not required; any IAM principal that can manage users, groups, policies and roles will do). A user in Account A should be able to access Account B resources, in this case with ReadOnlyAccess.

Step 1: Sign in to Account A and create an IAM user (“userA”). This is the principal that will later assume the role in Account B.

Step 2: Create an IAM group and attach two policies to it: the AWS managed ReadOnlyAccess policy and an in-line policy that allows sts:AssumeRole.

Adding the AWS managed policy ReadOnlyAccess (see Figure 01)

Figure 01 — Attaching the ReadOnlyAccess

Adding the in-line policy with AssumeRole

Once the ReadOnlyAccess managed policy is attached, open the group and add the in-line policy through the link under the Inline Policies tab (see Figure 02).

Figure 02 — Attaching the Inline Policy

Clicking that link opens the Policy Generator page.

Click the “Select” button under Policy Generator and you will see the page shown in Figure 03.

Figure 03 — Adding In-line Policy

Click “In-line Policy” and use the policy editor to add the STS AssumeRole permission to the in-line policy.

Select the following parameters while creating the in-line permissions:

  • Select Policy Generator → Effect = “Allow” → AWS Service = “AWS STS” → Actions = “AssumeRole” → ARN = “*” → Click “Add Statement” → Click “Next Step” → Click “Apply Policy”

Note that ARN = “*” lets members of this group call AssumeRole against any role, in any account, whose trust policy trusts Account A. Once the role in Account B exists (Step 3), it is better to replace “*” with that role's ARN (arn:aws:iam::<Account B ID>:role/SecurityReadOnlyRole) so the group can assume only that role.

Once both policies are attached, the group's policies are listed as in Figure 04.

Figure 04 — After attaching both AWS Managed and In-line Policy

Click “Show Policy” under Inline Policies to check the in-line policy we added (see Figure 05).

Figure 05 — UserA inline policy

Now add the user created in Step 1 to this group so that the group's permissions apply to the user (see Figure 06).

Figure 06 — Adding the user to the new group

Step 3: Sign in to Account B and create a role. This role is what connects Account A users to Account B.

Go to IAM → Select “Roles” → Click “Create Role” → Select “Another AWS Account” → Enter the 12-digit account ID (the account ID of Account A) → Click “Next” and add permissions (here, “ReadOnlyAccess”) → Click “Next” and give the role a name and a description (Role Name = “SecurityReadOnlyRole”)

Go back to “Roles”, open the newly created role and check its Permissions and Trust Relationships. Under Permissions you will see “ReadOnlyAccess”; under “Trust Relationships” you will see the trusted AWS account, i.e. the account ID of Account A (see Figure 07 for the edited relationship).

Figure 07 — Trust Relationship with Account A

With this configuration the role trusts Account A as a whole (the principal is arn:aws:iam::<Account A ID>:root). That means any IAM user or role in Account A that is itself allowed to call sts:AssumeRole on this role can access Account B resources in read-only mode; the permission must be granted on both sides, by the caller's policy in Account A and by the trust policy in Account B.

If we want to restrict this access to userA only, we edit the role's trust relationship in Account B and replace the account principal with the user's ARN, arn:aws:iam::<Account A ID>:user/userA (see Figure 08).

Figure 08 — Trust policy restricted to userA

Step 4: Now sign in to Account A as “userA”.

Step 5: Go to “Switch Role” and enter the following details:

  • Account ID (Account ID of AWS Account B)
  • Role (“SecurityReadOnlyRole”)
  • Display Name and Color can be anything you like

Figure 09 — Switching to Account B from Account A

If everything is in order, you will be switched into Account B under the role's temporary credentials, without any Account B username or password; what you can do there is bounded by the role's permissions (ReadOnlyAccess).

You can switch back to Account A from the same menu at any time, and then to Account B again.
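The two policy documents the steps above produce, and the "both sides must allow it" rule they rely on, written out as an added example that is not part of the original post. The account IDs, the role ARN and the user ARN are placeholders constructed for the example; the evaluator is a deliberate simplification of IAM (Allow statements only, no Deny, no conditions) that is enough to show why the ARN = "*" in-line policy and the account-level trust differ from the scoped-down versions.

```python
"""Cross-account AssumeRole as policy documents, plus a minimal evaluator
that mirrors the two checks IAM performs on an sts:AssumeRole call.

Added example; not the blog's own artifacts. All identifiers below are
placeholders constructed for the example.
"""
import json

ACCOUNT_A = "111111111111"   # placeholder: account that holds userA
ACCOUNT_B = "222222222222"   # placeholder: account that holds the role
ROLE_NAME = "SecurityReadOnlyRole"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/{ROLE_NAME}"
USER_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/userA"


def assume_role_policy(resource="*"):
    """Identity policy attached to the IAM group in Account A (the blog's
    in-line policy). The blog uses ARN = "*"; pass ROLE_ARN to scope it
    down to the one role in Account B."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": resource,
        }],
    }


def trust_policy(principal_arn):
    """Trust policy of the role in Account B. The console's "Another AWS
    account" choice yields the account root principal; pass USER_A_ARN to
    trust only that one user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def _resource_match(pattern, arn):
    # "*" matches any resource; otherwise require an exact ARN (simplified).
    return pattern == "*" or pattern == arn


def _principal_match(trusted, caller_arn):
    # An account root principal trusts every IAM principal of that account
    # (each still needs its own sts:AssumeRole permission); a user ARN
    # trusts exactly that user. Field 4 of an ARN is the account ID.
    if trusted.endswith(":root"):
        return caller_arn.split(":")[4] == trusted.split(":")[4]
    return trusted == caller_arn


def can_assume(caller_arn, identity_policy, role_arn, role_trust_policy):
    """True only when BOTH sides allow it: the caller's identity policy
    grants sts:AssumeRole on the role AND the role's trust policy names the
    caller. Simplified: Allow statements only, no Deny, no conditions."""
    allowed_by_identity = any(
        s["Effect"] == "Allow"
        and "sts:AssumeRole" in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])
        and _resource_match(s["Resource"], role_arn)
        for s in identity_policy["Statement"]
    )
    trusted_by_role = any(
        s["Effect"] == "Allow"
        and s["Action"] == "sts:AssumeRole"
        and _principal_match(s["Principal"]["AWS"], caller_arn)
        for s in role_trust_policy["Statement"]
    )
    return allowed_by_identity and trusted_by_role


if __name__ == "__main__":
    # The scoped-down documents a practitioner would actually deploy.
    print(json.dumps(assume_role_policy(ROLE_ARN), indent=2))
    print(json.dumps(trust_policy(USER_A_ARN), indent=2))
    # The CLI/SDK equivalent of the console's "Switch Role" (needs boto3 and
    # credentials for userA; skipped when boto3 is not installed).
    try:
        import boto3
        creds = boto3.client("sts").assume_role(
            RoleArn=ROLE_ARN, RoleSessionName="userA-readonly")["Credentials"]
        print("temporary access key:", creds["AccessKeyId"])
    except ImportError:
        print("boto3 not installed; skipping the live AssumeRole call")
```

The evaluator makes the point of Step 3 concrete: with ARN = "*" on the group policy and the account root as trusted principal, any other user in Account A who is also in that group can assume the role; narrowing the trust policy to the user ARN shuts that out even if the group policy stays broad, and narrowing the group policy to the role ARN keeps userA from assuming unrelated roles elsewhere that happen to trust Account A.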

References

  1. AWS Cross Account Access — Part 01 : https://crishantha.medium.com/aws-cross-account-access-70c5b2fac543

Crishantha Nanayakkara

Enterprise Architect, Consultant @ FAO (UN), Former CTO, ICTA Sri Lanka