Associating Cloudivize to your AWS Account

Cross-Account IAM Role for Access Management

To create a role in the owning account that Cloudivize will use, follow these steps:

Defining AWS Credentials

Tip: if your organization manages users and roles with AWS SSO, you can configure Cloudivize to use AWS SSO directly without providing an IAM Role. See Single-Sign-On Configuration.

Create IAM Role

  • Sign in to the AWS Management Console as an administrator of the billing owner account, and open the IAM console.

  • In the navigation pane on the left, choose Roles and then choose Create role.

  • Choose the Another AWS Account role type.

  • For Account ID, type the Cloudivize account ID 620488116841.

  • Copy the External ID generated at Cloudivize (or use any ID you want) and paste it into the External ID field.

  • Choose Next: Permissions to set the permissions policies you want to associate with the role and grant access to Cloudivize. You can select from the Managed Policies or create your own custom policy; see Create Custom Policy below.

    • Don't know what to select? Consider attaching the "AdministratorAccess" policy until you learn how to control permissions. You can change it at any time later.

  • Give the role any name you want and choose Create role.

In Cloudivize, copy the role ARN into Cloudivize Account Settings together with the External ID you entered on the IAM Role. If you defined the role correctly, the relevant text boxes show a green glow.

This completes the association between Cloudivize and your AWS Account.

Create Custom Policy

  • In the navigation pane on the left, choose Policies and then choose Create policy.

  • You have three options:

  1. Use the Access Analyzer to define the services, actions and roles you want Cloudivize to view and let you manage.

  2. Switch to the JSON tab and paste the policy you prepared. The AWS Policy Generator is a good place to start.

  3. Not experienced enough with IAM policy syntax? You can use the following full-access policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }

  • On the Review page, give this policy any name you want. Review the policy Summary to see the permissions granted by your policy, and then choose Create policy to save your work.

Cloudivize usage for the provided IAM Role

Using an IAM Role to associate Cloudivize with your AWS account gives you full control over the level of access to your AWS assets. You can provide an IAM Role Policy that allows or denies any AWS service, any asset type, or even any specific asset.

Cloudivize assumes the role in your AWS account and uses the permissions of its IAM Role Policy to pull asset information from your account (for constructing your visual view).

The more permissions you allow via the IAM Policy (attached to the IAM Role), the more asset types you will see and be able to operate.

Important: if you define an inline policy for selected AWS services, the following actions must be allowed in your policy in addition to whatever else you grant:

  • sts:AssumeRole

  • cur:DescribeReportDefinitions

  • ec2:DescribeAccountAttributes

  • ec2:DescribeRegions

  • iam:GetAccountSummary

Without these actions, Cloudivize will not be able to connect to your AWS account at all, and will show the Access Denied error.

If you provide an IAM policy with just these actions, you will not see any assets (besides empty regions), and you will miss the value you can get from Cloudivize.

Remember, if you don't allow "Read" or "List" actions on a specific AWS service, you will not see it in your view. And if you don't allow the "Write" and "Tagging" actions, you will not be able to change asset properties or operate those assets.

Important Notes:

  1. You can choose to start using Cloudivize with a Read Only policy (managed or inline) attached to the IAM Role. Just note that you will not be able to edit attributes of your assets or act on them until you allow those actions in your attached policy.

    • The managed policy "ReadOnlyAccess" is a good start. You can find it in the list of managed policies.

  2. If you still face any difficulties, please refer to the AWS troubleshooting documentation.

For more information, please refer to the AWS documentation here.

Updating External ID at Existing IAM Role

  1. In the AWS Management Console, select the role.

  2. Open the Trust Relationships tab and click Edit Trust Relationship.

  3. Add a Condition with ExternalId to the opened policy, as shown here:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "<Account Root>"
            ]
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<External ID>"
            }
          }
        }
      ]
    }
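The two pieces of configuration this page describes, the trust policy with an ExternalId condition and the minimum set of actions Cloudivize needs, as an added Python example that is not part of Cloudivize's own documentation or code. The external ID value and the sample permissions policy are constructed; the Cloudivize account ID is the one given above, and the trust policy uses the arn:aws:iam::<account>:root form of the account root principal.

```python
import fnmatch

# Cloudivize account ID as given on this page
CLOUDIVIZE_ACCOUNT_ID = "620488116841"

# Actions this page lists as mandatory for Cloudivize to connect at all
REQUIRED_ACTIONS = [
    "sts:AssumeRole",
    "cur:DescribeReportDefinitions",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeRegions",
    "iam:GetAccountSummary",
]


def trust_policy(external_id, account_id=CLOUDIVIZE_ACCOUNT_ID):
    """Trust policy that lets only the Cloudivize account root assume the role,
    and only when it presents the agreed External ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{account_id}:root"]},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_required_actions(policy):
    """Return the required actions that no Allow statement covers. Wildcards such
    as "ec2:Describe*" or "*" match (case-insensitively, as IAM does); Deny
    statements and Resource/Condition scoping are not evaluated (static check)."""
    allowed = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            allowed.extend(_as_list(stmt.get("Action", [])))
    return [a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in allowed)]


if __name__ == "__main__":
    sample = {"Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "iam:Get*"], "Resource": "*"}]}  # constructed
    print(missing_required_actions(sample))  # ['sts:AssumeRole', 'cur:DescribeReportDefinitions']
```

Run the check against the JSON you are about to paste into the policy editor; a non-empty result means Cloudivize would get Access Denied before it can list a single region.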

Deprecation Note: the old "Access Key & Secret Key" credentials mode is no longer supported (starting from release 1.5), as AWS recommends against it and it is less secure.


Copyright © Cloudivize Technologies LTD. 2020. All Rights Reserved
