Associating Cloudivize to your AWS Account

Cross-Account IAM Role for Access Management

To create a role in the account you own that Cloudivize will assume, follow these steps:

Cloudivize Authentication


Create IAM Role

  • Sign in to the AWS Management Console as an administrator of the billing owner account, and open the IAM console

  • In the navigation pane on the left, choose Roles and then choose Create role

  • Choose the Another AWS Account role type

  • For Account ID, enter the Cloudivize account ID, 620488116841

  • Copy the External ID generated by Cloudivize and paste it into the External ID field. If you prefer to choose your own, make it a long random value: the external ID is what prevents a third party from getting Cloudivize to assume your role on their behalf (the confused-deputy problem), so it must not be guessable.

  • Choose Next: Permissions to set the permissions policies you want to associate with the role; these define what Cloudivize is allowed to do. You can select from the managed policies or create your own custom policy, see Create Custom Policy below.

    • Not sure what to select? The managed "ReadOnlyAccess" policy is the safer starting point (see Important Notes below). "AdministratorAccess" also works, but it lets Cloudivize change or delete anything in the account, so if you start with it, narrow it down once you know which services and actions you need. You can change the attached policies at any time.

  • Give the role a name and choose Create role.

Tip: if your organization manages users and roles with AWS SSO, you can configure Cloudivize to use AWS SSO directly without providing an IAM role. See Single-Sign-On Configuration.

In Cloudivize Account Settings, paste the role ARN together with the External ID you set in the role's trust policy. If the role is defined correctly, the relevant text boxes glow green.

This will complete the association between Cloudivize to your AWS Account.


Create Custom Policy

  • In the navigation pane on the left, choose Policies and then choose Create policy

  • You have three options:

  1. Use the visual editor to pick the services, actions and resources you want Cloudivize to view and manage

  2. Switch to the JSON tab and paste a policy you prepared. The AWS Policy Generator is a good place to start

  3. If you are not yet comfortable with IAM policy syntax, you can use the following full-access policy. Be aware that Action "*" on Resource "*" is equivalent to the managed AdministratorAccess policy: it lets Cloudivize do anything in the account, so treat it as a temporary starting point and narrow it later

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            }
        ]
    }

  • On the Review page, give the policy a name. Review the policy Summary to confirm the permissions it grants, and then choose Create policy to save your work


Mandatory Actions

Associating Cloudivize through an IAM role gives you control over its level of access to your AWS assets: the role's policies can allow or deny whole services, particular actions, or even individual resources.

Cloudivize needs the following actions allowed in order to connect at all:

  • sts:AssumeRole

  • cur:DescribeReportDefinitions

  • ec2:DescribeAccountAttributes

  • ec2:DescribeRegions

  • iam:GetAccountSummary

Without these actions, Cloudivize will not be able to connect to your AWS account and will show an Access Denied error.

If the IAM role allows only these actions, you will see regions with no assets inside them, and miss most of the value Cloudivize provides.

Remember: if you do not allow the "Read" or "List" actions of an AWS service, that service will not appear in your view; if you do not allow its "Write" and "Tagging" actions, you will not be able to change asset properties or operate those assets.

Important Notes:

  1. You can start using Cloudivize with a read-only policy (managed or inline) attached to the IAM role. Just note that you will not be able to edit attributes of your assets or act on them until you allow those actions in the attached policy

    • The managed policy "ReadOnlyAccess" is a good start. You can find it in the list of managed policies.

  2. If you still face difficulties, refer to the AWS IAM troubleshooting documentation
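Before attaching a custom policy to the role, it is worth checking offline that it actually allows the five mandatory actions, including when the policy uses wildcards or an explicit Deny. The script below is an added example and not Cloudivize's own code; the function names, the sample policies (the page's full-access policy plus two constructed ones) and the simplification of ignoring the Resource and Condition elements are assumptions. Ignoring Resource is acceptable here because the mandatory actions are account-level calls that are evaluated against Resource "*".

```python
import fnmatch
import json
import sys

# The actions this page lists as mandatory for Cloudivize to connect.
MANDATORY_ACTIONS = (
    "sts:AssumeRole",
    "cur:DescribeReportDefinitions",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeRegions",
    "iam:GetAccountSummary",
)


def _as_list(value):
    """IAM accepts a single string/object or a list in most elements; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action):
    """True if the identity policy allows `action`.

    Assumption: Resource and Condition are ignored (fine for the account-level
    mandatory actions). An explicit Deny always overrides any Allow.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:   # statement applies to everything NOT listed
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_mandatory_actions(policy):
    """Mandatory actions the policy does not allow, in the order listed above."""
    return [a for a in MANDATORY_ACTIONS if not policy_allows(policy, a)]


def load_policy(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed samples (not Cloudivize product policies).
FULL_ACCESS = {  # the page's full-access example; equivalent to AdministratorAccess
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
MINIMAL = {      # exactly the mandatory actions and nothing else
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(MANDATORY_ACTIONS), "Resource": "*"}],
}
TOO_NARROW = {   # wildcards cover the ec2/iam calls, but cur is absent and sts is denied
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:Get*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "sts:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    # usage: python check_policy.py [policy.json ...]; with no arguments the samples are checked
    targets = [(p, load_policy(p)) for p in sys.argv[1:]] or [
        ("full access", FULL_ACCESS), ("minimal", MINIMAL), ("too narrow", TOO_NARROW)]
    for name, policy in targets:
        missing = missing_mandatory_actions(policy)
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it against the JSON you intend to paste into the policy editor; an empty result means the role will at least connect, and the "too narrow" sample shows the two ways a policy silently fails that check: an action family that is simply absent, and an explicit Deny that wins over a broad Allow.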

Updating External ID at Existing IAM Role

  1. In the IAM console, select the role.

  2. Open the Trust Relationships tab and click Edit Trust Relationship

  3. Add a Condition on sts:ExternalId to the policy, as shown here. <Account Root> is the Cloudivize account root, arn:aws:iam::620488116841:root, and <External ID> is the same value you enter in Cloudivize Account Settings

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "<Account Root>"
                    ]
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<External ID>"
                    }
                }
            }
        ]
    }
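The trust policy is the part of this setup that protects you from the confused-deputy problem, so it pays to generate and audit it rather than hand-edit it. The script below is an added example covering both the Create IAM Role procedure and the Updating External ID procedure above; it is not Cloudivize's code. It assumes the function names shown, that the trusted principal is the Cloudivize account root built from the account ID on this page, and that a boto3 IAM client is passed in by the caller (so the generation and audit run without AWS access; only the final apply step, which calls the real iam:UpdateAssumeRolePolicy API, needs credentials).

```python
import json
import secrets

CLOUDIVIZE_ACCOUNT_ID = "620488116841"  # the account ID given on this page


def _as_list(value):
    """Trust-policy elements may be a string, an object or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def new_external_id():
    """Random, unguessable external ID. token_urlsafe only emits letters,
    digits, '-' and '_', all of which AWS accepts in sts:ExternalId."""
    return secrets.token_urlsafe(24)


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy that lets only `trusted_account_id` assume the role, and
    only when the caller presents `external_id` (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy, expected_account_id):
    """Audit an existing trust policy. Returns problem codes; an empty list
    means every AssumeRole grant is limited to the expected account and
    requires an external ID."""
    problems = []
    accepted = {expected_account_id, f"arn:aws:iam::{expected_account_id}:root"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws:
            problems.append("principal-wildcard")       # anyone can assume the role
        elif any(p not in accepted for p in aws):
            problems.append("principal-not-cloudivize")  # trusts some other account
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("missing-external-id")
    return problems


def apply_trust_policy(iam, role_name, policy):
    """Replace a role's trust policy: the API equivalent of the console's
    'Edit Trust Relationship'. `iam` is a boto3 IAM client supplied by the
    caller; the caller needs iam:UpdateAssumeRolePolicy on the role."""
    iam.update_assume_role_policy(RoleName=role_name,
                                  PolicyDocument=json.dumps(policy))


# Constructed sample: a trust policy as it looks before the Condition is added.
NO_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CLOUDIVIZE_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    import sys
    print("before:", trust_policy_problems(NO_EXTERNAL_ID, CLOUDIVIZE_ACCOUNT_ID))
    external_id = new_external_id()
    fixed = build_trust_policy(CLOUDIVIZE_ACCOUNT_ID, external_id)
    print("after: ", trust_policy_problems(fixed, CLOUDIVIZE_ACCOUNT_ID))
    print(json.dumps(fixed, indent=2))
    print("External ID to enter in Cloudivize Account Settings:", external_id)
    if len(sys.argv) > 1:  # usage: python trust_policy.py <RoleName>  (applies to AWS)
        import boto3
        apply_trust_policy(boto3.client("iam"), sys.argv[1], fixed)
```

The audit deliberately flags a wildcard principal separately from a wrong account: the first means any AWS customer can assume your role, the second usually means the account ID was typed incorrectly. Both leave the role open even when an external ID is set, which is why the principal check comes before the condition check.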

Deprecation note: the old "Access Key & Secret Key" credentials mode is no longer supported (starting from release 1.5). AWS advises against long-lived access keys, and the cross-account role is more secure because the credentials it yields are temporary and limited to what the role's policies allow.


Copyright © Cloudivize Technologies LTD. 2020. All Rights Reserved
