Delegating access across AWS accounts

In AWS you can use a role to delegate access to resources that are in different AWS accounts that you own. You share resources in one account with users in a different account. By setting up cross-account access in this way, you do not need to create individual IAM users in each account, and users do not have to sign out of one account and sign into another in order to access resources that are in different AWS accounts.

To learn how to create a role for cross-account access in AWS, visit:

http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-walkthrough-crossacct.html

The following example shows how to set up Bravura Security Fabric for cross-account access to IAM, assuming that you have two AWS accounts, AWS1 and AWS2:

  1. Add the target system for AWS1 with the address:

    {Region=USwest2;}

  2. Set the administrator credentials of the AWS1 target system to the key pair Access key ID and Secret Access Key of the administrator of AWS1.

  3. Ensure that the administrator of AWS1 has been granted an AWS role for cross-account access to AWS2.

  4. Add a second target system for AWS2 with the address:

    {Region=USWest2; rolearn=arn:aws:iam::012345678912:role/myRole; }

  5. Set the administrator credentials of the AWS2 target system to the same key pair as in step 2.

  6. Run auto discovery.

    Note

    While using the AWS role, the administrator of AWS1 can perform only the actions, and access only the resources, that the role permits; the administrator's original user permissions are not in effect during the role session.
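The two target-system addresses above and the role grant in step 3 fit together as follows. This is an added example, not Bravura Security Fabric code: it parses the `{Region=...; rolearn=...; }` address format, validates the role ARN from step 4, and builds the two IAM policy documents that "an AWS role for cross-account access" consists of in AWS: the trust policy on the role in AWS2 (naming the AWS1 administrator as the principal allowed to assume it) and the `sts:AssumeRole` permission the AWS1 administrator needs. The administrator ARN `arn:aws:iam::111122223333:user/aws1-admin` and the function names are constructed for the example; the `assume_role_session` helper shows the STS call that cross-account access ultimately relies on and is illustrative only, since the page does not describe how the connector performs it.

```python
"""Cross-account role delegation helper (added example, not Bravura Security Fabric code)."""
import json
import re

# IAM role ARN: arn:aws:iam::<12-digit account id>:role/<optional path/><name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_target_address(address: str) -> dict:
    """Parse a target-system address such as '{Region=USWest2; rolearn=arn:...; }'.

    Keys are lower-cased so 'Region' and 'region' are treated alike; values are kept as-is.
    """
    body = address.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("address must be enclosed in braces")
    result = {}
    for item in body[1:-1].split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate the trailing ';' and padding seen in the examples
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed item: {item!r}")
        result[key.strip().lower()] = value.strip()
    return result


def parse_role_arn(arn: str) -> tuple:
    """Return (account_id, role_name) or raise if the ARN is not an IAM role ARN."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a valid IAM role ARN: {arn!r}")
    return m.group(1), m.group(2)


def trust_policy(trusted_principal_arn: str) -> dict:
    """Trust policy attached to the role in AWS2: which AWS1 principal may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_permission(role_arn: str) -> dict:
    """Permission policy for the AWS1 administrator: may assume exactly this one role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,  # least privilege: scoped to the single role ARN
        }],
    }


def plan_delegation(aws1_address: str, aws1_admin_arn: str, aws2_address: str) -> dict:
    """Check the two target-system addresses and return the policies each account needs."""
    a1 = parse_target_address(aws1_address)
    a2 = parse_target_address(aws2_address)
    if "rolearn" in a1:
        raise ValueError("the AWS1 target system uses the administrator's own credentials; no rolearn expected")
    role_arn = a2.get("rolearn")
    if role_arn is None:
        raise ValueError("the AWS2 target system needs a rolearn")
    account, role_name = parse_role_arn(role_arn)
    return {
        "aws2_account": account,
        "role_name": role_name,
        "region": a2.get("region"),
        "trust_policy": trust_policy(aws1_admin_arn),        # attach to the role in AWS2
        "aws1_admin_policy": assume_role_permission(role_arn),  # attach to the admin in AWS1
    }


def assume_role_session(role_arn: str, session_name: str = "bravura-discovery"):
    """Illustrative: the STS AssumeRole call behind cross-account access (needs boto3 + credentials)."""
    import boto3  # imported lazily so the rest of this module runs offline
    creds = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    # The temporary credentials carry only the role's permissions, as the note above describes.
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    # Constructed input: the two addresses from the procedure and a sample AWS1 administrator ARN.
    plan = plan_delegation(
        "{Region=USwest2;}",
        "arn:aws:iam::111122223333:user/aws1-admin",
        "{Region=USWest2; rolearn=arn:aws:iam::012345678912:role/myRole; }",
    )
    print(json.dumps(plan, indent=2))
```

Run the module directly to print the role's account id, name and both policy documents for the two addresses used in the procedure; `plan_delegation` rejects an AWS1 address that carries a `rolearn` and an AWS2 address that lacks one, which are the two configuration mix-ups most likely when the same key pair is entered for both target systems.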