Versions Compared

Old Version 1

changes.mady.by.user Sri Raghu

Saved on

compared with

New Version 2

changes.mady.by.user Sri Raghu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Policy Configuration for AWS Account This section explains the policy configuration for an AWS account which is not an AWS MANAGEMENT ACCOUNTmanagement account.

If you are configuring a third party DNS provider from an AWS account which is not an AWS management account, a specific policy needs to be configured. To create or update the resource-based delegation policies, you need permissions to run the following actions:

...

  1. Log in to the AWS Management Console.
    You must be logged in as an IAM user, assume an IAM role, or logged in as the root user ( not recommended) in the organization’s management account with appropriate permissions that are stated above. For more information, see Safeguard your root user credentials.

  2. Go to the  AWS Organizations Service Console.

  3. Go to Settings.

  4. In the Delegated Administrator for AWS Organizations section, do one of the following:

    • To create the organization's delegation policy, choose Delegate.

    • To update an existing delegation policy, choose Edit.

  5. Type a JSON policy in the JSON editor or copy the below example policy and customize it for your account. Following is an example of a Delegated administrator for AWS Organizations policy:
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Sid": "DelegatingNecessaryListActionsMultiAcc",
    "Effect": "Allow",
    "Principal": {
    "AWS": [
    "arn:aws:iam::<Parent_account_ID>:root",
    "arn:aws:iam::<Parent_account_ID>::root"
    ]
    },
    "Action": [
    "organizations:ListParents",
    "organizations:DescribeOrganizationalUnit",
    "organizations:DescribeAccount",
    "organizations:ListChildren"
    ],
    "Resource": "*"
    }
    ]
    }

  6. Resolve any security warnings, errors, or general warnings generated during policy validation.

  7. Choose Create policy to save your work.
    This provides the delegated administrator access to the management account.

...

  1. Create a user and attach the policy to the user. 

  2. Create a Role (AssumeRole).

    1. Select AWS Account: This account

    2. Permissions

      1. Attach the policy as specified in the section Permissions required in AWS R53.

      2. Attach AWSOrganizationsReadOnlyAccess to discover accounts.

      3. Attach policy created in this the following section .

    3. Tags (Optional, provide : This is optional. Provide some meaningful tag)tags.

    4. Provide the Role Name.

    5. Create Role.

...

  1. In Trusting/Child account.

    1. IAM Create Role  (AssumeRole)

      1. In Select type of trusted entity, configure the following:

        1. Select AWS Account:Select Another AWS account.

        2. Provide the Account ID of the Trusted/Management account.

      2. Permissions: Configure the following permissions:

        1. Attach Policy: Attach the policy that has permissions required for R53 sync (R53ReadWrite access).

      3. Tags (Optional, provide some meaningful tag).

      4. Provide Role Name: Specify the same name as hereprovided in step 3.d.

      5. Create Role