...
Complete the following steps to create an IAM case:
1. Create a policy with the following settings:
   a. Choose service: Choose STS.
   b. Actions: Choose AssumeRole (Write Access).
   c. Resources: Configure the following:
      - Add ARN:
        - Choose any account.
        - Specify the Role Name.
   d. Add and Review Policy.
   e. Specify a Name.
   f. Create Policy
      {
      "Version": "2012-10-17",
      ...
2. Create a user and attach the policy to the user.
3. Create a Role (AssumeRole).
   a. Select AWS Account: This account
   b. Permissions
      - Attach the policy as specified in the section Permissions required in AWS R53.
      - Attach AWSOrganizationsReadOnlyAccess to discover accounts.
      - Attach policy created in the following section.
   c. Tags: This is optional. Provide some meaningful tags.
   d. Role Name: Specify a name for the role.
   e. Click Create Role.
The following steps are required for creating a role with the proper permissions. Complete the following steps for the Trusting/Child account:
- IAM Create Role (AssumeRole)
- In Select type of trusted entity, configure the following:
  - Select AWS Account: Select Another AWS account.
  - Provide the Account ID of the Trusted/Management account.
- Permissions: Configure the following permissions:
  - Attach Policy: Attach the policy that has permissions required for R53 sync (R53ReadWrite access).
- Tags: This is optional. Provide some meaningful tags.
- Role Name: Specify the same name as provided in step 3.d.
- Click Create Role.
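The two sides of this setup only work together if the role name matches in both accounts and the child role trusts the management account. The following added example (not taken from the product documentation) builds the two policy documents the steps describe in standard IAM JSON and checks a pair for mismatches; the role name `R53SyncRole` and account ID `111122223333` are constructed placeholders.

```python
import json
ROLE = "R53SyncRole"      # hypothetical role name (must match in both accounts)
MGMT = "111122223333"     # constructed management account ID

def identity_policy(role_name):
    """Management side: sts:AssumeRole on the named role in any account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::*:role/{role_name}"}]}

def trust_policy(mgmt_id):
    """Child side: only the management account may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{mgmt_id}:root"}}]}

_as_list = lambda v: v if isinstance(v, list) else [v]

def check_pair(identity, trust, role_name, mgmt_id):
    """Return findings; an empty list means the two documents line up."""
    findings = []
    res = [r for s in _as_list(identity["Statement"])
           if s.get("Effect") == "Allow"
           and "sts:AssumeRole" in _as_list(s.get("Action", []))
           for r in _as_list(s.get("Resource", []))]
    broad = [r for r in res if r == "*" or r.endswith(":role/*")]
    if broad:
        findings.append("identity policy allows assuming any role name")
    elif not any(r.endswith(f":role/{role_name}") for r in res):
        findings.append(f"identity policy does not cover role {role_name}")
    trusted = []
    for s in _as_list(trust["Statement"]):
        if s.get("Effect") == "Allow":
            p = s.get("Principal", {})
            trusted += ["*"] if p == "*" else _as_list(p.get("AWS", []))
    own = lambda p: p == mgmt_id or p.startswith(f"arn:aws:iam::{mgmt_id}:")
    if not any(own(p) for p in trusted):
        findings.append("trust policy does not name the management account")
    for p in trusted:
        if p == "*":
            findings.append("trust policy principal is a wildcard")
        elif not own(p):
            findings.append(f"trust policy trusts another account: {p}")
    return findings

if __name__ == "__main__":
    print(json.dumps(identity_policy(ROLE), indent=2))
    print(json.dumps(trust_policy(MGMT), indent=2))
    print(check_pair(identity_policy(ROLE), trust_policy(MGMT), ROLE, MGMT))
```

Because the management-side resource uses a wildcard account, the child role's trust policy is the control that decides which account can actually assume it.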