To import the Route 53 DNS or, starting from NIOS 9.0.4, the vDiscovery data from multiple accounts of an AWS organization to a single member in NIOS, you must set up the AWS environment as discussed in this topic. For more details, refer to the AWS documentation.

...

IAM users or roles from one AWS account can be set up to assume a role configured in another AWS account to pull the Route 53 or vDiscovery data from those accounts. The account that can assume a role is a trusted account and the accounts that allow their roles to be assumed are trusting accounts. You must set up the management (or a parent account) as the trusted account and its members (or child accounts) as trusting accounts.

...


Providing the Delegated Organization Admin Access to the Management Account

You can create a delegation policy for the specified member accounts of an AWS organization for them to perform policy actions that are by default available only to the management account.
To create or update the resource-based delegation policies, you need permissions to run the following actions:

...

  1. Log in to the AWS Management Console.
    You must be logged in to the organization's management account as an IAM user, as an assumed IAM role, or as the root user (not recommended), with the permissions stated above.

  2. Go to the AWS Organizations Service Console.

  3. Go to Settings.

  4. In the Delegated Administrator for AWS Organizations section, do one of the following:

    • To create the organization's delegation policy, choose Delegate.

    • To update an existing delegation policy, choose Edit.

  5. Type a JSON policy in the JSON editor, or copy the example policy below and customize it for your account.
    Example of a “Delegated administrator for AWS Organizations” policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DelegatingNecessaryListActionsMultiAcc",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::<Parent_account_ID>:root"
                    ]
                },
                "Action": [
                    "organizations:ListParents",
                    "organizations:DescribeOrganizationalUnit",
                    "organizations:DescribeAccount",
                    "organizations:ListChildren"
                ],
                "Resource": "*"
            }
        ]
    }

  6. Resolve any security warnings, errors, or general warnings generated during policy validation.

  7. Choose Create policy to save your work.
    This provides the delegated administrator access to the management account.
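As an added example (not part of the Infoblox documentation or of any AWS tooling), the following Python script checks a delegation policy of the shape shown above before it is pasted into the console: every principal must be a well-formed account-root ARN (a stray extra colon, as in `arn:aws:iam::<ID>::root`, is rejected), and the statement must grant only the four read-only organization actions the sync needs. The 12-digit account ID in `sample_policy` is a constructed placeholder for `<Parent_account_ID>`.

```python
"""Structural checks for an AWS Organizations delegation policy.

Added example; it is not Infoblox or AWS code. It catches the mistakes a
reviewer looks for before pasting the policy into the console: malformed
principal ARNs and actions beyond the four read-only ones the sync needs.
"""
import re

# A trusted account root is exactly arn:aws:iam::<12-digit account>:root.
# The mis-typed "::root" form (an extra colon) does not match and is flagged.
ROOT_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:root$")

# Organization actions the delegated sync needs (same set as the policy above).
EXPECTED_ACTIONS = {
    "organizations:ListParents",
    "organizations:DescribeOrganizationalUnit",
    "organizations:DescribeAccount",
    "organizations:ListChildren",
}


def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_delegation_policy(policy):
    """Return the list of problems found (an empty list means the policy passes)."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            problems.append(f"{sid}: Effect must be Allow")
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        if not principals:
            problems.append(f"{sid}: no AWS principal")
        for arn in principals:
            if not ROOT_PRINCIPAL_RE.match(arn):
                problems.append(f"{sid}: malformed principal {arn}")
        extra = set(_as_list(stmt.get("Action"))) - EXPECTED_ACTIONS
        if extra:
            problems.append(f"{sid}: unexpected actions {sorted(extra)}")
    return problems


def sample_policy(principal="arn:aws:iam::123456789012:root", actions=None):
    """Policy from the procedure above; 123456789012 is a constructed account ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegatingNecessaryListActionsMultiAcc",
            "Effect": "Allow",
            "Principal": {"AWS": [principal]},
            "Action": actions or sorted(EXPECTED_ACTIONS),
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    print(check_delegation_policy(sample_policy()) or "policy passes")
    # The extra-colon variant is reported as a malformed principal.
    print(check_delegation_policy(sample_policy("arn:aws:iam::123456789012::root")))
```

Run it on the JSON you intend to paste (load it with `json.load` and pass the dict to `check_delegation_policy`); the console's own validator reports syntax errors, but a principal that is syntactically valid yet points at the wrong account, or an action list widened to `organizations:*`, only shows up in a check like this.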

Setting up the Management Account

Set up the management account for the assume role action. Depending on the method you want to use to authenticate the connection between NIOS and AWS, follow the steps in the appropriate section.

If Using IAM Credentials for Authentication

When you use IAM credentials to authenticate the connection between NIOS and AWS, complete the following steps to set up the management account:

  1. In the AWS Management Console home page, search for and click IAM.

  2. Create a policy:

    1. In the left navigation panel, expand Access management and click Policies.

    2. Click the Create policy button.

    3. Under Select a service, choose STS as the service.

    4. Under Actions allowed > Manual actions tab, expand Write and select AssumeRole as the action to ensure that you have write access to the role.

    5. Under Resources > role > click Add ARN and complete the following in the Specify ARNs dialog box:

      1. Select Any account to make all child accounts under this management account discoverable.

      2. In the ARN field, specify a role name.
        You must use the same role name in the member accounts for the delegation to work.

      3. Click Add ARNs.

    6. On the Review and create page, specify a Policy name. Add and review the policy.

    7. Click Create policy.

  3. Create an IAM user:
    On the Identity and Access Management page, create a user and attach the policy that you created in the previous step to the user (this IAM user is used for the data synchronization of Route 53 or vDiscovery).

    1. In the left navigation panel, expand Access management and click Users.

    2. Click the Add users button.

    3. On the Specify User details page, specify a name in the User name field and click Next.

    4. On the Set permissions page:

      1. Select Attach policies directly.

      2. Search for the policy that you created in the previous step and select it.

      3. Click Next.

    5. Click Create user.

  4. Create a role:

    1. In the left navigation panel, expand Access management and click Roles.

    2. Click the Create role button.

    3. On the Select trusted entity page:

      1. Select the entity type as AWS account.

      2. Select This account for the account to trust itself.

      3. Click Next.

    4. On the Add Permissions page:

      1. Select the policy that you created in a prior step.

      2. Additionally, add the following permissions:

        • AWSOrganizationsReadOnlyAccess: Provides read-only access to the information about AWS organizations.

        • For the synchronization of Route 53 data only:

          • AmazonRoute53ReadOnlyAccess: Provides read-only access to read the Route 53 data.

        • For the synchronization of vDiscovery data only:

          • iam:GetUser

          • ec2:DescribeVpcs

          • ec2:DescribeSubnets

          • ec2:DescribeRouteTables

          • ec2:DescribeAddresses

          • ec2:DescribeNetworkInterfaces

          • ec2:DescribeInstances

      3. Click Next.

    5. (Optional) Specify a meaningful tag.

    6. In the Role name field, specify the role name that you entered in the ARN field when creating the policy in Step 2.

    7. Click Create Role.

If Using Instance Profiles for Authentication

When you use an instance profile to authenticate the connection between NIOS and AWS, complete the following steps to set up the management account:

...

  1. In the AWS Management Console home page, search for and click IAM.

  2. Create a policy:
    Follow steps described in the If Using IAM Credentials for Authentication section to create a policy.

  3. Add a role to the instance profile.

    1. In the left navigation panel, expand Access management and click Roles.

    2. Click the Create role button.

    3. On the Select trusted entity page:

      1. Select the entity type as AWS service.

      2. Select EC2 for the vNIOS instance to call the AWS service.

      3. Click Next.

    4. On the Add Permissions page:

      1. Select the policy that you created in a prior step to attach it to the role.

      2. Additionally, add the following permissions:

        • AWSOrganizationsReadOnlyAccess: Provides read-only access to the information about AWS organizations.

        • For the synchronization of Route 53 data only:

          • AmazonRoute53ReadOnlyAccess: Provides access to read the Route 53 data.

        • For the synchronization of vDiscovery data only:

          • iam:GetUser

          • ec2:DescribeVpcs

          • ec2:DescribeSubnets

          • ec2:DescribeRouteTables

          • ec2:DescribeAddresses

          • ec2:DescribeNetworkInterfaces

          • ec2:DescribeInstances

      3. Click Next.

    5. Specify a role name for the EC2 service.

    6. (Optional) Specify a meaningful tag.

    7. Click Create Role.

  4. Attach the instance profile role created in the previous step to the EC2 instance:

    1. In the AWS Management Console home page, search for and click EC2.

    2. Select your instance.

    3. In the Actions drop-down list, select Security > Modify IAM role.

    4. In the IAM role drop-down list, select the role that you created.

    5. Click the Update IAM role button.

Setting up Member Accounts

When setting up a member account, you only have to create a role with the policy created for the management account and add the required permissions.

Complete the following steps for each member account:

  1. In the left navigation panel of the Identity and Access Management Dashboard, expand Access management and click Roles.

  2. Click the Create role button.

  3. On the Select trusted entity page:

    1. If using IAM credentials for authentication:

      1. Select the entity type as AWS account.

      2. Select Another AWS account and enter the account ID of the management (trusted) account.

      3. Click Next.

    2. If using an instance profile for authentication:

      1. Select the entity type as AWS service.

      2. Select EC2 for the EC2 instance to call the AWS service.

      3. Click Next.

  4. On the Add Permissions page, attach the discovery policy that grants the required permissions:

    • For the Route 53 synchronization: AmazonRoute53ReadOnlyAccess.

    • For the vDiscovery synchronization:

      • iam:GetUser

      • ec2:DescribeVpcs

      • ec2:DescribeSubnets

      • ec2:DescribeRouteTables

      • ec2:DescribeAddresses

      • ec2:DescribeNetworkInterfaces

      • ec2:DescribeInstances

  5. On the Name, review and create page, specify the same role name (the ARN value) that you specified for the management account.

  6. (Optional) Specify a meaningful tag.

  7. Click Create Role.

Verifying the Access Permissions for Running a Multi-Account Sync

To verify the access permissions for running the multi-account synchronization, complete the following steps and run the CLI commands:

  1. Set up the AWS CLI:

    1. If using IAM: Set up the CLI with the credentials of the management (or parent) account.

    2. If using an instance profile: Connect to your EC2 instance using SSH.

  2. Set up the AssumeRole to the management account:
    aws sts assume-role --role-arn arn:aws:iam::<parent account ID>:role/<Role to be assumed> --role-session-name <some name to the session>
    For example:
    aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Orga-assume-role --role-session-name Parent-Session
    Note: In case of instance profiles, this step is to ensure that the management account is in the context of the multi-account synchronization. The temporary credentials will not be used for any other activity.

  3. Export the temporary credentials obtained by AssumeRole (not required in the instance profile case).
    For example:
    export AWS_ACCESS_KEY_ID="ASIAYFL6XHIKWPD7TNST"
    export AWS_SECRET_ACCESS_KEY="XpGLmCXHb3ly/t5NiXz7bAILvpsW008gRWKzDOTG"
    export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEDwaCXVzLWVhc3QtMSJGMEQCIE9X5V2wZucoXmNpV+838InNhQ0CxqtwHNP1jj7U6Wb/AiBCBPo21ryUbEt1JchShctyIB/lAbn8P1COuQ/gf/dogSqYAghlEAEaDDU2MTI5NTg2NjM4OSIMfLNKQwxTlRiADzV/KvUB7CRFn0Vy3UQDnBdYrPGtHHScukCN17IqbEBhsiKmxYG5Y7Uu9kxDdIG0jarLpq/e+PxigTziDXBZk9n9SOMRHiFEK28x/LQSVF9RS3Uy+uJa3bpY34HeF7WidoI1HCaGSaOJNVlnCQhtBwfqNnReAROlQN9j8YSY4PGy1Uic5rgGlny//4n95LJRYMPRzeaCCkizedMk4PDb5ub4q55LNOEjQKePFS8epsfKSgyNt9iMYpUki7qU2WgnhBwsY0LVWEWJibNpd6ay91voBIwRDrPc/D043/B1gKPtCT2P11SGILYEcK3e4T3CAqpEpL6UCRTS7lgwvvqZowY6ngF3FIzDcN30cpfRPAtJnsYO77Rh6zv+TvmSncaThclSS/POH/u14DnAzvtu4rfFLvUX3+toSFHdCT1M+xPDYvEhdJFvgTNEcgu3UsDog+HhvJ5DTgzwstlWYtY2rbW8kyyd3B4hLoh83eLwA8ym13XKsWfMdGmw0SsErhUqL037tOmEavg5XNima84Q3GddayR1u5vavDRT7j2wJTLUhA=="

  4. Check the organization permissions by executing organization APIs:
    aws organizations list-children --child-type <child type> --parent-id <parent id>
    For example:
    aws organizations list-children --child-type ORGANIZATIONAL_UNIT --parent-id ou-ur91-abcdefhi

    To retrieve the --parent-id value:

    1. Log in to the management account with organizational admin permission.

    2. Go to AWS Organizations services and click Policy Management.

    3. Look for the organizational unit of your account.

  5. To ensure that the permissions required for the synchronization of data exist on the management account, run the following APIs:

    • For Route 53:
      aws route53 list-hosted-zones

    • For vDiscovery:
      aws ec2 describe-instances --region us-west-1

  6. Set up the AssumeRole for each child account.
    aws sts assume-role --role-arn arn:aws:iam::<child account ID>:role/<Role to be assumed> --role-session-name <some name to the session>
    For example:
    aws sts assume-role --role-arn arn:aws:iam::112233445566:role/Orga-assume-role --role-session-name Child-Session

  7. Set up the temp credentials for child accounts as done in step 3.

  8. Execute a Route53 API as done in step 5.
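The verification steps 2 to 8 above, carried through as one script, as an added example that is not part of the Infoblox documentation or of NIOS. It assumes the role in the management account, runs the organization and Route 53 (or EC2) read calls, then repeats the role assumption for every child account and reports which accounts pass. The AWS clients are injected, so the same logic runs against boto3 clients (`boto3.client("sts")` and a `make_client` that builds clients from the temporary credentials) or, as here, against small fake clients built inline so the script runs offline. The role name `Orga-assume-role`, the account IDs 123456789012 and 112233445566 and the OU id are taken from the examples above; the account 998877665544, the session token format and the hosted-zone counts are constructed.

```python
"""Offline walk-through of the multi-account access verification.

Added example, not Infoblox or AWS code. Real use: pass boto3.client("sts")
as `sts` and a make_client(service, env) that returns
boto3.client(service, aws_access_key_id=env["AWS_ACCESS_KEY_ID"], ...).
"""

ROLE_NAME = "Orga-assume-role"  # from the procedure; must be identical in every account


def role_arn(account_id, role_name=ROLE_NAME):
    """ARN of the role to assume in one account (steps 2 and 6)."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"invalid AWS account ID: {account_id}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def credentials_env(assume_role_response):
    """Map an AssumeRole response to the variables exported in step 3."""
    creds = assume_role_response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def verify_account(sts, make_client, account_id, session_name, data="route53"):
    """Assume the role in one account, then run the read API the sync needs.

    Returns (ok, detail, env); env holds the temporary credentials or None.
    """
    try:
        resp = sts.assume_role(RoleArn=role_arn(account_id), RoleSessionName=session_name)
    except Exception as exc:  # AccessDenied: trust policy or role name mismatch
        return False, f"assume-role failed: {exc}", None
    env = credentials_env(resp)
    try:
        if data == "route53":
            n = len(make_client("route53", env).list_hosted_zones()["HostedZones"])
            return True, f"{n} hosted zone(s)", env
        n = len(make_client("ec2", env).describe_instances()["Reservations"])
        return True, f"{n} reservation(s)", env
    except Exception as exc:  # missing AmazonRoute53ReadOnlyAccess / ec2:Describe*
        return False, f"read API failed: {exc}", env


def verify_organization(sts, make_client, parent_account, parent_ou, data="route53"):
    """Steps 2-8: management account first, then every child account under parent_ou."""
    ok, detail, env = verify_account(sts, make_client, parent_account, "Parent-Session", data)
    report = {parent_account: (ok, detail)}
    if not ok:
        return report
    # Step 4: the organization read actions granted by the delegation policy.
    children = make_client("organizations", env).list_children(
        ParentId=parent_ou, ChildType="ACCOUNT")["Children"]
    for child in children:
        ok, detail, _ = verify_account(sts, make_client, child["Id"], "Child-Session", data)
        report[child["Id"]] = (ok, detail)
    return report


# ---- constructed fakes so the check runs offline ---------------------------
PARENT = "123456789012"                      # management account (from the page)
CHILDREN = ["112233445566", "998877665544"]  # member accounts (second one constructed)
TRUSTING = {PARENT, "112233445566"}          # 998877665544 has no role created yet
ZONES = {PARENT: [{"Id": "Z1"}, {"Id": "Z2"}], "112233445566": [{"Id": "Z3"}]}


class FakeSTS:
    """Only accounts whose role trusts the management account can be assumed."""
    def assume_role(self, RoleArn, RoleSessionName):
        account = RoleArn.split(":")[4]
        if account not in TRUSTING:
            raise PermissionError(f"AccessDenied assuming {RoleArn}")
        return {"Credentials": {"AccessKeyId": "ASIA" + account,
                                "SecretAccessKey": "constructed",
                                "SessionToken": "tok-" + account}}


class FakeService:
    def __init__(self, items):
        self.items = items
    def list_hosted_zones(self):
        return {"HostedZones": self.items}
    def describe_instances(self):
        return {"Reservations": self.items}
    def list_children(self, ParentId, ChildType):
        return {"Children": [{"Id": c, "Type": ChildType} for c in CHILDREN]}


def fake_make_client(service, env):
    """Pick the fake data by the account encoded in the constructed session token."""
    account = env["AWS_SESSION_TOKEN"][len("tok-"):]
    return FakeService(ZONES.get(account, []))


def run_fake_demo():
    return verify_organization(FakeSTS(), fake_make_client, PARENT, "ou-ur91-abcdefhi")


if __name__ == "__main__":
    for account, (ok, detail) in run_fake_demo().items():
        print(f"{account}: {'OK  ' if ok else 'FAIL'} {detail}")
```

A child account that fails at the assume-role step points at the trust relationship or a role name that differs from the management account's; one that assumes the role but fails the read call points at the missing AmazonRoute53ReadOnlyAccess or ec2:Describe* permissions on that account's role. Pass `data="ec2"` to exercise the vDiscovery path instead of Route 53.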

...