Versions Compared

Old Version 2

changes.mady.by.user Sri Raghu

Saved on

compared with

New Version Current

changes.mady.by.user Sri Raghu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To create a delegation policy in the management account, complete do the following steps:

  1. Log in to the AWS Management Console.
    You must be logged in as an IAM user, assume an IAM role, or logged in as the root user in the organization’s management account with appropriate permissions that are stated above. For more information, see Safeguard your root user credentials.

  2. Go to the  AWS Organizations Service Console.

  3. Go to Settings.

  4. In the Delegated Administrator for AWS Organizations section, do one of the following:

    • To create the organization's delegation policy, choose Delegate.

    • To update an existing delegation policy, choose Edit.

  5. Type a JSON policy in the JSON editor or copy the below example policy and customize it for your account. Following is an example of a Delegated administrator for AWS Organizations policy:
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Sid": "DelegatingNecessaryListActionsMultiAcc",
    "Effect": "Allow",
    "Principal": {
    "AWS": [
    "arn:aws:iam::<Parent_account_ID>:root",
    "arn:aws:iam::<Parent_account_ID>::root"
    ]
    },
    "Action": [
    "organizations:ListParents",
    "organizations:DescribeOrganizationalUnit",
    "organizations:DescribeAccount",
    "organizations:ListChildren"
    "organizations:ListAccountsForParent",
     "organizations:ListOrganizationalUnitsForParent"
    ],
    "Resource": "*"
    }
    ]
    }

  6. Resolve any security warnings, errors, or general warnings generated during policy validation.

  7. Choose Create policy to save your work.
    This provides the delegated administrator access to the management account.

Configuring Role in AWS

Complete the following steps to configure a role in AWS:

  1. Complete the following steps to create an IAM case:

    1. Create a policy with the following settings: 

      1. Choose service: Choose STS.

      2. Actions: Choose AssumeRole (Write Access).

      3. Resources: Configure the following: 

        1. Add ARN:

          1. Choose any account.

          2. Specify the Role Name. 

      4. Add and Review Policy. 

      5. Specify a Name. 

      6. Create Policy

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "VisualEditor0",

            "Effect": "Allow",

            "Action": [

                "sts:AssumeRole"

            ],

            "Resource": [

                "arn:aws:iam::*:role/demorole"

            ]

        }

    ]

}

  1. Create a user and attach the policy to the user. 

  2. Create a Role (AssumeRole).

    1. Select AWS Account: This account

    2. Permissions

      1. Attach the policy as specified in the section Permissions required in AWS R53.

      2. Attach AWSOrganizationsReadOnlyAccess to discover accounts.

      3. Attach policy created in the following section.

    3. Tags: This is optional. Provide some meaningful tags.

    4. Provide the Role Name.

    5. Create Role.

In Trusting/Child account.

IAM Create Role  (AssumeRole)

In Select type of trusted entity, configure the following:

...

Provide the Account ID of the Trusted/Management account.

...

Permissions: Configure the following permissions:

  1. Attach Policy: Attach the policy that has permissions required for R53 sync (R53ReadWrite access).

...

Tags (Optional, provide some meaningful tag).

...

Provide Role Name: Specify the same name as provided in step 3.d.

...

The following configuration options are available:

Child pages (Children Display)