This section explains the policy configuration for an AWS account which is not an AWS management account.
If you are configuring a third party DNS provider from an AWS account which is not an AWS management account, a specific policy needs to be configured. To create or update the resource-based delegation policies, you need permissions to run the following actions:
organizations:PutResourcePolicy
organizations:DescribeResourcePolicy
Additionally, you must grant roles and users in the delegated administrator account with the corresponding IAM permissions for the required actions.
To create a delegation policy in the management account, complete the following steps:
Log in to the AWS Management Console.
You must be logged in as an IAM user, assume an IAM role, or logged in as the root user in the organization’s management account with appropriate permissions that are stated above. For more information, see Safeguard your root user credentials.Go to the AWS Organizations Service Console.
Go to Settings.
In the Delegated Administrator for AWS Organizations section, do one of the following:
To create the organization's delegation policy, choose Delegate.
To update an existing delegation policy, choose Edit.
Type a JSON policy in the JSON editor or copy the below example policy and customize it for your account. Following is an example of a Delegated administrator for AWS Organizations policy:
{"Version": "2012-10-17","Statement": [{"Sid": "DelegatingNecessaryListActionsMultiAcc","Effect": "Allow","Principal": {"AWS": ["arn:aws:iam::<Parent_account_ID>:root","arn:aws:iam::<Parent_account_ID>::root"]},"Action": ["organizations:ListParents","organizations:DescribeOrganizationalUnit","organizations:DescribeAccount","organizations:ListChildren"],"Resource": "*"}]}Resolve any security warnings, errors, or general warnings generated during policy validation.
Choose Create policy to save your work.
This provides the delegated administrator access to the management account.
Configuring Role in AWS
To include AWS sub-account in the Route53 sync, AWS Role ARN is a mandatory parameter. The credentials and the role ARN requires AssumeRole permissions.
Complete the following steps to configure a role in AWS:
Complete the following steps to create an IAM case:
Create a policy with the following settings:
Choose service: Choose STS.
Actions: Choose AssumeRole (Write Access).
Resources: Configure the following:
Add ARN:
Choose any account.
Specify the Role Name.
Add and Review Policy.
Specify a Name.
Create Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/demorole"
]
}
]
}
Create a user and attach the policy to the user.
Create a Role (AssumeRole).
Select AWS Account: This account
Permissions
Attach the policy as specified in the section Permissions required in AWS R53.
Attach AWSOrganizationsReadOnlyAccess to discover accounts.
Attach policy created in the following section.
Tags: This is optional. Provide some meaningful tags.
Role Name: Specify a name for the role.
Click Create Role.
The following steps are required for creating a role with the proper permissions. Complete the followin steps for the Trusting/Child account:
IAM Create Role (AssumeRole)
In Select type of trusted entity, configure the following:
Select AWS Account: Select Another AWS account.
Provide the Account ID of the Trusted/Management account.
Permissions: Configure the following permissions:
Attach Policy: Attach the policy that has permissions required for R53 sync (R53ReadWrite access).
Tags: This is optional. Provide some meaningful tags.
Role Name: Specify the same name as provided in step 3.d.
Click Create Role.