This guide walks you through creating a Cross-Account Role in your AWS account that gives (mt) Media Temple the ability to perform a Security Audit on your account and look for potential security risks.
The role you are about to create gives (mt) Media Temple read-only access to scan for issues. It does not give us the ability to make any changes to your account, and you can revoke the privilege at any time. To complete this guide, you must log into your AWS account as a user that has permission to add other users.
You should have received 2 pieces of information from us that you'll need during this process. The name of each piece is shown below with a sample of what the data should look like:
- Account ID (ex: 1234567876543)
- External ID (ex: CC-09388939ABC7312FE830D9310489)
If you did not yet receive these pieces of information, please stop and contact (mt) Media Temple support.
Let's get started!
Log into your AWS account, and select "IAM" from the menu of services.
Select "Policies" from the Dashboard view menu in the IAM section, then click the "Create Policy" button up top.
Select "Create Your Own Policy" from the next screen.
- Enter MtSecurityScanPolicy as the name and an associated description, if desired. For the policy document, click the link below to download the document.
- Click here for Policy Document.
- Open the file with a text editor (such as Notepad) and copy the contents, then paste them into the box labeled "Policy Document."
- Save the new policy by clicking the "Create Policy" button at the bottom of the page.
You should then see a green success message on the next screen.
On to the next task! Select "Roles" from the Dashboard view menu in the IAM section.
Click the "Create Role" button, then enter MtSecurityScan as the Role Name on the next screen. Click "Next Step" at the bottom to continue.
Select the Role type "Role For Cross-Account Access", then click the select button for the second option, "Allows IAM users from a 3rd party AWS account to access this account".
- Enter the 2 pieces of information provided to you by (mt) Media Temple into the boxes on the next screen:
  - Account ID
  - External ID
- Leave "Require MFA" unchecked.
- Click the button labeled "Next Step" at the bottom to continue.
Type "MtSecurityScan" into the search box and attach the policy by clicking the checkbox next to it in the filtered results. Then click the "Next Step" button to continue.
Review that everything looks correct on the next screen, and click the "Create Role" button. Please note all identifiable areas on this next image have been intentionally covered up for security!
This is the final step. Click the new policy row on the next page; this will show you the policy details. On the details page, copy the "Role ARN" and save this value. This is the value that you will need to send back to (mt) Media Temple for us to complete the scan.
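Before sending back the Role ARN, it is worth confirming that the role's trust relationship came out the way the wizard above intends: only the (mt) Media Temple account may assume it, and only when it presents the agreed External ID. The audit function below is an added example, not part of this guide or of (mt) Media Temple's tooling; the Account ID, External ID and trust policy document in it are constructed placeholders in the shape the IAM console generates for a third-party cross-account role.

```python
import json

# Constructed placeholders: substitute the real Account ID and External ID
# that (mt) Media Temple sent you. These are not real identifiers.
MT_ACCOUNT_ID = "123456789012"
MT_EXTERNAL_ID = "CC-EXAMPLE-EXTERNAL-ID"

# Constructed trust policy matching what the console wizard produces for
# "Allows IAM users from a 3rd party AWS account", External ID set, no MFA.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{MT_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": MT_EXTERNAL_ID}},
    }],
}


def audit_trust_policy(policy, account_id, external_id):
    """Return a list of problems with a role trust policy (empty = OK).

    Every Allow statement must grant only sts:AssumeRole, only to the root
    of the expected account, and only under a matching sts:ExternalId
    condition. Anything looser (wildcard principal, extra actions, missing
    or different External ID) is reported so it can be fixed in the console.
    """
    problems = []
    expected_principal = f"arn:aws:iam::{account_id}:root"
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if actions != ["sts:AssumeRole"]:
            problems.append(f"unexpected action(s): {actions}")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if aws != [expected_principal]:
            problems.append(f"principal not limited to account {account_id}: {aws}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or does not match")
    return problems


if __name__ == "__main__":
    print(json.dumps(audit_trust_policy(SAMPLE_TRUST_POLICY, MT_ACCOUNT_ID, MT_EXTERNAL_ID)))
```

To check the real role instead of the sample, feed it the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name MtSecurityScan`.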
Congratulations on a job well done!