CloudFix cannot Create IAM Users and Groups

Overview

CloudFix cannot create IAM users and groups in the resource account, so CloudFix cannot be installed correctly in your environment.

Solution

This occurs when one AWS account holds all the resources and a separate AWS account is where users, roles, etc. are provisioned.
To fix this, set up an IAM role that a trusted entity (e.g. a federated user) assumes in order to approve Change Templates for CloudFix fixers. The steps are as follows.

  1. Create the Approver Policy - Create an IAM policy with the permissions required for template approval. The policy is shown below; note that it grants only the minimum permissions required for template approval.

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": [
             "ssm:SendAutomationSignal",
             "sns:Unsubscribe",
             "sns:Subscribe",
             "sns:ConfirmSubscription",
             "ssm:GetOpsItem",
             "ssm:GetDocument",
             "ssm:ListDocuments"
           ],
           "Effect": "Allow",
           "Resource": "*"
         }
       ]
     }
  2. Create the IAM role
    • Select the type of trusted entity for the role, e.g. SAML or web federation, and enter the details specific to the one you have selected.
      1. Select "Allow programmatic and AWS Management Console access", since template approvals will be performed through the Console.
      2. The federated user who will approve the template needs permission to assume this role.
    • Select the policy created in the previous step to add permissions to the role.
    • Provide a role name and complete role creation.
  3. Use an existing IAM role for approval (skip if you have created a new role) - If you want to use an existing role that you assume (e.g. using a federated identity) to approve change templates, attach the Approver policy created earlier to that role and proceed to the next step.
  4. Add the IAM Role as the template approver
      • In the AWS Console, navigate to Systems Manager > Change Manager > Settings.
      • Click Edit at the top right.
      • Click Add under the Template reviewers heading.
      • Under the Roles tab, select the role you want to use and click Add approvers.
      • The selected role is added to the list of Template reviewers.
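The following Python script is an added example, not CloudFix's own code. It builds the Approver policy from the article's action list, builds the SAML trust policy that a federated approver role (step 2) needs, and checks that a candidate policy does not exceed the article's minimum permission set before it is attached to an existing role (step 3). The account ID, SAML provider name and the sample values are placeholders.

```python
"""Build and sanity-check the IAM documents for a CloudFix template-approver role.

Added example; not CloudFix's own code. Account ID and SAML provider name are
placeholders you must replace with your own values.
"""
import json

# Permissions the article lists as the minimum needed for template approval.
APPROVER_ACTIONS = [
    "ssm:SendAutomationSignal",
    "sns:Unsubscribe",
    "sns:Subscribe",
    "sns:ConfirmSubscription",
    "ssm:GetOpsItem",
    "ssm:GetDocument",
    "ssm:ListDocuments",
]


def approver_policy() -> dict:
    """The Approver policy exactly as the article gives it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Action": list(APPROVER_ACTIONS), "Effect": "Allow", "Resource": "*"}],
    }


def saml_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy letting identities federated through a SAML provider assume the role.
    The SAML:aud condition pins the assertion audience to the AWS sign-in endpoint,
    which is what console federation presents."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def excess_actions(policy: dict) -> list:
    """Return every Allow action outside the article's minimum set (wildcards count as
    excess), so a policy can be reviewed before it is attached to an approver role."""
    allowed = set(APPROVER_ACTIONS)
    excess = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        excess.extend(a for a in actions if a not in allowed or "*" in a)
    return excess


if __name__ == "__main__":
    print(json.dumps(approver_policy(), indent=2))
    print(json.dumps(saml_trust_policy("123456789012", "ExampleIdP"), indent=2))  # placeholders
    print("excess actions:", excess_actions(approver_policy()))
```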
