Overview
CloudFix cannot create IAM users and groups in the resource account, so CloudFix cannot be installed correctly in your environment.
Solution
This occurs when all the resources live in one AWS account and users, roles and other identities can only be provisioned in a different AWS account.
The fix is to set up an IAM role that a trusted entity (e.g. a federated user) assumes in order to approve Change Templates for CloudFix fixers.
- Create the Approver Policy - Create an IAM policy with the permissions required for template approval. The policy is shown below; it grants only the minimum permissions required for template approval, but it grants them on all resources (Resource "*"), so narrow the Resource element if your environment requires it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:SendAutomationSignal",
        "sns:Unsubscribe",
        "sns:Subscribe",
        "sns:ConfirmSubscription",
        "ssm:GetOpsItem",
        "ssm:GetDocument",
        "ssm:ListDocuments"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
- Create the IAM role
  - Select the type of trusted entity for the role, e.g. SAML 2.0 federation or Web identity federation, and enter the details specific to the type you selected.
  - Select "Allow programmatic and AWS Management Console access", since template approvals will be performed through the Console.
  - The federated user who will approve the template needs permission to assume this role.
  - Select the policy created in the previous step to add permissions to the role.
  - Provide a role name and complete role creation.
- Use an existing IAM role for approval (skip this if you created a new role above) - If you want to use an existing role that you already assume (e.g. through a federated identity) to approve change templates, attach the Approver policy created earlier to that role and proceed to the next step.
- Add the IAM role as the template approver
  - In the AWS Console, navigate to Systems Manager > Change Manager > Settings.
  - Click Edit at the top right.
  - Click Add under the Template reviewers heading.
  - Under the Roles tab, select the role you want to use and click Add approvers.
  - The selected role is added to the list of Template reviewers.
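The policy and role steps above, done with the AWS CLI instead of the Console. This is an added example, not CloudFix's own tooling or part of the original article: the SAML provider ARN, role name and policy name are hypothetical placeholders, and the trust policy is the one the role wizard produces when you pick SAML 2.0 federation with "Allow programmatic and AWS Management Console access" (the SAML:aud condition pins the role to console sign-in). Adding the role as a template reviewer is still done in the Change Manager console as described above.

```shell
#!/bin/sh
# Added example (not CloudFix's own code): create the approver policy and a
# SAML-federated IAM role with the AWS CLI, equivalent to the Console steps.
set -eu

# Hypothetical identifiers (assumptions, not from the article); replace with your own.
SAML_PROVIDER_ARN="${SAML_PROVIDER_ARN:-arn:aws:iam::111122223333:saml-provider/ExampleIdP}"
ROLE_NAME="${ROLE_NAME:-CloudFixTemplateApprover}"
POLICY_NAME="${POLICY_NAME:-CloudFixTemplateApproverPolicy}"

# The approver policy from the article, verbatim.
approver_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:SendAutomationSignal",
        "sns:Unsubscribe",
        "sns:Subscribe",
        "sns:ConfirmSubscription",
        "ssm:GetOpsItem",
        "ssm:GetDocument",
        "ssm:ListDocuments"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

# Trust policy equivalent to "SAML 2.0 federation" plus "Allow programmatic and
# AWS Management Console access": only assertions from the named IdP, addressed
# to the console sign-in audience, may assume the role. $1 is the provider ARN.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "$1" },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" }
      }
    }
  ]
}
EOF
}

# Guard before calling IAM: succeed only if no Action element is a bare "*".
# Newlines are stripped first so a pretty-printed array is checked as one unit.
policy_has_no_wildcard_action() {
  ! printf '%s' "$1" | tr -d '\n' | grep -Eq '"Action"[^]]*"\*"'
}

# Create the managed policy and the role, then attach the policy to the role.
create_approver_role() {
  policy_doc=$(approver_policy_json)
  policy_has_no_wildcard_action "$policy_doc"
  policy_arn=$(aws iam create-policy \
    --policy-name "$POLICY_NAME" \
    --policy-document "$policy_doc" \
    --query Policy.Arn --output text)
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json "$SAML_PROVIDER_ARN")" \
    --query Role.Arn --output text
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
}

# Run with --apply to create the resources; without it, only print the documents.
if [ "${1:-}" = "--apply" ]; then
  create_approver_role
else
  echo "# Approver policy:"; approver_policy_json
  echo "# Trust policy:";    trust_policy_json "$SAML_PROVIDER_ARN"
fi
```

Run it without arguments to review the two policy documents, then with --apply (and credentials for the account that holds the resources) to create them. The federated users who will approve templates still need their IdP mapping to include the new role's ARN.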