Overview

The Men & Mice Suite can be connected to multiple AWS accounts using a single set of credentials. This is done by configuring a cloud account so that it can assume roles on other accounts. The credentials added to the Men & Mice Suite when adding multiple AWS cloud accounts should belong to a user that is a member of a group. The group should be configured to allow its members to assume AWS roles on the other accounts, with access to cloud networks (via EC2) or DNS services (via Route53). Step-by-step instructions for configuring this setup can be found below.

Set up and configuration

The following steps should be taken when configuring an AWS account to assume roles on other accounts for the Men & Mice Suite.

Step 1. - Creating a group containing the user that should have access to the roles on the other accounts

Step 1.a

Find a pre-existing user that you want to use, or create a new user.

This can be done through the AWS Management Console or by using the AWS CLI command aws iam create-user.

Open the IAM service in the management console.

Select "Users" from the left-hand menu or under IAM resources.

Either select an existing user to use, or create a new user by clicking "Add user" and following the steps described in the wizard. If a new user is created, make sure to allow programmatic access so that an access key ID and secret access key pair can be used to add the account to the Men & Mice Suite. The user must also have the IAMReadOnlyAccess policy attached. If you want to manage Route53 and VPCs on the account where the user is located, the AmazonRoute53FullAccess and AmazonEC2FullAccess policies should also be attached.

Step 1.b

Create a group

This can be done through the AWS Management Console or by using the AWS CLI command aws iam create-group.

Make sure this is done under the account where the user is located.

Under the IAM service, select "Groups".

Select the "Create New Group" button.

Select a name for your group and click "Next Step".

You will be offered policies to attach to your group. Just press "Next Step".

A review window will be displayed. Press "Create Group" to finish creating the group.

Step 1.c

Add the user to the group created in the previous step

This can be done through the AWS Management Console or by using the AWS CLI command aws iam add-user-to-group.

From the "Groups" menu under the IAM service, click on the newly created group.

Under the users tab, click "Add Users to Group".

Select the checkbox next to the user that should be added to the group. This should either be the user created earlier, or a pre-existing user you've decided to use. Then click on the "Add Users" button.

Step 2. - For each account that the user should have access to, create and configure a role on the account

The following steps should be performed for each account that the user should have access to.

A role now has to be created on each account that the user should have access to, and that role has to be assumable by the user.

This can be done through the AWS Management Console or by using the AWS CLI command aws iam create-role.

Log in to the account that the user should have access to using the AWS Management Console.

Open the IAM service in the management console.

Select "Roles" from the menu on the left or under IAM resources.

Press the "Create role" button. 

Select "Another AWS account" as the type of trusted entity. In the Account ID window, put the account ID of the account that contains the user that should be able to access this account. Then click "Next: Permissions".

Now attach the policies the Men & Mice Suite needs to the role. You can attach a policy by searching for it by name in the search window and then checking the checkbox next to its name. After all necessary policies have been attached, click on the "Next: Tags" button. The Men & Mice Suite needs the following AWS policies to be attached.

    • AmazonRoute53FullAccess to manage hosted DNS zones.
    • AmazonEC2FullAccess to manage Cloud Networks and ranges.
    • IAMReadOnlyAccess so that the Suite can access the account alias. This does not need to be attached if you do not want AWS account aliases to be displayed in the Men & Mice Suite.

      This can also be done using the AWS CLI command aws iam attach-role-policy.

Now you can add tags to the role. The Men & Mice Suite does not require any tags but they can be added optionally to help organize your account. After you finish adding tags, click on the "Next: Review" button.

Now select a name for the role that is being created and review the role before confirming the creation. After naming the role and ideally writing a short description, press the "Create role" button.

Step 3. - Add group policies to the group that contains the user for each of the roles created

The following steps should be performed for each account that the user should have access to.

On the account where the user that should have access to the roles is located, locate the group created in the first step of this tutorial. The group contains the user that should have access to the roles. For each account that the user should have access to, create an inline group policy allowing the user to assume the role that was created on that account.

This can be done through the AWS Management Console or by using the AWS CLI command aws iam put-group-policy.

Log in to the account where the group is located using the AWS Management Console.

Open the IAM service in the management console.

Under the IAM service, select "Groups".

Locate the group that was previously created and click on it to open up further options for the group.

Under the permissions tab, locate inline policies and create a new one.

Check the Custom Policy option and click on the "Select" button.

Type a name for your policy into the Policy Name field. Paste the following policy into the Policy Document field. Replace "123456789012" with the ID of the account where the role is located and replace "RoleName" with the name of the role that should be assumed on the account. Then click on the "Apply Policy" button.

Policy Document

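As an added example that is not the policy document from the original page, the following script carries out Step 2 and Step 3 with the AWS CLI commands named above. The account IDs, CLI profile names, group name and role name are placeholders you must replace; without the --apply argument the script only prints the two policy documents so they can be reviewed or pasted into the console.

```shell
#!/bin/sh
# Added example (not from the Men & Mice documentation): Steps 2 and 3 as
# AWS CLI calls. Account IDs, profiles, group and role names are placeholders.
set -eu

USER_ACCOUNT_ID="111111111111"    # account holding the user and group (placeholder)
TARGET_ACCOUNT_ID="123456789012"  # account that should be managed (placeholder)
USER_PROFILE="central"            # CLI profile with credentials for the user account
TARGET_PROFILE="target"           # CLI profile with credentials for the target account
GROUP_NAME="MenAndMiceGroup"      # assumed name of the group from Step 1.b
ROLE_NAME="RoleName"              # name of the role created in Step 2

# Trust policy for the role: only principals in the user account may assume it.
# This is the document the console generates for "Another AWS account".
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":"sts:AssumeRole"}]}' "$1"
}

# Inline group policy for Step 3: sts:AssumeRole on exactly one role ARN,
# never on "*", so the group can reach only the roles you explicitly list.
assume_role_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Resource":"arn:aws:iam::%s:role/%s"}]}' "$1" "$2"
}

# Managed policies the Suite needs on the role; IAMReadOnlyAccess is only
# required if account aliases should be displayed in the Suite.
managed_policies() {
  printf '%s\n' AmazonRoute53FullAccess AmazonEC2FullAccess IAMReadOnlyAccess
}

# Nothing is sent to AWS unless --apply is given.
if [ "${1:-}" = "--apply" ]; then
  # Step 2, run against the target account: create the role, attach policies.
  aws --profile "$TARGET_PROFILE" iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$USER_ACCOUNT_ID")"
  for p in $(managed_policies); do
    aws --profile "$TARGET_PROFILE" iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::aws:policy/$p"
  done
  # Step 3, run against the user account: one inline policy per target account.
  aws --profile "$USER_PROFILE" iam put-group-policy --group-name "$GROUP_NAME" \
    --policy-name "AssumeRole-$TARGET_ACCOUNT_ID" \
    --policy-document "$(assume_role_policy "$TARGET_ACCOUNT_ID" "$ROLE_NAME")"
else
  trust_policy "$USER_ACCOUNT_ID"; echo; assume_role_policy "$TARGET_ACCOUNT_ID" "$ROLE_NAME"; echo
fi
```

Repeat the --apply run once per managed account, changing TARGET_ACCOUNT_ID and TARGET_PROFILE each time, so that the group ends up with one inline policy per role.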

After configuring the accounts

After adding the policies to the group for all of the roles, the accounts can be added to the Men & Mice Suite using the API credentials of the user that is in the group. Further information on how to add AWS accounts to the Suite can be found here. You might need to wait a couple of minutes for the AWS backend to propagate the changes everywhere.