@ismailyenigul
Last active February 28, 2021 19:29
sample policies for aws multi-acount-with-assume-roles

This gist contains the sample policies I used in my article at https://ismailyenigul.medium.com/how-to-setup-multi-aws-accounts-assume-role-with-aws-cli-45ae869661ed. The first is the identity policy, attached in the security account, that grants admin access to the other accounts by allowing sts:AssumeRole on the admin role in each of them. Save it as admin-external-accounts.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::725335846599:role/allow-admin-from-security-account",
        "arn:aws:iam::989175535319:role/allow-admin-from-security-account",
        "arn:aws:iam::211047650761:role/allow-admin-from-security-account",
        "arn:aws:iam::320385056066:role/allow-admin-from-security-account"
      ]
    }
  ]
}

The read-only variant of the same policy, attached in the security account, allows sts:AssumeRole on the read-only role in each other account. Save it as ro-external-accounts.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::725335846599:role/allow-read-only-from-security-account",
        "arn:aws:iam::989175535319:role/allow-read-only-from-security-account",
        "arn:aws:iam::211047650761:role/allow-read-only-from-security-account",
        "arn:aws:iam::320385056066:role/allow-read-only-from-security-account"
      ]
    }
  ]
}

Trust policy for the allow-admin-from-security-account and allow-read-only-from-security-account roles in the dev/stage/prod/mgmt accounts. It lets principals in the security account (026445672617) assume those roles; attach it to both roles in each of the dev/stage/prod/mgmt accounts. Save it as trust-policy-from-security-account.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::026445672617:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
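The three documents above are two halves of one cross-account trust: the identity policies in the security account name the target roles, and the trust policy on each target role names the security account. A practical check is that the halves agree and that neither side is wider than intended. The following is an added example, not code from the gist or the article: it generates the same policy pair from the gist's account IDs and role names, and cross-checks an arbitrary policy pair for the mistakes that matter most (wildcard or unlisted role ARNs on the security side, a `*` or foreign principal on the trust side). The check functions and their findings are this example's own design, not an AWS API.

```python
"""Generate and cross-check the IAM policy pair used for cross-account
AssumeRole. Added example; the account IDs and role names are the gist's,
the check logic is an assumption about what a reviewer would verify."""
import json
import re

# Account IDs taken from the gist: the security account and the four member accounts.
SECURITY_ACCOUNT = "026445672617"
MEMBER_ACCOUNTS = ["725335846599", "989175535319", "211047650761", "320385056066"]

# Matches an IAM role ARN and captures the account ID and role name (with optional path).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([A-Za-z0-9+=,.@_/-]+)$")


def build_assume_role_policy(account_ids, role_name):
    """Identity policy for the security account: allow sts:AssumeRole on one
    named role in each listed member account (shape of admin-external-accounts.json)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}" for acct in account_ids],
        }],
    }


def build_trust_policy(security_account_id):
    """Trust policy for the member-account role: trust the security account's
    :root principal (shape of trust-policy-from-security-account.json)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def policy_json(policy):
    """Serialize a policy the way the gist's files are laid out."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    # IAM allows most fields to be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]


def check_assume_role_policy(policy, expected_accounts, expected_role):
    """Security-account side. Returns a list of findings; empty means the policy
    grants AssumeRole on exactly the expected role in exactly the expected accounts."""
    findings, seen = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            m = ROLE_ARN_RE.match(res)
            if not m:
                findings.append(f"wildcard or non-role resource: {res}")
                continue
            acct, role = m.groups()
            if acct not in expected_accounts:
                findings.append(f"unexpected account {acct} in {res}")
            if role != expected_role:
                findings.append(f"unexpected role {role} in {res}")
            seen.add(acct)
    for acct in expected_accounts:
        if acct not in seen:
            findings.append(f"account {acct} missing from policy")
    return findings


def check_trust_policy(policy, security_account_id):
    """Member-account side. Returns findings; empty means every Allow statement
    trusts only the security account's :root principal."""
    findings = []
    expected = f"arn:aws:iam::{security_account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append("trust policy allows any principal (*)")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unexpected principal form: {principal!r}")
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p != expected:
                findings.append(f"unexpected trusted principal {p}")
    return findings


if __name__ == "__main__":
    admin = build_assume_role_policy(MEMBER_ACCOUNTS, "allow-admin-from-security-account")
    trust = build_trust_policy(SECURITY_ACCOUNT)
    print(policy_json(admin))
    print("admin findings:", check_assume_role_policy(admin, MEMBER_ACCOUNTS,
                                                      "allow-admin-from-security-account"))
    print("trust findings:", check_trust_policy(trust, SECURITY_ACCOUNT))
```

Because the trust policy names the security account's `:root` principal, every IAM user or role in the security account is a candidate assumer; what actually limits assumption to the intended people is the identity policy on their side (the admin-external-accounts.json or ro-external-accounts.json attachments), so the two checks are only meaningful together.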