@klang
Last active February 4, 2021 08:56
The AWS E-learning course "Creating an IAM Role for AWS Partner-Led Support" describes how to make a specific support role, but doesn't provide the actual template.

This is an advanced way to roll out the role needed in a multi-account structure. If the Partner-Led customer uses AWS Control Tower, AWS Landing Zone or some other home-baked control mechanism under AWS Organizations, a StackSet is probably the way to go.

```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Cross account ReadOnly and Support access for Partner-Led Support
Parameters:
  PartnerAccount:
    Type: String
    Description: Account ID (the partner's account) that needs access to this role.
  PartnerRoleName:
    Type: String
    Default: PartnerRoleForReadOnlyAndSupport
    AllowedValues:
      - PartnerRoleForReadOnlyAndSupport
      - partner-support
    Description: 'name of the role to use for opening support cases'
Resources:
  CrossAccountAccessStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      Capabilities:
        - CAPABILITY_NAMED_IAM
      OperationPreferences:
        # The Count and Percentage forms of these two settings are mutually
        # exclusive in a StackSet operation; the counts are kept here.
        FailureToleranceCount: 5
        MaxConcurrentCount: 5
        RegionOrder:
          - eu-west-1
      PermissionModel: SERVICE_MANAGED
      StackSetName: PartnerRoleForReadOnlyAndSupport
      Parameters:
        - ParameterKey: AccountID
          ParameterValue: !Ref PartnerAccount
        - ParameterKey: RoleName
          ParameterValue: !Ref PartnerRoleName
      # Inner template, deployed into each member account by the StackSet.
      TemplateBody: |
        Parameters:
          AccountID:
            Type: String
          RoleName:
            Type: String
        Resources:
          CrossAccountAccess:
            Type: AWS::IAM::Role
            Properties:
              RoleName: !Ref RoleName
              AssumeRolePolicyDocument:
                Statement:
                  - Action: sts:AssumeRole
                    Effect: Allow
                    Principal:
                      AWS: !Sub 'arn:aws:iam::${AccountID}:root'
                    # Only MFA-authenticated sessions from the partner account may assume the role.
                    Condition:
                      Bool:
                        aws:MultiFactorAuthPresent: true
                    Sid: ''
                Version: '2012-10-17'
              Path: "/"
              ManagedPolicyArns:
                - arn:aws:iam::aws:policy/ReadOnlyAccess
                - arn:aws:iam::aws:policy/AWSSupportAccess
```
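The security-relevant part of the template is the trust policy on the inner role: it should name only the partner's account as principal and require MFA. The following Python audit is an added example, not part of the gist; the function `audit_trust_policy`, the allow-list argument, and the sample policies (including the placeholder account ID 123456789012) are all assumptions constructed for illustration. It checks a rendered `AssumeRolePolicyDocument` the way a reviewer would before approving the StackSet, and flags the common ways such a policy gets weakened (wildcard or non-account principal, account not on the allow-list, missing MFA condition).

```python
"""Audit an IAM role trust policy of the kind the StackSet above deploys.

Hypothetical helper (not from the gist): given the rendered
AssumeRolePolicyDocument as a dict, return the reasons it would fail review.
Every Allow statement granting sts:AssumeRole must name a specific AWS
account root principal from an allow-list and must require MFA through the
aws:MultiFactorAuthPresent condition key.
"""
import re

# Only "account root" principals of the form arn:aws:iam::<12 digits>:root pass.
ACCOUNT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def _as_list(value):
    """IAM allows scalar-or-list for Action, Principal.AWS and similar fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when the statement carries Bool aws:MultiFactorAuthPresent = true."""
    cond = statement.get("Condition", {}).get("Bool", {})
    flag = cond.get("aws:MultiFactorAuthPresent")
    # CloudFormation YAML may render the value as boolean true or the string "true".
    return str(flag).lower() == "true"


def audit_trust_policy(policy, allowed_accounts):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal")
        principals = []
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
        elif isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
            if not principals:
                findings.append(f"statement {i}: no AWS account principal")
        else:
            findings.append(f"statement {i}: unexpected principal {principal!r}")
        for p in principals:
            m = ACCOUNT_ARN.match(str(p))
            if not m:
                findings.append(f"statement {i}: principal {p!r} is not an account root ARN")
            elif m.group(1) not in allowed_accounts:
                findings.append(f"statement {i}: account {m.group(1)} is not allow-listed")
        if not _requires_mfa(stmt):
            findings.append(f"statement {i}: aws:MultiFactorAuthPresent not required")
    return findings


# Constructed sample: the gist's trust policy after !Sub with a placeholder account.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},  # placeholder account
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": True}},
    }],
}

# Constructed sample: the same role with the principal opened up and MFA dropped.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["sts:AssumeRole"],
    }],
}

if __name__ == "__main__":
    partner_accounts = {"123456789012"}  # constructed allow-list
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_trust_policy(policy, partner_accounts) or "OK")
```

Run the audit against the policy returned by `iam:GetRole` (the `AssumeRolePolicyDocument` field) in each member account after the StackSet has deployed; any finding means the deployed trust relationship drifted from the template.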