Cross Account Setup for AWS Partner FTR

AWS Cross-Account IAM Role Setup

This document describes the cross-account access patterns used for sharing resources between a customer and TeamForm. This may be required in scenarios such as sharing files via S3 for an integration.

1. Scenario A: Partner Account Accesses the Customer Account

Overview

The partner needs to access resources in the customer’s AWS account. The customer creates an IAM role in their account, trusts the partner’s AWS account, and grants the necessary permissions.

Example IAM Role in Customer Account

a. Permissions Policy (example: Route53 access)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ResourceRecordAccess",
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z8L2Y45GOT7LQT"
      ]
    }
  ]
}

b. Trust Relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<PARTNER_AWS_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  • Replace <PARTNER_AWS_ACCOUNT_ID> with the partner AWS account ID.


2. Scenario B: Customer Account Accesses Partner Account

Overview

The customer needs to access resources in the partner’s AWS account. The partner creates an IAM role in their account, trusts the customer’s AWS account, and grants the necessary permissions.

a. Permissions Policy (example: S3 access)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::partner-bucket-name/*"
      ]
    }
  ]
}

b. Trust Relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<CUSTOMER_AWS_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  • Replace <CUSTOMER_AWS_ACCOUNT_ID> with the customer’s AWS account ID.


3. Setup Instructions

A. AWS Console

  1. Go to IAM > Roles > Create Role

  2. Select "Another AWS account"

    • Enter the Account ID of the trusted account.

  3. Attach Permissions Policy

    • Use the example policies above or customize as needed.

  4. Name and Create the Role

B. CloudFormation Example

Resources:
  CrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CrossAccountAccessRole
      # Trust relationship: which account may call sts:AssumeRole on this role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::<TRUSTED_ACCOUNT_ID>:root
            Action: sts:AssumeRole
      # Permissions policy: what the assumed role is allowed to do
      Policies:
        - PolicyName: CrossAccountPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: arn:aws:s3:::partner-bucket-name/*

C. AWS CDK (TypeScript Example)

import * as iam from 'aws-cdk-lib/aws-iam';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class CrossAccountRoleStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    new iam.Role(this, 'CrossAccountRole', {
      // Trust relationship: the account allowed to assume this role
      assumedBy: new iam.AccountPrincipal('<TRUSTED_ACCOUNT_ID>'),
      roleName: 'CrossAccountAccessRole',
      // Permissions policy attached inline to the role
      inlinePolicies: {
        CrossAccountPolicy: new iam.PolicyDocument({
          statements: [
            new iam.PolicyStatement({
              actions: ['s3:GetObject', 's3:PutObject'],
              resources: ['arn:aws:s3:::partner-bucket-name/*'],
            }),
          ],
        }),
      },
    });
  }
}

4. Security Best Practices

  • Always follow the principle of least privilege when granting permissions[1].

  • Use external IDs for added security when third parties assume roles[2].

  • Regularly review and audit IAM roles and policies.
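The external-ID recommendation above, as an added check that is not part of this document or of TeamForm's own tooling: a small Python audit that flags cross-account sts:AssumeRole grants lacking an sts:ExternalId condition (the confused-deputy case an external ID prevents) and produces the hardened trust policy. The account ID and the external ID value are constructed placeholders.

```python
"""Audit an IAM trust policy for cross-account AssumeRole without an External ID."""
import json

# Trust policy from Scenario A above, with a constructed placeholder account id.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GrantAssumeRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}


def _is_cross_account_assume(stmt: dict) -> bool:
    """True for an Allow statement granting sts:AssumeRole to an AWS (account) principal."""
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    principal = stmt.get("Principal", {})
    return (stmt.get("Effect") == "Allow"
            and "sts:AssumeRole" in actions
            and isinstance(principal, dict) and "AWS" in principal)


def find_unconditioned_assume(policy: dict) -> list:
    """Return Sids (or Statement[i]) of cross-account AssumeRole grants that carry
    no sts:ExternalId condition; each one is exposed to the confused-deputy problem."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if not _is_cross_account_assume(stmt):
            continue
        conditions = stmt.get("Condition", {})
        if not any("sts:ExternalId" in v for v in conditions.values() if isinstance(v, dict)):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def harden_trust_policy(policy: dict, external_id: str) -> dict:
    """Copy the policy and require the given External ID on every cross-account
    AssumeRole grant; the caller must then pass it as ExternalId when calling AssumeRole."""
    hardened = json.loads(json.dumps(policy))  # deep copy, leaves the input untouched
    for stmt in hardened["Statement"]:
        if _is_cross_account_assume(stmt):
            string_equals = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            string_equals["sts:ExternalId"] = external_id
    return hardened
```

Run the audit against the trust policy JSON exported from IAM before and after applying the external ID; the hardened document is what goes into the Trust Relationship tab or the AssumeRolePolicyDocument above.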


References