CloudQuery IAM Permissions

Overview:

This solution helps users set up the AWS IAM roles and permissions that CloudQuery needs to fetch all supported resources from the accounts of an AWS Organization. It deploys a member role into each member account and an admin role into the administrator account for CloudQuery to assume.

It uses CloudFormation StackSets with service-managed permissions to deploy the IAM roles into every account in the specified account list or Organizational Unit automatically, without requiring additional deployment IAM roles.

Organization Management Account or Delegated Administrator Account

The template may need to change depending on where the StackSet is deployed from. With AWS Organizations, StackSets can be managed from either the Organization Management (Admin) Account or a Delegated Administrator Account. A delegated administrator account is a member account that can create and manage StackSets with service-managed permissions on behalf of the organization.

If you use a delegated administrator account, delegated administration must first be enabled for CloudFormation StackSets; follow AWS's guide here. When deploying from a delegated administrator account, set the CallAs property of the CloudFormation StackSet to DELEGATED_ADMIN:

```yaml
CloudQueryMemberRoles:
    Type: 'AWS::CloudFormation::StackSet'
    Properties:
      StackSetName: CloudQueryOrgRoles
      CallAs: DELEGATED_ADMIN
      Description: cloudquery org setup
      Capabilities:
        - CAPABILITY_NAMED_IAM
```

The current template.yml is meant for use from the organization management account; add the CallAs line to the template when deploying from a Delegated Administrator account.
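To verify before deployment that the template carries the CallAs property, or to add it, here is a small Python helper written for this README as an added example; it is not part of the CloudQuery project. It edits the template text line by line, so it needs no YAML library, and locates the resource by its `AWS::CloudFormation::StackSet` type. The sample template excerpt is constructed: apart from the StackSet type, StackSetName, Description and Capabilities shown above, its names are assumptions.

```python
"""Check for, or add, `CallAs: DELEGATED_ADMIN` on the StackSet resource of a
CloudFormation template. Added example for this README, not CloudQuery code.
It edits the template text line by line so it needs no YAML library; the
indentation-based scan assumes the usual 2-space CloudFormation layout."""

import re
import sys

# Constructed template excerpt standing in for template.yml. Apart from the
# StackSet type, StackSetName, Description and Capabilities shown in the
# README, the names here are assumptions for the example.
SAMPLE_TEMPLATE = """\
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudQueryMemberRoles:
    Type: 'AWS::CloudFormation::StackSet'
    Properties:
      StackSetName: CloudQueryOrgRoles
      Description: cloudquery org setup
      Capabilities:
        - CAPABILITY_NAMED_IAM
"""

STACKSET_TYPE = re.compile(
    r"^\s*Type:\s*['\"]?AWS::CloudFormation::StackSet['\"]?\s*$")
CALL_AS_LINE = re.compile(r"^\s*CallAs:\s*(\S+)\s*$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def find_stackset_properties(lines):
    """Return (index, indent) of the 'Properties:' line of the first
    AWS::CloudFormation::StackSet resource, or None if there is none."""
    for i, line in enumerate(lines):
        if not STACKSET_TYPE.match(line):
            continue
        level = _indent(line)
        for j in range(i + 1, len(lines)):
            if not lines[j].strip():
                continue
            if _indent(lines[j]) < level:
                break  # left this resource without seeing Properties
            if _indent(lines[j]) == level and lines[j].strip() == "Properties:":
                return j, level
    return None


def _property_lines(lines, props_idx, props_indent):
    """Yield indices of the lines that belong to the Properties block."""
    for j in range(props_idx + 1, len(lines)):
        if not lines[j].strip():
            continue
        if _indent(lines[j]) <= props_indent:
            return
        yield j


def call_as_value(template_text):
    """Return the StackSet's CallAs value (e.g. DELEGATED_ADMIN), or None
    when the property is absent, which CloudFormation treats as SELF."""
    lines = template_text.splitlines()
    found = find_stackset_properties(lines)
    if found is None:
        return None
    for j in _property_lines(lines, *found):
        m = CALL_AS_LINE.match(lines[j])
        if m:
            return m.group(1)
    return None


def ensure_call_as(template_text, value="DELEGATED_ADMIN"):
    """Return the template with CallAs set to `value` on the StackSet
    resource, adding the line if it is missing. Idempotent."""
    lines = template_text.splitlines()
    found = find_stackset_properties(lines)
    if found is None:
        raise ValueError("no AWS::CloudFormation::StackSet resource in template")
    props_idx, props_indent = found
    children = list(_property_lines(lines, props_idx, props_indent))
    # Match the indentation of the existing properties (default: 2 deeper).
    child_indent = _indent(lines[children[0]]) if children else props_indent + 2
    new_line = " " * child_indent + f"CallAs: {value}"
    for j in children:
        if CALL_AS_LINE.match(lines[j]):
            lines[j] = new_line
            break
    else:
        lines.insert(props_idx + 1, new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python ensure_call_as.py template.yml > template.delegated.yml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    print(ensure_call_as(text), end="")
```

Run `call_as_value` on the template you are about to deploy: `None` means CloudFormation will use the default `SELF`, which only works from the management account. `ensure_call_as` writes the property at the same indentation as the existing properties and leaves a template that already has it unchanged.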

Usage

Deploying this solution:

  1. Clone this repo.
  2. Run the following command, replacing <ROOT_ORG_ID> with the ID of your organization's root OU (to deploy to the entire organization) or with a comma-separated list of OU IDs:

     ```shell
     aws cloudformation create-stack --stack-name CloudQueryOrg-Deploy --template-body file://./template.yml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=OrganizationUnitList,ParameterValue=<ROOT_ORG_ID>
     ```

  3. To get the ARN of the role in the admin account and the name of the role deployed in each member account:

     ```shell
     aws cloudformation describe-stacks --stack-name CloudQueryOrg-Deploy --query "Stacks[].Outputs"
     ```

  4. Using the output from step 3, update the following values in your cloudquery.yml configuration file:

     ```yaml
     kind: source
     spec:
       name: aws
       path: cloudquery/aws
       registry: cloudquery
       version: "v26.6.0" # find latest version here: https://hub.cloudquery.io/plugins/source/cloudquery/aws/latest
       tables: ['aws_s3_buckets']
       destinations: ["postgresql"]
       spec:
         aws_debug: false
         org:
           admin_account:
             role_arn: <AdminRoleArn>
           member_role_name: <MemberRoleName>
         regions:
           - "*"
     ```
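The two steps above, reading the stack outputs and writing them into cloudquery.yml, can be chained so that the role values are never copied by hand. The following Python script is an added example for this README and is not CloudQuery code. It assumes the stack exposes outputs named `AdminRoleArn` and `MemberRoleName` (the placeholders used in the config above), checks that the admin value really is an IAM role ARN before rendering, and embeds a constructed `describe-stacks` result with a made-up account id so it runs offline.

```python
"""Turn the `describe-stacks --query "Stacks[].Outputs"` JSON into a
cloudquery.yml source spec. Added example for this README, not CloudQuery
code. It assumes the stack exports outputs named AdminRoleArn and
MemberRoleName (the README's placeholders) and checks that the admin value is
an IAM role ARN before writing it into the config."""

import json
import re
import sys

# Constructed stand-in for the describe-stacks output: one stack, two outputs.
# The account id and role names are made up for the example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps([
    [
        {"OutputKey": "AdminRoleArn",
         "OutputValue": "arn:aws:iam::111122223333:role/CloudQueryAdminRole"},
        {"OutputKey": "MemberRoleName",
         "OutputValue": "CloudQueryMemberRole"},
    ]
])

# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path+name>
ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")
# IAM role name: allowed characters, at most 64 of them.
ROLE_NAME = re.compile(r"^[\w+=,.@-]{1,64}$")


def outputs_to_dict(describe_json_text):
    """Flatten Stacks[].Outputs (one list per stack) into {OutputKey: OutputValue}.
    A stack without outputs appears as null and is skipped."""
    result = {}
    for stack_outputs in json.loads(describe_json_text):
        for out in stack_outputs or []:
            result[out["OutputKey"]] = out["OutputValue"]
    return result


def render_cloudquery_config(outputs, version="v26.6.0",
                             tables=("aws_s3_buckets",)):
    """Render the source spec from the README with the role values filled in.
    Raises ValueError for a missing or malformed role output so a bad value
    never reaches the config file."""
    try:
        admin_arn = outputs["AdminRoleArn"]
        member_role = outputs["MemberRoleName"]
    except KeyError as exc:
        raise ValueError(f"stack output {exc} missing") from None
    if not ROLE_ARN.match(admin_arn):
        raise ValueError(f"AdminRoleArn is not an IAM role ARN: {admin_arn!r}")
    if not ROLE_NAME.match(member_role):
        raise ValueError(f"MemberRoleName is not a valid role name: {member_role!r}")
    table_list = ", ".join(f"'{t}'" for t in tables)
    return f"""kind: source
spec:
  name: aws
  path: cloudquery/aws
  registry: cloudquery
  version: "{version}"
  tables: [{table_list}]
  destinations: ["postgresql"]
  spec:
    aws_debug: false
    org:
      admin_account:
        role_arn: {admin_arn}
      member_role_name: {member_role}
    regions:
      - "*"
"""


if __name__ == "__main__":
    # Usage: aws cloudformation describe-stacks --stack-name CloudQueryOrg-Deploy \
    #          --query "Stacks[].Outputs" | python render_config.py > cloudquery.yml
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    print(render_cloudquery_config(outputs_to_dict(raw)), end="")
```

Piping the real `describe-stacks` output into the script produces the same file as the manual edit; the ARN and role-name checks catch the common mistake of pasting a role name where the ARN belongs (or the other way round) before CloudQuery tries to assume a role that does not exist.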

Cleaning up:

Run this to delete all resources that were created:

```shell
aws cloudformation delete-stack --stack-name CloudQueryOrg-Deploy
```

Links

Contribution

Feel free to open a Pull Request for improvements, changes and bug fixes.