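AWSTemplateFormatVersion: '2010-09-09'
Description: 'Create a role that authorizes access to admin users in another account'
Metadata:
  Version: 0.7
Parameters:
  RoleName:
    Type: String
    Description: Name of the IAM role created in this account
  SourceAccountId:
    Type: String
    MaxLength: 12
    MinLength: 12
    # Length checks alone admit non-numeric input; the pattern rejects it
    # before the value is interpolated into the trust-policy ARN below.
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: must be a 12 digit AWS account id
    Description: 12 digit id of the account containing the users to which you're granting access
  MultiFactorAuthRequired:
    Default: "False"
    Type: String
    AllowedValues:
      - "True"
      - "False"
Conditions:
  # True when callers must present MFA to assume the role.
  RequireMfa: !Equals [!Ref MultiFactorAuthRequired, "True"]
Resources:
  AssumeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      # Inline policy granting full administrative access; what limits this
      # role is who may assume it, defined in AssumeRolePolicyDocument.
      Policies:
        - PolicyName: "AdminUser"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "*"
                Resource: "*"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # Trusting the account root delegates to SourceAccountId: any
            # principal there whose own IAM policies allow it may assume this role.
            Principal:
              "AWS": !Join ["", ["arn:aws:iam::", !Ref SourceAccountId, ":root"]]
            Action:
              - sts:AssumeRole
            # Attach the MFA condition only when MFA is required. A literal
            # Bool "false" test is not satisfied when aws:MultiFactorAuthPresent
            # is absent from the request context (callers using long-term
            # credentials), so the previous !Ref of the raw parameter locked
            # out the callers the "False" setting was meant to admit.
            Condition: !If
              - RequireMfa
              - Bool:
                  "aws:MultiFactorAuthPresent": "true"
              - !Ref AWS::NoValue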