Access Required by StackZone on AWS

AWS IAM Role required by StackZone

Fernando Honig

Last Update 2 years ago

In order to push configurations and build your StackZone in your AWS Organization, StackZone needs to create an initial AWS IAM Role. This guide describes the permissions/policies needed by the StackZoneLimitedRole and how this role is used.


Role Assumption

Who can assume this role?

  • This role can only be assumed by the StackZone Production Account, and only when it presents an ExternalId that belongs to you, and you alone, as a StackZone Customer Account.
  • AWS services such as AWS CloudFormation, AWS Lambda, AWS Systems Manager and Amazon EventBridge can also assume it.
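The two trust relationships above, as an added example that is not StackZone's own code: a trust policy that lets a vendor account assume the role only when it presents the customer's ExternalId, plus the four service principals named in the article, and a small check that flags any cross-account Allow statement missing the ExternalId condition (the classic confused-deputy gap). The account id and ExternalId values are constructed placeholders.

```python
"""Trust policy for a cross-account role protected by an ExternalId.

Added example, not StackZone's own code. The account id and ExternalId
below are constructed placeholders; the role name StackZoneLimitedRole
and the four service principals come from the article.
"""
import json

# Constructed placeholders: not StackZone's real account id or a real ExternalId.
STACKZONE_PROD_ACCOUNT = "111111111111"
CUSTOMER_EXTERNAL_ID = "example-external-id-for-this-customer"

SERVICE_PRINCIPALS = [
    "cloudformation.amazonaws.com",
    "lambda.amazonaws.com",
    "ssm.amazonaws.com",
    "events.amazonaws.com",
]


def build_trust_policy(vendor_account_id, external_id, service_principals):
    """Return an assume-role (trust) policy document as a dict.

    The vendor account may assume the role only when it presents the
    ExternalId agreed with this customer; AWS services assume it directly.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VendorAccountWithExternalId",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            },
            {
                "Sid": "AwsServicePrincipals",
                "Effect": "Allow",
                "Principal": {"Service": service_principals},
                "Action": "sts:AssumeRole",
            },
        ],
    }


def find_unguarded_aws_principals(policy):
    """Return the Sids of Allow statements that let an AWS account or role
    principal assume the role without an sts:ExternalId condition.

    A cross-account Allow with no ExternalId is the confused-deputy setup:
    anyone who can get the vendor to act on their behalf reaches this role.
    Service principals are not flagged.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in ops for ops in cond.values() if isinstance(ops, dict)
        )
        if not has_external_id:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    doc = build_trust_policy(STACKZONE_PROD_ACCOUNT, CUSTOMER_EXTERNAL_ID, SERVICE_PRINCIPALS)
    print(json.dumps(doc, indent=2))
    print("statements without ExternalId:", find_unguarded_aws_principals(doc))
```

Run the check against the trust policy actually attached to the role in your account (for instance the output of `aws iam get-role`); an empty result means every cross-account Allow carries the ExternalId condition.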


Role Policies

What policies does this role have?

We make a great effort to reduce the permissions needed by StackZoneLimitedRole with each release. At this point in time, this is the list of permissions required:


- autoscaling:Describe*
- aws-portal:ViewBilling
- aws-portal:ViewUsage
- cloudformation:ListStacks
- cloudformation:ListStackResources
- cloudformation:DescribeStacks
- cloudformation:DescribeStackEvents
- cloudformation:DescribeStackResources
- cloudformation:GetTemplate
- cloudfront:Get*
- cloudfront:List*
- cloudtrail:DescribeTrails
- cloudtrail:GetEventSelectors
- cloudtrail:ListTags
- cloudwatch:Describe*
- cloudwatch:Get*
- cloudwatch:List*
- config:Get*
- config:Describe*
- config:Deliver*
- config:List*
- config:Select*
- cur:Describe*
- dms:Describe*
- dms:List*
- dynamodb:DescribeTable
- dynamodb:List*
- ec2:Describe*
- ec2:GetReservedInstancesExchangeQuote
- ecs:List*
- ecs:Describe*
- elasticache:Describe*
- elasticache:ListTagsForResource
- elasticbeanstalk:Check*
- elasticbeanstalk:Describe*
- elasticbeanstalk:List*
- elasticbeanstalk:RequestEnvironmentInfo
- elasticbeanstalk:RetrieveEnvironmentInfo
- elasticfilesystem:Describe*
- elasticloadbalancing:Describe*
- elasticmapreduce:Describe*
- elasticmapreduce:List*
- es:List*
- es:Describe*
- firehose:ListDeliveryStreams
- firehose:DescribeDeliveryStream
- iam:List*
- iam:Get*
- iam:GenerateCredentialReport
- kinesis:Describe*
- kinesis:List*
- kms:DescribeKey
- kms:GetKeyRotationStatus
- kms:ListKeys
- lambda:List*
- logs:Describe*
- organizations:List*
- redshift:Describe*
- route53:Get*
- route53:List*
- rds:Describe*
- rds:ListTagsForResource
- savingsplans:DescribeSavingsPlans
- savingsplans:CreateSavingsPlan
- s3:GetAccountPublicAccessBlock
- s3:GetBucketAcl
- s3:GetBucketLocation
- s3:GetBucketLogging
- s3:GetBucketPolicy
- s3:GetBucketPolicyStatus
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetBucketWebsite
- s3:GetBucketPublicAccessBlock
- s3:List*
- sagemaker:Describe*
- sagemaker:List*
- sdb:GetAttributes
- sdb:List*
- ses:Get*
- ses:List*
- sns:Get*
- sns:List*
- sqs:GetQueueAttributes
- sqs:ListQueues
- storagegateway:List*
- storagegateway:Describe*
- workspaces:Describe*
- ec2:CreateTags
- ec2:ModifyReservedInstances
- ec2:DescribeReservedInstancesOfferings
- ec2:PurchaseReservedInstancesOffering
- sts:GetFederationToken
- rds:PurchaseReservedDBInstancesOffering
- lambda:InvokeFunction
- codepipeline:Get*
- codepipeline:List*
- codepipeline:RetryStageExecution
- ec2:ModifyReservedInstances
- ec2:GetReservedInstancesExchangeQuote
- ec2:AcceptReservedInstancesExchangeQuote
- s3:Get* (On limited resources)
- s3:List* (On limited resources)
- s3:Put* (On limited resources)
- ce:Get*
- ce:Describe*
- ce:List*
- servicecatalog:ProvisionProduct
- servicecatalog:DescribeProduct
- servicecatalog:SearchProducts
- ssm:PutParameter (On limited resources)
- ssm:GetParameter* (On limited resources)
- ssm:DeleteParameter (On limited resources)
- ssm:UpdateServiceSetting (On limited resources)
- organizations:ListAccountsForParent
- organizations:ListOrganizationalUnitsForParent
- resource-groups:*
- tag:TagResources
- ssm:GetServiceSetting
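How a customer can turn the list above into a reviewable policy, as an added example that is not StackZone's own policy document: it parses a handful of entries copied from the list in the article's own "- action (On limited resources)" format, splits them into an account-wide statement and a resource-scoped one, and then reports which actions in the account-wide statement are not plain read verbs, which is exactly the subset a reviewer should look at before granting the role. The resource ARNs are constructed placeholders; the read/write classification by verb prefix is an assumption of this example, with `sts:GetFederationToken` treated as credential-issuing despite its `Get` prefix.

```python
"""Turn the article's permission list into IAM policy statements and flag
the actions that are not read-only.

Added example, not StackZone's own policy. The resource ARNs are
constructed placeholders; the action strings are a subset copied from
the article's list, in its own "- action (On limited resources)" format.
"""
import json
import re

# A few entries in the article's format (a subset of the list above).
PERMISSION_LINES = """
- autoscaling:Describe*
- cloudformation:GetTemplate
- iam:GenerateCredentialReport
- lambda:InvokeFunction
- savingsplans:CreateSavingsPlan
- ec2:PurchaseReservedInstancesOffering
- s3:Put*   (On limited resources)
- ssm:PutParameter   (On limited resources)
- resource-groups:*
- sts:GetFederationToken
"""

# Constructed placeholder ARNs for the "limited resources" statement.
LIMITED_RESOURCES = [
    "arn:aws:s3:::example-stackzone-config-bucket",
    "arn:aws:s3:::example-stackzone-config-bucket/*",
    "arn:aws:ssm:*:*:parameter/stackzone/*",
]

LINE_RE = re.compile(r"^-\s+(\S+)(?:\s+\((On limited resources)\))?\s*$")
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Check", "Retrieve",
                      "Request", "Select", "Search")
# Actions that read like queries but hand out credentials or otherwise act.
NEVER_READ_ONLY = {"sts:GetFederationToken"}


def parse_permission_lines(text):
    """Return a list of (action, limited) tuples from the article's list format."""
    parsed = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        parsed.append((m.group(1), m.group(2) is not None))
    return parsed


def is_read_only(action):
    """True if the verb after the service prefix is a read verb (assumption of
    this example). 'service:*' and verbs such as Put/Create/Invoke/Purchase
    are not, and credential-issuing actions are excluded explicitly."""
    if action in NEVER_READ_ONLY:
        return False
    _, _, verb = action.partition(":")
    return verb != "*" and verb.startswith(READ_ONLY_PREFIXES)


def build_permission_policy(parsed, limited_resources):
    """Split actions into an account-wide statement and a resource-scoped one."""
    wide = sorted(a for a, limited in parsed if not limited)
    scoped = sorted(a for a, limited in parsed if limited)
    statements = [
        {"Sid": "AccountWide", "Effect": "Allow", "Action": wide, "Resource": "*"},
    ]
    if scoped:
        statements.append({
            "Sid": "LimitedResources",
            "Effect": "Allow",
            "Action": scoped,
            "Resource": limited_resources,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def review_findings(policy):
    """Actions granted on Resource '*' that are not read-only: the part of the
    role a customer reviewer should scrutinise before granting it."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Resource") != "*":
            continue
        findings.extend(a for a in stmt["Action"] if not is_read_only(a))
    return findings


if __name__ == "__main__":
    parsed = parse_permission_lines(PERMISSION_LINES)
    policy = build_permission_policy(parsed, LIMITED_RESOURCES)
    print(json.dumps(policy, indent=2))
    print("not read-only on Resource '*':", review_findings(policy))
```

Feeding the full list from the article through `parse_permission_lines` produces the same two-statement shape; the review output is the short list of purchasing, invocation, provisioning and `resource-groups:*` actions, which is where the questions to ask the vendor (why is each needed, and can it be resource-scoped) concentrate.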

How do you protect your StackZone Production Account?

  • We eat our own dog food: we are protected by more than 100 Config Rules and GuardRails. In short, we have StackZone enabled in our own cloud accounts.
  • Our team requires MFA to log in to our production accounts.


If you have any questions or concerns regarding this, please feel free to contact us via our Live Chat Support or by email at [email protected]

