How to Create a Custom Cross Account Role

Follow these steps to create an AWS cross-account role with a custom policy that gives Hava just enough access to draw diagrams of your infrastructure. The role is read-only in intent: Hava assumes it from its own AWS account, so the trust relationship (step 1) decides who may use it and the custom policy (step 2) decides what it can see.

  1. In the AWS Console, on the Create role page that the link in Hava opened, verify the following: 
    • Role type: Another AWS account is selected
    • The Account ID shown in Hava is the one entered in the AWS Console (this is Hava's account, the only principal allowed to assume the role)
    • The External ID shown in Hava is the one entered in the AWS Console (it becomes an sts:ExternalId condition on the trust policy, so a third party that knows only your role ARN cannot have Hava assume it on their behalf)
    • Require MFA is NOT checked (Hava's service assumes the role programmatically and cannot present an MFA code, so the role would be unusable with it checked)
  2. Create your custom policy
    • From permissions policies click Create policy


    • In Create policy, open the JSON tab and paste the policy below. 
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "acm:DescribeCertificate",
              "acm:GetCertificate",
              "acm:ListCertificates",
              "apigateway:GET",
              "apigateway:HEAD",
              "apigateway:OPTIONS",
              "appstream:Get*",
              "autoscaling:Describe*",
              "cloudformation:DescribeStackEvents",
              "cloudformation:DescribeStackResource",
              "cloudformation:DescribeStackResources",
              "cloudformation:DescribeStacks",
              "cloudformation:GetTemplate",
              "cloudformation:List*",
              "cloudfront:Get*",
              "cloudfront:List*",
              "cloudsearch:Describe*",
              "cloudsearch:List*",
              "cloudtrail:DescribeTrails",
              "cloudtrail:GetTrailStatus",
              "cloudwatch:Describe*",
              "cloudwatch:Get*",
              "cloudwatch:List*",
              "codecommit:BatchGetRepositories",
              "codecommit:Get*",
              "codecommit:GitPull",
              "codecommit:List*",
              "codedeploy:Batch*",
              "codedeploy:Get*",
              "codedeploy:List*",
              "config:Deliver*",
              "config:Describe*",
              "config:Get*",
              "datapipeline:DescribeObjects",
              "datapipeline:DescribePipelines",
              "datapipeline:EvaluateExpression",
              "datapipeline:GetPipelineDefinition",
              "datapipeline:ListPipelines",
              "datapipeline:QueryObjects",
              "datapipeline:ValidatePipelineDefinition",
              "directconnect:Describe*",
              "ds:Check*",
              "ds:Describe*",
              "ds:Get*",
              "ds:List*",
              "ds:Verify*",
              "dynamodb:DescribeTable",
              "dynamodb:ListTables",
              "ec2:Describe*",
              "ec2:GetConsoleOutput",
              "ecr:GetAuthorizationToken",
              "ecr:BatchCheckLayerAvailability",
              "ecr:GetDownloadUrlForLayer",
              "ecr:GetManifest",
              "ecr:DescribeRepositories",
              "ecr:ListImages",
              "ecr:BatchGetImage",
              "ecs:Describe*",
              "ecs:List*",
              "elasticache:Describe*",
              "elasticache:List*",
              "elasticbeanstalk:Check*",
              "elasticbeanstalk:Describe*",
              "elasticbeanstalk:List*",
              "elasticbeanstalk:RequestEnvironmentInfo",
              "elasticbeanstalk:RetrieveEnvironmentInfo",
              "elasticfilesystem:DescribeMountTargets",
              "elasticfilesystem:DescribeTags",
              "elasticfilesystem:DescribeFileSystems",
              "elasticfilesystem:DescribeMountTargetSecurityGroups",
              "elasticloadbalancing:Describe*",
              "elasticmapreduce:Describe*",
              "elasticmapreduce:List*",
              "elastictranscoder:List*",
              "elastictranscoder:Read*",
              "es:DescribeElasticsearchDomain",
              "es:DescribeElasticsearchDomains",
              "es:DescribeElasticsearchDomainConfig",
              "es:ListDomainNames",
              "es:ListTags",
              "es:ESHttpGet",
              "es:ESHttpHead",
              "events:DescribeRule",
              "events:ListRuleNamesByTarget",
              "events:ListRules",
              "events:ListTargetsByRule",
              "events:TestEventPattern",
              "firehose:Describe*",
              "firehose:List*",
              "glacier:ListVaults",
              "glacier:DescribeVault",
              "glacier:GetDataRetrievalPolicy",
              "glacier:GetVaultAccessPolicy",
              "glacier:GetVaultLock",
              "glacier:GetVaultNotifications",
              "glacier:ListJobs",
              "glacier:ListMultipartUploads",
              "glacier:ListParts",
              "glacier:ListTagsForVault",
              "glacier:DescribeJob",
              "glacier:GetJobOutput",
              "iam:GenerateCredentialReport",
              "iam:Get*",
              "iam:List*",
              "inspector:Describe*",
              "inspector:Get*",
              "inspector:List*",
              "inspector:LocalizeText",
              "inspector:PreviewAgentsForResourceGroup",
              "iot:Describe*",
              "iot:Get*",
              "iot:List*",
              "kinesis:Describe*",
              "kinesis:Get*",
              "kinesis:List*",
              "kms:Describe*",
              "kms:Get*",
              "kms:List*",
              "lambda:List*",
              "lambda:Get*",
              "logs:Describe*",
              "logs:Get*",
              "logs:TestMetricFilter",
              "machinelearning:Describe*",
              "machinelearning:Get*",
              "mobilehub:GetProject",
              "mobilehub:ListAvailableFeatures",
              "mobilehub:ListAvailableRegions",
              "mobilehub:ListProjects",
              "mobilehub:ValidateProject",
              "mobilehub:VerifyServiceRole",
              "opsworks:Describe*",
              "opsworks:Get*",
              "rds:Describe*",
              "rds:ListTagsForResource",
              "redshift:Describe*",
              "redshift:ViewQueriesInConsole",
              "route53:Get*",
              "route53:List*",
              "route53domains:CheckDomainAvailability",
              "route53domains:GetDomainDetail",
              "route53domains:GetOperationDetail",
              "route53domains:ListDomains",
              "route53domains:ListOperations",
              "route53domains:ListTagsForDomain",
              "s3:GetAccelerateConfiguration",
              "s3:GetAnalyticsConfiguration",
              "s3:GetBucket*",
              "s3:GetInventoryConfiguration",
              "s3:GetIpConfiguration",
              "s3:GetLifecycleConfiguration",
              "s3:GetMetricsConfiguration",
              "s3:GetReplicationConfiguration",
              "s3:List*",
              "sdb:GetAttributes",
              "sdb:List*",
              "sdb:Select*",
              "ses:Get*",
              "ses:List*",
              "sns:Get*",
              "sns:List*",
              "sqs:GetQueueAttributes",
              "sqs:ListQueues",
              "sqs:ReceiveMessage",
              "storagegateway:Describe*",
              "storagegateway:List*",
              "swf:Count*",
              "swf:Describe*",
              "swf:Get*",
              "swf:List*",
              "tag:Get*",
              "trustedadvisor:Describe*",
              "waf:Get*",
              "waf:List*",
              "waf-regional:Get*",
              "waf-regional:List*",
              "workspaces:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      }
    • If there are permissions you don't want Hava to have, remove them: Hava only imports and displays the resources it has permission to read, so dropping an action leaves the affected resources out of the diagram rather than breaking the import. Before you save, it is worth noting that a few entries in the list return data or content rather than the metadata a diagram needs (sqs:ReceiveMessage, codecommit:GitPull, es:ESHttpGet, glacier:GetJobOutput, ecr:BatchGetImage and ecr:GetDownloadUrlForLayer, and wildcards such as kinesis:Get*, logs:Get* and lambda:Get*, which cover GetRecords, GetLogEvents and GetFunction), and that config:Deliver* and elasticbeanstalk:RequestEnvironmentInfo are write actions. "Resource": "*" is expected here because most Describe and List actions do not support resource-level permissions. Once you're happy with the details click Review policy. 
    • Give your policy a name such as HavaPolicy and a description. 
  3. Go back to the Create role tab, refresh the policies list, search for the policy you just created and select it.
  4. Review and create your role. Bang!
  5. In the list of Roles, select the role created and copy the Role ARN value. 
  6. Jump back to your Hava account and enter this into the Role ARN field, then click Import to get started!

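The six steps above are console clicks. As an added example (not Hava's code, and not part of the original guide), the script below does the same work in Python so the two policies can be reviewed before anything is created: it builds the trust policy that steps 1 and 4 produce (Hava's account as principal, an sts:ExternalId condition, no MFA condition), and it audits a permissions policy of the shape shown in step 2 for the actions that return data or perform writes, then shows how to strip them as step 2 suggests. The account ID, External ID and role name are constructed placeholders (take the real ones from the Hava Create role page), the embedded policy is a constructed excerpt of the one above, and the list of data-access actions is this example's own judgement, not something Hava publishes. The AWS CLI commands in the comments at the end are the real console-free equivalent of steps 1 to 5.

```python
"""Trust policy and permissions audit for a Hava-style cross-account role.

Added example, not Hava's own code. Placeholders are marked as constructed.
"""
import fnmatch
import json
import re

HAVA_ACCOUNT_ID = "123456789012"          # constructed: the Account ID Hava shows you
EXTERNAL_ID = "hava-example-external-id"  # constructed: the External ID Hava shows you
ROLE_NAME = "HavaReadOnly"                # constructed role name

# Actions reachable from the step-2 policy whose result is data or content,
# or that have a side effect, rather than the metadata a diagram needs.
# This list is the example's own assessment.
DATA_ACCESS_CONCERNS = {
    "codecommit:GitPull": "clones repository contents",
    "codecommit:GetBlob": "returns source file contents",
    "config:DeliverConfigSnapshot": "write: schedules a snapshot delivery",
    "ec2:GetConsoleOutput": "instance console log text may contain secrets",
    "ecr:GetAuthorizationToken": "registry login token",
    "ecr:BatchGetImage": "pulls image manifests",
    "ecr:GetDownloadUrlForLayer": "downloads image layers",
    "elasticbeanstalk:RequestEnvironmentInfo": "write: triggers log collection",
    "es:ESHttpGet": "GET queries against domain data",
    "glacier:GetJobOutput": "retrieves archive contents",
    "kinesis:GetRecords": "reads stream records",
    "lambda:GetFunction": "presigned URL to download function code",
    "logs:GetLogEvents": "reads log data",
    "s3:ListBucket": "enumerates object keys",
    "sdb:Select": "queries SimpleDB item data",
    "sqs:ReceiveMessage": "reads messages and hides them for the visibility timeout",
}

# Constructed excerpt of the step-2 policy (same shape, far fewer actions).
POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*", "rds:Describe*",
                   "kinesis:Get*", "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
                   "s3:GetBucket*", "s3:List*"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to the step-1 console choices.

    'Another AWS account' -> that account's root as principal.
    External ID           -> sts:ExternalId condition (confused-deputy guard).
    'Require MFA' unchecked -> no aws:MultiFactorAuthPresent condition, since a
    service backend assuming the role cannot present an MFA code.
    """
    if not re.fullmatch(r"\d{12}", trusted_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    if not 2 <= len(external_id) <= 1224:
        raise ValueError("sts:ExternalId must be 2 to 1224 characters")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_actions(policy: dict) -> list:
    """Return (policy_action, concrete_action, reason) for every Allow action
    that covers a data-access or write action, expanding IAM wildcards."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for pattern in actions:
            for concrete, reason in DATA_ACCESS_CONCERNS.items():
                # IAM action matching is case-insensitive; '*' and '?' are wildcards.
                if fnmatch.fnmatchcase(concrete.lower(), pattern.lower()):
                    findings.append((pattern, concrete, reason))
    return findings


def without_actions(policy: dict, actions_to_remove) -> dict:
    """Copy of the policy with the named actions removed (the step-2 trimming),
    dropping any statement left with no actions."""
    drop = {a.lower() for a in actions_to_remove}
    out = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        kept = [a for a in actions if a.lower() not in drop]
        if kept:
            out["Statement"].append({**stmt, "Action": kept})
    return out


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(HAVA_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    for pattern, concrete, reason in audit_actions(POLICY_EXCERPT):
        print(f"{pattern:32} covers {concrete:28} {reason}")
    # Console-free equivalent of steps 1 to 5 (save the two JSON documents first):
    #   aws iam create-role --role-name HavaReadOnly --assume-role-policy-document file://trust.json
    #   aws iam create-policy --policy-name HavaPolicy --policy-document file://hava-policy.json
    #   aws iam attach-role-policy --role-name HavaReadOnly --policy-arn <Arn from create-policy>
    #   aws iam get-role --role-name HavaReadOnly --query Role.Arn --output text
```

Removing a wildcard such as kinesis:Get* drops every Get action under it, not only GetRecords; if Hava needs one of the others, replace the wildcard with the specific Get actions you are comfortable granting rather than deleting the line outright.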