GigaVUE-FM Instance Multi Account Support Using Amazon STS

This section provides instructions on how to set up your GigaVUE-FM instance to work with multiple accounts using Amazon Security Token Service (STS).

Prerequisites

You must complete the following prerequisites before configuring GigaVUE-FM for Amazon STS support.

• A policy must be included in other accounts as well.
  • These policies must allow GigaVUE-FM to assume the role in that account.

Procedure

For the purposes of these instructions, the AWS account that runs the GigaVUE-FM instance is called the source account, and any other AWS account that runs monitored instances is called a target account.

To configure GigaVUE-FM for Amazon STS support:

1. In each target account, create an IAM role with the source account number as a trusted entity and attach policies with permissions allowing GigaVUE-FM to perform its functions. Record the ARN of each role created.

   Note:  This role must exist in all accounts to support the ability to create a single Monitoring Domain in GigaVUE-FM that includes multiple accounts.

2. In the source account, create a new IAM policy that allows GigaVUE-FM to retrieve IAM policies.

   IMPORTANT: The following example is provided as an example.

   1. Use the following permissions if you are using IAM instance role for authentication:

      "iam:ListAttachedRolePolicies",

      "iam:GetPolicy",

      "iam:GetPolicyVersion",

      "iam:ListRolePolicies",

      If there are inline policies linked to the role, then you must include the following permission:

      "iam:GetRolePolicy"

   2. Use the following permissions for basic authentication:

   "iam:ListGroupsForUser"

   "iam:ListAttachedUserPolicies"

   "iam:ListAttachedGroupPolicies"

   "iam:GetPolicy",

   "iam:GetPolicyVersion",

   "iam:ListUserPolicies"

   "iam:ListGroupPolicies"

   If there are inline policies attached to the user, then include the following permission:

   "iam:GetUserPolicy"

   If there are inline policies attached to the user group, then include the following permission:

   "iam:GetGroupPolicy"

3. In the source account, create a new IAM policy that allows the "sts:AssumeRole" action on all role ARNs created in Step 1.
   
   IMPORTANT: The following example is provided as an example.

   {
      "Version": "2012-10-17",
      "Statement": {  
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [  
   	"arn:aws:iam::123456789012:role/FM-Role-target-account"  
   	]  
        }  
   }

   Note:  In this example, 123456789012 is a target account and FM-Role-target-account is the role in the target account configured in step 1 with permissions required for GigaVUE-FM.

4. In the source account, attach the policies created in steps 2 and 3 to the IAM role that is attached to the GigaVUE-FM instance.