GigaVUE-FM Instance Multi Account Support Using Amazon STS

This section provides instructions on how to set up your GigaVUE-FM instance to work with multiple accounts using Amazon Security Token Service (STS).

Prerequisites

You must complete the following prerequisites before configuring GigaVUE-FM for Amazon STS support.

  • A policy must be included in other accounts as well.
    • These policies must allow GigaVUE-FM to assume the role in that account.

Procedure

For the purposes of these instructions, the AWS account that runs the GigaVUE-FM instance is called the source account, and any other AWS account that runs monitored instances is called a target account.

To configure GigaVUE-FM for Amazon STS support:

  1. In each target account, create an IAM role with the source account number as a trusted entity and attach policies with permissions allowing GigaVUE-FM to perform its functions. Record the ARN of each role created.

    Note:  This role must exist in all accounts to support the ability to create a single Monitoring Domain in GigaVUE-FM that includes multiple accounts.

  2. In the source account, create a new IAM policy that allows GigaVUE-FM to retrieve IAM policies.

    IMPORTANT: The following example is provided as an example.

    1. Use the following permissions if you are using IAM instance role for authentication:

      "iam:ListAttachedRolePolicies",
      "iam:GetPolicy",
      "iam:GetPolicyVersion",
      "iam:ListRolePolicies", 
      "iam:ListAccountAliases",

      If there are inline policies linked to the role, then you must include the following permission:

      "iam:GetRolePolicy"
    2. Use the following permissions for basic authentication:

    "iam:ListGroupsForUser"
    "iam:ListAttachedUserPolicies"
    "iam:ListAttachedGroupPolicies"
    "iam:GetPolicy",
    "iam:GetPolicyVersion",
    "iam:ListUserPolicies"
    "iam:ListGroupPolicies"
    "iam:ListAccountAliases",

    If there are inline policies attached to the user, then include the following permission:

    "iam:GetUserPolicy"

    If there are inline policies attached to the user group, then include the following permission:

    "iam:GetGroupPolicy"
  3. In the source account, create a new IAM policy that allows the "sts:AssumeRole" action on all role ARNs created in Step 1.

    IMPORTANT: The following example is provided as an example.
    {
       "Version": "2012-10-17",
       "Statement": {  
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": [  
    	"arn:aws:iam::123456789012:role/FM-Role-target-account"  
    	]  
         }  
    }

    Note:  In this example, 123456789012 is a target account and FM-Role-target-account is the role in the target account configured in step 1 with permissions required for GigaVUE-FM.

  4. In the source account, attach the policies created in steps 2 and 3 to the IAM role that is attached to the GigaVUE-FM instance.