AWS CloudFormation to Create Groups, Policies and Roles with MFA Enforced

Using AWS CloudFormation, we will deploy a set of groups, roles, and managed policies that form a security baseline for your AWS account.

1.1 Create AWS CloudFormation Stack

  1. Sign in to the AWS Management Console, select your preferred region, and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/.
  2. Click Create stack.

[Screenshot: cloudformation-createstack-1]

  3. Enter the following Amazon S3 URL: https://s3-us-west-2.amazonaws.com/aws-well-architected-labs/Security/Code/baseline-iam.yaml and click Next.

[Screenshot: cloudformation-createstack-s3]

  4. Enter the following details:
  • Stack name: The name of this stack. For this lab, use baseline-iam.
  • AllowRegion: The single region to which access is restricted; enter your preferred region.
  • BaselineExportName: The CloudFormation export name prefix, combined with the resource name for each resource created, for example Baseline-PrivilegedAdminRole.
  • BaselineNamePrefix: The prefix for the roles, groups, and policies created by this stack.
  • IdentityManagementAccount: (optional) The AccountId that contains your centralized IAM users and is trusted to assume all roles, or blank for no cross-account trust. Note that the trusted account needs to be appropriately secured.
  • OrganizationsRootAccount: (optional) The AccountId that is trusted to assume the Organizations role, or blank for no cross-account trust. Note that the trusted account needs to be appropriately secured.
  • ToolingManagementAccount: The AccountId that is trusted to assume the ReadOnly and StackSet roles, or blank for no cross-account trust. Note that the trusted account needs to be appropriately secured.
  5. At the bottom of the page, click Next.
  6. In this lab, we won’t add any tags or other options, so click Next. Tags, which are key-value pairs, can help you identify your stacks; for more information, see Adding Tags to Your AWS CloudFormation Stack.
  7. Review the information for the stack. When you’re satisfied with the configuration, check I acknowledge that AWS CloudFormation might create IAM resources with custom names, then click Create stack.

[Screenshot: cloudformation-createstack-final]

  8. After a few minutes the stack status should change from CREATE_IN_PROGRESS to CREATE_COMPLETE.
  9. You have now set up a number of managed policies, groups, and roles that you can test to improve your AWS security!
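The same deployment from the AWS CLI, as an added example that is not the lab's own code: the template URL and parameter names are the lab's, while the AWS CLI installation, its credentials and the account-ID values (supplied through environment variables) are assumptions.

```shell
# Added example, not the lab's own code: deploy the baseline-iam stack from the AWS CLI
# with the lab's template URL and parameter names. Assumes AWS CLI v2 and IAM-capable credentials.
set -euo pipefail
TEMPLATE_URL="https://s3-us-west-2.amazonaws.com/aws-well-architected-labs/Security/Code/baseline-iam.yaml"
STACK_NAME="${STACK_NAME:-baseline-iam}"
ALLOW_REGION="${ALLOW_REGION:-us-west-2}"   # AllowRegion: the single region access is restricted to
EXPORT_NAME="${EXPORT_NAME:-Baseline}"      # BaselineExportName prefix, e.g. Baseline-PrivilegedAdminRole
NAME_PREFIX="${NAME_PREFIX:-Baseline}"      # BaselineNamePrefix for roles, groups and policies
# Cross-account trust (placeholders; blank means no trust). A trusted account must itself be secured.
IDENTITY_ACCOUNT="${IDENTITY_ACCOUNT:-}"
ORG_ROOT_ACCOUNT="${ORG_ROOT_ACCOUNT:-}"
TOOLING_ACCOUNT="${TOOLING_ACCOUNT:-}"

# A trusted account ID is blank or exactly 12 digits; a typo would grant assume-role
# trust to the wrong account, so anything else is refused before the stack is created.
valid_account_id() {
  case "$1" in
    "") return 0 ;;
    *[!0-9]*) return 1 ;;
    ????????????) return 0 ;;
    *) return 1 ;;
  esac
}

# CAPABILITY_NAMED_IAM is the CLI form of the console's "might create IAM resources
# with custom names" acknowledgement; without it the call is rejected.
create_stack() {
  aws cloudformation create-stack --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" --capabilities CAPABILITY_NAMED_IAM \
    --parameters \
      "ParameterKey=AllowRegion,ParameterValue=$ALLOW_REGION" \
      "ParameterKey=BaselineExportName,ParameterValue=$EXPORT_NAME" \
      "ParameterKey=BaselineNamePrefix,ParameterValue=$NAME_PREFIX" \
      "ParameterKey=IdentityManagementAccount,ParameterValue=$IDENTITY_ACCOUNT" \
      "ParameterKey=OrganizationsRootAccount,ParameterValue=$ORG_ROOT_ACCOUNT" \
      "ParameterKey=ToolingManagementAccount,ParameterValue=$TOOLING_ACCOUNT"
}

deploy_baseline_stack() {
  for acct in "$IDENTITY_ACCOUNT" "$ORG_ROOT_ACCOUNT" "$TOOLING_ACCOUNT"; do
    valid_account_id "$acct" || { echo "invalid account id: '$acct'" >&2; return 1; }
  done
  create_stack
  # Blocks until CREATE_IN_PROGRESS becomes CREATE_COMPLETE; exits non-zero on failure.
  aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"
  # Show the exported names of what was created.
  aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query 'Stacks[0].Outputs[].[OutputKey,ExportName]' --output table
}
# Deploy only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "deploy" ]; then deploy_baseline_stack; fi
```

Save it as, for example, deploy-baseline.sh, export the account variables you need, and run `bash deploy-baseline.sh deploy`; the account-ID check runs before anything is sent to CloudFormation.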