AWS CloudFormation to Create Groups, Policies and Roles with MFA Enforced
Using AWS CloudFormation, we are going to deploy a set of groups, roles, and managed policies that help establish a security “baseline” for your AWS account.
- Sign in to the AWS Management Console, select your preferred region, and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/.
- Click Create stack.

- Enter the following Amazon S3 URL:
https://s3-us-west-2.amazonaws.com/aws-well-architected-labs/Security/Code/baseline-iam.yaml
and click Next.

- Enter the following details:
- Stack name: The name of this stack. For this lab, use baseline-iam.
- AllowRegion: A single region to restrict access; enter your preferred region.
- BaselineExportName: The CloudFormation export name prefix used with the resource name for the resources created, for example, Baseline-PrivilegedAdminRole.
- BaselineNamePrefix: The prefix for roles, groups, and policies created by this stack.
- IdentityManagementAccount: (optional) AccountId that contains centralized IAM users and is trusted to assume all roles, or blank for no cross-account trust. Note that the trusted account needs to be appropriately secured.
- OrganizationsRootAccount: (optional) AccountId that is trusted to assume Organizations role, or blank for no cross-account trust. Note that the trusted account needs to be appropriately secured.
- ToolingManagementAccount: AccountId that is trusted to assume the ReadOnly and StackSet roles, or blank for no cross-account trust. Note that the trusted account needs to be appropriately secured.
- At the bottom of the page click Next.
- In this lab, we won’t add any tags or other options. Click Next. Tags, which are key-value pairs, can help you identify your stacks. For more information, see Adding Tags to Your AWS CloudFormation Stack.
- Review the information for the stack. When you’re satisfied with the configuration, check I acknowledge that AWS CloudFormation might create IAM resources with custom names, then click Create stack.

- After a few minutes the stack status should change from CREATE_IN_PROGRESS to CREATE_COMPLETE.
- You have now set up a number of managed policies, groups, and roles that you can test to improve your AWS security!
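The same deployment can be scripted with the AWS CLI. The following is an added example, not part of the original lab: it checks the stack parameters before anything is created, so a mistyped trusted account ID is rejected instead of ending up in a role's trust policy. The function names and validation rules are assumptions made for this sketch, and it expects the AWS CLI to be installed and configured.

```shell
# Added example (not part of the lab): AWS CLI equivalent of the console steps.
TEMPLATE_URL="https://s3-us-west-2.amazonaws.com/aws-well-architected-labs/Security/Code/baseline-iam.yaml"
STACK_NAME="baseline-iam"

# Trusted-account parameters: blank (no cross-account trust) or 12 digits.
valid_account() {
  case "$1" in
    "") return 0 ;;
    *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Region and name prefixes: letters, digits, hyphens only, so they embed in
# JSON without escaping (an assumed rule, stricter than AWS requires).
valid_name() {
  case "$1" in
    "" | *[!A-Za-z0-9-]*) return 1 ;;
  esac
}

# Print the six stack parameters as JSON, in the order the lab lists them.
baseline_params_json() {
  [ "$#" -eq 6 ] || { echo "expected 6 arguments" >&2; return 2; }
  for v in "$1" "$2" "$3"; do
    valid_name "$v" || { echo "invalid region or prefix: '$v'" >&2; return 1; }
  done
  for v in "$4" "$5" "$6"; do
    valid_account "$v" || { echo "invalid account id: '$v'" >&2; return 1; }
  done
  out=""
  for key in AllowRegion BaselineExportName BaselineNamePrefix \
    IdentityManagementAccount OrganizationsRootAccount ToolingManagementAccount; do
    out="$out${out:+,}{\"ParameterKey\":\"$key\",\"ParameterValue\":\"$1\"}"
    shift
  done
  printf '[%s]\n' "$out"
}

# Create the stack in the CLI's configured region and wait for CREATE_COMPLETE.
# CAPABILITY_NAMED_IAM is the CLI form of the console's acknowledgement that
# CloudFormation might create IAM resources with custom names.
deploy_baseline() {
  params=$(baseline_params_json "$@") || return
  aws cloudformation create-stack --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" --parameters "$params" \
    --capabilities CAPABILITY_NAMED_IAM &&
    aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"
}
```

After sourcing the file, a call such as `deploy_baseline us-west-2 Baseline Baseline "" "" ""` (constructed values) deploys the stack with no cross-account trust.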