
Hybrid Cross account access - Customer Manual

Overview

Accessing customer AWS accounts via SWOBillingCrossAccountRole

To manage your AWS billing and ensure accurate invoicing, we require specific permissions within your AWS payer account. Our standard onboarding process for CMS Essentials for AWS typically utilises Federated Access, providing secure and seamless operations. However, due to certain customer requirements, some accounts are not onboarded through this system. To meet these unique needs while maintaining the high security standards our operations demand, we have approved the deployment of a hybrid solution.

This hybrid approach combines Federated Access with cross-account roles to ensure secure and controlled access. Our billing operations team will log in to a dedicated internal AWS account via Partner Lighthouse Federated Access. From this account, they will assume a role in your AWS payer account with restricted permissions, focusing solely on billing management.

The provided CloudFormation template will create the necessary role within your account, ensuring that only authorised Partner personnel can access the required billing information.

Setup

Deploy the CloudFormation template

  1. Open the AWS Management Console.

  2. Navigate to the CloudFormation service.

  3. Click "Create stack" and select "With new resources (standard)".

  4. Upload the provided CloudFormation template file.

  5. Follow the on-screen instructions to complete the stack creation process.

Deployed resources

  • The template will create an IAM role named SWOBillingCrossAccountRole.

  • This role can only be assumed by the SoftwareOne internal AWS account (account ID: 010526243342). The role's trust policy enforces this restriction.

  • The role grants permissions necessary for billing management, support access, and cost exploration.

Security and Compliance

  • Access to SoftwareOne's internal AWS account is protected by federated access through SoftwareOne's Active Directory.

  • All access is monitored and fully auditable, ensuring compliance and security.

Permissions

We encourage you to review the CloudFormation template to understand the exact resources and permissions it deploys. For your convenience, here is a summary of the permissions granted by the SWOBillingCrossAccountRole:

  • AWS Billing and Cost Management:

    • Managed Policy: arn:aws:iam::aws:policy/job-function/Billing

  • AWS Support Center:

    • Managed Policy: arn:aws:iam::aws:policy/AWSSupportAccess

  • AWS Billing Conductor:

    • Managed Policy: arn:aws:iam::aws:policy/AWSBillingConductorFullAccess

  • Cost Explorer (ce) API Actions:

    • Custom Policy: allowCE

      • Actions: ce:Describe*, ce:List*, ce:Get*
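To support the review recommended above, the following added example (not part of the provided template or of SoftwareOne's tooling) compares a role's trust policy, attached managed policies and inline policy against the summary on this page. The policy documents are constructed samples; the principal ARN form, the second account ID 111122223333 and the helper names (`audit_role`, `trust_for`, `ce_policy`) are assumptions made for illustration.

```python
TRUSTED_ACCOUNT = "010526243342"   # account ID stated on this page
AWS_MANAGED = "arn:aws:iam::aws:policy/"
EXPECTED_MANAGED = {AWS_MANAGED + "job-function/Billing", AWS_MANAGED + "AWSSupportAccess",
                    AWS_MANAGED + "AWSBillingConductorFullAccess"}
EXPECTED_CE_ACTIONS = {"ce:Describe*", "ce:List*", "ce:Get*"}   # allowCE actions

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(trust, managed_arns, inline):
    """Return deviations from the documented role; an empty list means it matches."""
    findings = []
    for stmt in as_list(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):          # bare "*" principal
            principal = {"*": principal}
        for kind, values in principal.items():
            for p in as_list(values):
                parts = p.split(":")                 # arn:aws:iam::<account>:root
                account = parts[4] if len(parts) > 4 else p
                if kind != "AWS" or account != TRUSTED_ACCOUNT:
                    findings.append(f"trust: unexpected principal {kind}={p}")
    for arn in sorted(set(managed_arns) - EXPECTED_MANAGED):
        findings.append(f"managed: unexpected policy {arn}")
    for name, doc in inline.items():
        if name != "allowCE":
            findings.append(f"inline: unexpected policy {name}")
            continue
        for stmt in as_list(doc.get("Statement", [])):
            extra = set(as_list(stmt.get("Action", []))) - EXPECTED_CE_ACTIONS
            if stmt.get("Effect") == "Allow" and extra:
                findings.append(f"inline allowCE: unexpected actions {sorted(extra)}")
    return findings

# Constructed sample documents (not taken from the real template).
def trust_for(*accounts):
    arns = [f"arn:aws:iam::{a}:root" for a in accounts]
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": arns}}]}

def ce_policy(*actions):
    return {"Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

GOOD = audit_role(trust_for(TRUSTED_ACCOUNT), EXPECTED_MANAGED,
                  {"allowCE": ce_policy(*EXPECTED_CE_ACTIONS)})
DRIFTED = audit_role(trust_for(TRUSTED_ACCOUNT, "111122223333"),
                     EXPECTED_MANAGED | {AWS_MANAGED + "AdministratorAccess"},
                     {"allowCE": ce_policy("ce:Get*", "ce:*")})
print(GOOD, *DRIFTED, sep="\n")
```

The same function can be fed the trust policy and inline policy documents returned by `aws iam get-role` and `aws iam get-role-policy` for the deployed role. It does not evaluate `Condition` or `Resource` elements.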

CloudFormation template

  SWOCrossAccountRoleAccess.yaml
