Hybrid Cross account access - Customer Manual
Overview
Accessing customer AWS accounts via SWOBillingCrossAccountRole
To manage your AWS billing and ensure accurate invoicing, we require specific permissions within your AWS payer account. Our standard onboarding process for CMS Essentials for AWS typically utilises Federated Access, providing secure and seamless operations. However, due to certain customer requirements, some accounts are not onboarded through this system. To meet these unique needs while maintaining the high security standards our operations demand, we have approved the deployment of a hybrid solution.
This hybrid approach combines Federated Access with cross-account roles to ensure secure and controlled access. Our billing operations team will log in to a dedicated internal AWS account via Partner Lighthouse Federated Access. From this account, they will assume a role in your AWS payer account with restricted permissions, focusing solely on billing management.
The provided CloudFormation template will create the necessary role within your account, ensuring that only authorised Partner personnel can access the required billing information.
Setup
Deploy the CloudFormation template
Open the AWS Management Console.
Navigate to the CloudFormation service.
Click "Create stack" and select "With new resources (standard)".
Upload the provided CloudFormation template file.
Follow the on-screen instructions to complete the stack creation process.
Deployed resources
The template will create an IAM role named SWOBillingCrossAccountRole. This role can only be assumed by the SoftwareOne internal AWS account (account ID: 010526243342); the role's trust policy enforces this restriction.
The role grants permissions necessary for billing management, support access, and cost exploration.
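Added example, not part of the manual or the provided template: a small check a customer can run against the trust policy of the deployed role (obtained with `aws iam get-role --role-name SWOBillingCrossAccountRole`) to confirm that only the SoftwareOne account named above can assume it. The sample policy document embedded below is constructed to match the manual's description; the real document may differ in layout but should pass the same check.

```python
import json

# Account and principal the manual says may assume the role.
EXPECTED_ACCOUNT = "010526243342"
EXPECTED_PRINCIPAL = f"arn:aws:iam::{EXPECTED_ACCOUNT}:root"

# Constructed sample trust policy in the shape the manual describes; replace
# with the AssumeRolePolicyDocument returned by `aws iam get-role`.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    # IAM allows single values or lists for Statement, Action and principals.
    return value if isinstance(value, list) else [value]


def check_trust_policy(document: str, expected_account: str = EXPECTED_ACCOUNT) -> list:
    """Return findings; an empty list means only expected_account may assume the role."""
    findings = []
    policy = json.loads(document)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue  # statement does not grant AssumeRole
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal: any AWS identity may assume the role")
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p == "*":
                findings.append("wildcard AWS principal")
            elif expected_account not in p:
                findings.append(f"unexpected principal {p}")
        for key in principal:
            if key != "AWS":  # e.g. Service or Federated principals are not expected here
                findings.append(f"unexpected principal type {key!r}")
    return findings
```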
Security and Compliance
Access to SoftwareOne's internal AWS account is protected by federated access through SoftwareOne's Active Directory.
All access is monitored and fully auditable, ensuring compliance and security.
Permissions
We encourage you to review the CloudFormation template to understand the exact resources and permissions it deploys. For your convenience, here is a summary of the permissions granted by the SWOBillingCrossAccountRole:
AWS Billing and Cost Management: managed policy arn:aws:iam::aws:policy/job-function/Billing
AWS Support Center: managed policy arn:aws:iam::aws:policy/AWSSupportAccess
AWS Billing Conductor: managed policy arn:aws:iam::aws:policy/AWSBillingConductorFullAccess
Cost Explorer (ce) API actions: custom policy allowCE, allowing the actions ce:Describe*, ce:List* and ce:Get*
CloudFormation template
SWOCrossAccountRoleAccess.yaml