Multi-account setup (without AWS Organizations)
If your service's resources span multiple AWS accounts and you are not using AWS Organizations, you need cross-account roles in addition to the invoker role.
Step 1: Create cross-account roles
In each account that contains resources for your service, create a role with:
- The ReadOnlyAccess policy attached.
- A trust policy that allows the invoker role to assume it, using an ExternalId to prevent confused deputy attacks. Use a unique ExternalId value per service and account combination:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::123456789012:role/AWSResilienceHubAssessmentRole"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "ngrh-my-service-111122223333"
      }
    }
  }]
}
```
Step 2: Grant the invoker role permission to assume cross-account roles
Add an inline policy to your invoker role that allows it to assume the cross-account roles:
{ "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [ "arn:aws:iam::111122223333:role/NGRHResourceRole", "arn:aws:iam::444455556666:role/NGRHResourceRole" ] }
Step 3: Configure cross-account roles on your service
Specify the cross-account role ARNs and external IDs when creating the service:
```bash
aws resiliencehubv2 create-service \
  --name "my-service" \
  --regions '["us-east-1"]' \
  --permission-model '{
    "invokerRoleName": "AWSResilienceHubAssessmentRole",
    "crossAccountRoles": [
      {
        "crossAccountRoleArn": "arn:aws:iam::111122223333:role/NGRHResourceRole",
        "externalId": "ngrh-my-service-111122223333"
      },
      {
        "crossAccountRoleArn": "arn:aws:iam::444455556666:role/NGRHResourceRole",
        "externalId": "ngrh-my-service-444455556666"
      }
    ]
  }'
```
You can configure up to 5 cross-account role ARNs per service.
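The three steps above fit together as one small generator-plus-audit script. The following is an added example, not code from the AWS documentation or the Resilience Hub service: it builds the per-account trust policy, the invoker role's inline AssumeRole policy and the `--permission-model` document from a list of account IDs, deriving each ExternalId with the `ngrh-<service>-<account>` pattern the page uses, enforcing the 5-role limit, and then auditing a trust policy for the two properties that matter against confused deputy attacks (no wildcard principal, an `sts:ExternalId` condition that equals the expected value). The function names, the `audit_trust_policy` finding strings and the default role name `NGRHResourceRole` are this example's own choices; the ARNs and account IDs are the placeholder values from the page.

```python
import json

MAX_CROSS_ACCOUNT_ROLES = 5  # per-service limit stated in the documentation


def external_id_for(service_name, account_id):
    """One ExternalId per (service, account) pair, using the page's naming pattern."""
    return f"ngrh-{service_name}-{account_id}"


def build_trust_policy(invoker_role_arn, external_id):
    """Trust policy for the cross-account role: only the invoker role, only with this ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": invoker_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_invoker_assume_policy(cross_account_role_arns):
    """Inline policy for the invoker role, scoped to the exact cross-account role ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": list(cross_account_role_arns),
        }],
    }


def build_permission_model(invoker_role_name, service_name, account_ids, role_name="NGRHResourceRole"):
    """The --permission-model document; rejects duplicates and more than 5 accounts."""
    if len(set(account_ids)) != len(account_ids):
        raise ValueError("duplicate account IDs in cross-account role list")
    if len(account_ids) > MAX_CROSS_ACCOUNT_ROLES:
        raise ValueError(f"at most {MAX_CROSS_ACCOUNT_ROLES} cross-account roles per service")
    return {
        "invokerRoleName": invoker_role_name,
        "crossAccountRoles": [
            {"crossAccountRoleArn": f"arn:aws:iam::{acct}:role/{role_name}",
             "externalId": external_id_for(service_name, acct)}
            for acct in account_ids
        ],
    }


def audit_trust_policy(policy, expected_invoker_arn, expected_external_id):
    """Return a list of findings for every Allow sts:AssumeRole statement; [] means it is sound."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append("AssumeRole statement allows any principal")
        elif expected_invoker_arn not in aws:
            findings.append(f"principal does not include {expected_invoker_arn}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition (confused deputy risk)")
        elif ext != expected_external_id:
            findings.append(f"sts:ExternalId is {ext!r}, expected {expected_external_id!r}")
    return findings


if __name__ == "__main__":
    # Constructed values matching the documentation's placeholder accounts.
    invoker_arn = "arn:aws:iam::123456789012:role/AWSResilienceHubAssessmentRole"
    accounts = ["111122223333", "444455556666"]
    model = build_permission_model("AWSResilienceHubAssessmentRole", "my-service", accounts)
    print(json.dumps(model, indent=2))
    for acct in accounts:
        tp = build_trust_policy(invoker_arn, external_id_for("my-service", acct))
        print(acct, audit_trust_policy(tp, invoker_arn, external_id_for("my-service", acct)))
```

Run the audit against the trust policy actually attached in each resource account (for example, the output of `aws iam get-role`) rather than against the generated document, so that a policy edited after deployment, such as one whose ExternalId condition was dropped, is caught.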