Multi-Account / Control Tower
If you're using AWS Organizations (e.g., via Control Tower), follow these steps to give NEBU read-only access to all AWS accounts using a single access key.
Step 1: Create a NEBU IAM User in the Management Account
aws iam create-user --user-name nebu-access
Attach inline permissions for listing accounts and assuming roles:
aws iam put-user-policy \
    --user-name nebu-access \
    --policy-name AllowAssumeRoleAndListAccounts \
    --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "organizations:ListAccounts",
            "sts:AssumeRole"
          ],
          "Resource": "*"
        }
      ]
    }'
Create access keys:
aws iam create-access-key --user-name nebu-access
Save the AccessKeyId and SecretAccessKey securely.
Step 2: Create the ReadOnly Role in Each Sub-Account
Use the management credentials to log into each member account and run:
aws iam create-role \
    --role-name nebu-readonly-role \
    --assume-role-policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<management-account-id>:user/nebu-access"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }'
Attach the AWS-managed ReadOnlyAccess policy to the role:
aws iam attach-role-policy \
    --role-name nebu-readonly-role \
    --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
Replace <management-account-id> with your actual management AWS Account ID.
Step 3: Share Access with NEBU
Provide NEBU with the following:
- Access Key ID
- Secret Access Key
- Confirmation that the nebu-readonly-role has been deployed to all accounts
NEBU will use these to:
- List all accounts using organizations:ListAccounts
- Automatically assume the read-only role in each account
- Analyze infrastructure without needing multiple credentials
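Before handing over the keys, it is worth confirming the third item yourself. The script below is an added example, not NEBU's code: run with the nebu-access keys, it walks the same path NEBU will (organizations:ListAccounts, then sts:AssumeRole into nebu-readonly-role per account) and reports which active member accounts still lack an assumable role. The role name, session name and the skipping of the management account are assumptions based on the steps above.

```python
"""Check that nebu-readonly-role is assumable in every active member account.

Hypothetical helper, not NEBU's code: it mirrors Step 3 (ListAccounts from the
management account, then AssumeRole per account). Only main() needs boto3.
"""
from typing import Callable, Dict, Iterable, List

ROLE_NAME = "nebu-readonly-role"  # role name created in Step 2

def role_arn(account_id: str, role_name: str = ROLE_NAME) -> str:
    """ARN of the role NEBU assumes in a member account."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def check_role_deployment(accounts: Iterable[Dict[str, str]],
                          assume: Callable[[str], None],
                          management_account_id: str) -> Dict[str, List[str]]:
    """Sort accounts into 'ok', 'missing' (AssumeRole refused) and 'skipped'.

    `assume(arn)` must raise on failure; any exception means the role is not
    deployed or its trust policy is wrong. SUSPENDED accounts and the management
    account (Step 2 deploys the role to sub-accounts only) are skipped.
    """
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "skipped": []}
    for acct in accounts:
        acct_id = acct["Id"]
        if acct.get("Status") != "ACTIVE" or acct_id == management_account_id:
            result["skipped"].append(acct_id)
            continue
        try:
            assume(role_arn(acct_id))
            result["ok"].append(acct_id)
        except Exception:  # AccessDenied, missing role, bad trust policy, ...
            result["missing"].append(acct_id)
    return result

def main() -> None:
    import boto3  # only the live run needs it; run with the nebu-access keys

    org, sts = boto3.client("organizations"), boto3.client("sts")
    accounts = [a for page in org.get_paginator("list_accounts").paginate()
                for a in page["Accounts"]]
    me = sts.get_caller_identity()["Account"]

    def assume(arn: str) -> None:
        sts.assume_role(RoleArn=arn, RoleSessionName="nebu-role-check")

    print(check_role_deployment(accounts, assume, me))

if __name__ == "__main__":
    main()
```

Any account listed under "missing" has not completed Step 2 (or its trust policy does not name the nebu-access user), and NEBU's role assumption would fail there as well.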
Notes
- No need to give NEBU full account access, only the necessary minimum
- You can rotate or revoke the credentials at any time