Multi-Account / Control Tower

If you're using AWS Organizations (e.g., via Control Tower), follow these steps to give NEBU read-only access to all AWS accounts using a single access key.

Step 1 Create a NEBU IAM User in the Management Account

aws iam create-user --user-name nebu-access

Attach inline permissions for listing accounts and assuming roles:

aws iam put-user-policy \
  --user-name nebu-access \
  --policy-name AllowAssumeRoleAndListAccounts \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "organizations:ListAccounts",
          "sts:AssumeRole"
        ],
        "Resource": "*"
      }
    ]
  }'

Create access keys:

aws iam create-access-key --user-name nebu-access

Save the AccessKeyId and SecretAccessKey securely.

Step 2 Create the ReadOnly Role in Each Sub-Account

Use the management credentials to log into each member account and run:

aws iam create-role \
  --role-name nebu-readonly-role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<management-account-id>:user/nebu-access"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }'

Attach AWS ReadOnlyAccess permissions:

aws iam attach-role-policy \
  --role-name nebu-readonly-role \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

Replace <management-account-id> with your actual management AWS Account ID.

Step 3 Share Access with NEBU

Provide NEBU with the following:

• Access Key ID

• Secret Access Key

• Confirmation that the nebu-readonly-role has been deployed to all accounts

NEBU will use these to:

• List all accounts using organizations:ListAccounts

• Automatically assume the read-only role in each account

• Analyze infrastructure without needing multiple credentials

---

🔐 Notes

• No need to give NEBU full account access only the necessary minimum

• You can rotate/revoke credentials at any time