Link AWS accounts

After connecting AWS accounts to the DoiT platform, you need to create a cross-account AWS IAM role that grants DoiT permission to access your AWS environment. This role is what enables advanced functionalities on your accounts, such as PerfectScale for Spot, real-time anomaly detection, Cloud Diagrams, Composer, Kubernetes Intelligence, and more.

You can link your AWS accounts either via the DoiT console or using Terraform.

Required permissions

  • Your DoiT account must have the Manage Settings permission.

  • You must have AWS credentials for the account you want to link, with permission to create IAM resources (roles and policies).

  • Based on the feature to enable, you may need additional permissions. For example, to enable real-time anomaly detection, you also need permission to configure S3 bucket notifications.

Cross-account role

DoiT's CloudFormation stack template deploys a cross-account IAM role that grants the required permissions to DoiT Cloud Intelligence (the IAM role created via the Terraform module is equivalent). The definition of this IAM role consists of the following sections:

  • Three AWS managed policies: See core functionality permissions.

  • Read-only permissions required by other DoiT features in your Cloud Intelligence plan.

  • A trust policy that allows DoiT to assume the cross-account role and securely access your AWS resources.

  • An inline policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "iam:List*",
                    "iam:Get*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    • iam:List*: This permission allows access to IAM actions that begin with List. These are non-mutating actions typically used to view an inventory of IAM resources, such as the names of users, roles, or policies within the account.

    • iam:Get*: This permission allows access to IAM actions that begin with Get. These actions are read-only and are typically used to retrieve configuration metadata for visibility, compliance, and auditing purposes.

    • "Resource": "*": AWS IAM does not support resource-level scoping for almost all iam:List* actions. As IAM is a global service, resource-level scoping for Get actions is often impractical. Using "Resource": "*" is a common pattern for account-wide visibility and is consistent with AWS-recommended partner access patterns.

  • Additional policies that grant the required permissions for the features you choose to enable on the account. See Security and data access policy: Amazon Web Services.
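Once the role exists, a practitioner will want to confirm it matches the description above: the inline policy stays read-only and the trust policy names only the expected principal. The following is an added example, not DoiT's own code or template; both policy documents are constructed inline, and the trusted account id and `expected_principal` are placeholders, not DoiT's real values.

```python
import json

# Constructed inline policy, the same shape as the one shown above.
INLINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["iam:List*", "iam:Get*"], "Effect": "Allow", "Resource": "*"}
  ]}""")

# Constructed trust policy; the account id is a placeholder, not DoiT's.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}""")


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Principal."""
    return value if isinstance(value, list) else [value]


def non_read_only_actions(policy):
    """Allowed actions not covered by iam:List* / iam:Get* (IAM action names are case-insensitive)."""
    bad = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not action.lower().startswith(("iam:list", "iam:get")):
                bad.append(action)
    return bad


def trusted_principals(policy):
    """AWS principals allowed to assume the role; '*' means anyone."""
    principals = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        principals.extend(["*"] if principal == "*" else _as_list(principal.get("AWS", [])))
    return principals


def audit_role(trust_policy, inline_policy, expected_principal):
    """Return findings; an empty list means the role matches the description above."""
    findings = [f"inline policy allows non-read-only action {a}"
                for a in non_read_only_actions(inline_policy)]
    findings += [f"trust policy allows unexpected principal {p}"
                 for p in trusted_principals(trust_policy) if p != expected_principal]
    return findings
```

In a live account the two documents would come from `get-role` (trust policy) and `get-role-policy` (inline policy) instead of the constructed literals.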