Appendix E: Deploy a Cross-Account IAM role in AWS Member Accounts - AWS Trusted Advisor Explorer

This appendix applies to customers who do not have a cross-account role that trusts the Primary (Master) account in all of the member accounts. In such cases, deploy the following template in all member accounts.

Use this template to launch the cross-account role. The default configuration deploys an AWS Identity and Access Management (IAM) role that trusts the Primary account. A Primary account is the AWS account you use to create your organization and is the account in which the aws-trusted-advisor-explorer solution stack will be deployed. You can also customize the template based on your specific needs.


If you have an IAM role in your member account that trusts the payer account, you can reuse that role. You may need to adjust the permissions associated with that role to include the AWS managed policies AWSSupportAccess and ResourceGroupsandTagEditorReadOnlyAccess.

  1. Sign in to the AWS Management Console and launch the cross-account-member-role AWS CloudFormation template.

    You can also download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default.

  3. On the Create stack page, verify that the correct template URL shows in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack.

  5. Under Parameters, review the parameters for the template and modify them as necessary. This solution uses the following default values.

    | Parameter | Default | Description |
    | --- | --- | --- |
    | MasterAccountNumber | <Requires input> | 12-digit account id of the Primary (Master) account where you will deploy the solution. |
    | CrossAccountRoleName | <Requires input> | Name of the IAM member Role. This name must be consistent across all the member accounts. |

  6. Choose Next.

  7. On the Configure stack options page, choose Next.

  8. On the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  9. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of CREATE_COMPLETE in approximately two minutes.
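After the stack reaches CREATE_COMPLETE, or before reusing an existing role, it is worth confirming that the member role trusts only the Primary account and carries both managed policies named above. The following check is an added example, not part of the solution's code: the function names and the sample policy are constructed for illustration, the account IDs are placeholders, and Condition blocks are not evaluated.

```python
import re
# Managed policies the appendix says the member role needs.
REQUIRED_POLICIES = {"AWSSupportAccess", "ResourceGroupsandTagEditorReadOnlyAccess"}
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}

def _as_list(value):
    """IAM accepts a single string or a list for Principal and Action values."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _account_of(principal):
    """Return the 12-digit account ID from an IAM ARN or a bare ID, else None."""
    m = re.fullmatch(r"(?:arn:aws[\w-]*:iam::)?(\d{12})(?::.+)?", principal)
    return m.group(1) if m else None

def audit_member_role(trust_policy, attached_policy_names, primary_account_id):
    """Return findings; an empty list means the role matches the appendix."""
    findings, trusts_primary = [], False
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        principal = {"AWS": "*"} if principal == "*" else principal  # "*" = everyone
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind == "AWS" and _account_of(p) == primary_account_id:
                    trusts_primary = True
                else:
                    findings.append(f"unexpected trusted principal ({kind}): {p}")
    if not trusts_primary:
        findings.append("Primary account is not trusted for sts:AssumeRole")
    for name in sorted(REQUIRED_POLICIES - set(attached_policy_names)):
        findings.append(f"missing managed policy: {name}")
    return findings

# Constructed sample: trust policy of a member role (shape of IAM GetRole output).
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                              "arn:aws:iam::444455556666:root"]},
    }],
}

if __name__ == "__main__":
    for f in audit_member_role(SAMPLE_TRUST, ["AWSSupportAccess"], "111122223333"):
        print(f)
```

Run against the sample, it reports the second trusted account and the missing ResourceGroupsandTagEditorReadOnlyAccess policy; a role deployed as described returns no findings.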