Transit Network VPC (Cisco CSR)

Appendix C: Configuring Permissions for Additional AWS Accounts

Each AWS account that you connect to the transit network requires access to the Amazon S3 bucket where configuration data is stored, as well as authorization to use the AWS Key Management Service (AWS KMS) customer master key for encrypting and decrypting transit VPC configuration files.

This solution automatically configures the necessary permissions for one additional account, using the account ID that you specify in the Additional AWS Account ID parameter in Step 2. If you want to add other AWS accounts (or you did not specify an additional AWS account ID when initially launching the AWS CloudFormation template in the primary account), you must complete the following steps to manually update the Amazon S3 bucket and AWS KMS policies to grant access to those accounts.

  1. Note the account IDs for all AWS accounts you want to add to the transit VPC network.

  2. Log in to the AWS Management Console of the primary account (where you launched the transit VPC).

  3. Go to the Amazon S3 console and choose the bucket that was created when you launched the solution. (The bucket name shows in the Output tab of the AWS CloudFormation stack.)

  4. Choose Properties, and under Permissions choose Edit bucket policy.

  5. Add a new line to the "AWS" principal list for each additional AWS account. (The line for <account-2-ID> in the following code block is the one you add; bold formatting from the original is not preserved here.) If you connected one additional account when launching the solution, it should already have its own line.

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::<account-1-ID>:root",
                        "arn:aws:iam::<account-2-ID>:root"
                    ]
                },
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::<S3 bucket name>/<bucket prefix>/*"
            }
        ]
    }

  6. Go to the AWS Identity and Access Management (IAM) console, and in the left navigation pane, choose Encryption Keys.

  7. Choose the encryption key for this solution (you will see "Transit VPC" in the key description), and in the Key Policy section, choose Switch to policy view.

  8. In the list of principals allowed to use the master key, add a new line for each additional account ID. (The lines for <account-1-id> and <account-2-id> in the following policy fragment are the ones you add; only the Principal block of the statement is shown.)

    {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::<transit-vpc-primary-account-id>:role/TransitVPC-TransitVpcPollerRole-[cloudformation-id]",
                "arn:aws:iam::<transit-vpc-primary-account-id>:role/TransitVPC-CiscoConfigFunctionRole-[cloudformation-id]",
                "arn:aws:iam::<transit-vpc-primary-account-id>:role/TransitVPC-LambdaLoaderRole-[cloudformation-id]",
                "arn:aws:iam::<account-1-id>:root",
                "arn:aws:iam::<account-2-id>:root"
            ]
        },

After you configure permissions for each AWS account that you want to add to the network, complete Step 3 to tag the applicable spoke VPCs and Step 4 to launch the VGW Poller in those accounts.
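The two manual edits above (steps 5 and 8) are the same operation applied to two policy documents: append the root ARN of each new account to the "AWS" principal list of one Allow statement. The following Python is an added example, not part of the AWS solution, that performs that edit on policy JSON offline so the result can be reviewed before it is pasted into the console. It validates that each account ID is a 12-digit string (a typo here would grant access to a stranger's account), never duplicates an ARN, and refuses to touch policies that grant to a wildcard principal. The sample policies, account IDs, bucket name, prefix and role suffix are constructed placeholders; the KMS action list is assumed, since the appendix shows only the Principal block of that statement.

```python
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample bucket policy in the shape the appendix shows, with one
# additional account (111111111111, a placeholder) already connected.
SAMPLE_BUCKET_POLICY: Dict = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "arn:aws:s3:::example-transit-bucket/vpnconfigs/*",
        }
    ],
}

# Constructed sample KMS key policy. The Principal block follows the appendix;
# the Action list is an assumption (the appendix does not show it).
SAMPLE_KEY_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::999999999999:role/TransitVPC-TransitVpcPollerRole-EXAMPLE",
                    "arn:aws:iam::111111111111:root",
                ]
            },
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        }
    ],
}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def root_arn(account_id: str) -> str:
    """Build the root-principal ARN for an account, rejecting malformed IDs."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return f"arn:aws:iam::{account_id}:root"


def _aws_principals(stmt: Dict) -> List[str]:
    """Normalise Principal.AWS (string or list) to a list of strings."""
    aws = stmt.get("Principal", {}).get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def has_wildcard_principal(policy: Dict) -> bool:
    """True if any statement grants to Principal "*" or Principal.AWS "*"."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and "*" in _aws_principals(stmt):
            return True
    return False


def add_accounts(policy: Dict, account_ids: Iterable[str],
                 sid: Optional[str] = None) -> Dict:
    """Return a copy of policy with each account's root ARN appended to the
    Principal.AWS list of the target Allow statement. Idempotent: ARNs already
    present are not added twice. If sid is given, only that statement is
    edited; otherwise the first Allow statement with AWS principals is used."""
    if has_wildcard_principal(policy):
        raise ValueError("policy already grants to a wildcard principal; fix that first")
    updated = json.loads(json.dumps(policy))  # deep copy, original untouched
    for stmt in updated["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if sid is not None and stmt.get("Sid") != sid:
            continue
        if not isinstance(stmt.get("Principal"), dict) or "AWS" not in stmt["Principal"]:
            continue
        principals = _aws_principals(stmt)
        for account_id in account_ids:
            arn = root_arn(account_id)
            if arn not in principals:
                principals.append(arn)
        stmt["Principal"]["AWS"] = principals
        return updated
    raise ValueError("no matching Allow statement with AWS principals found")


if __name__ == "__main__":
    new_accounts = ["222222222222", "333333333333"]  # constructed placeholders
    print(json.dumps(add_accounts(SAMPLE_BUCKET_POLICY, new_accounts), indent=4))
    print(json.dumps(add_accounts(SAMPLE_KEY_POLICY, new_accounts,
                                  sid="Allow use of the key"), indent=4))
```

Running the script prints both updated documents; paste each into the corresponding console editor from steps 4 and 7. Passing the Sid for the key policy matters because a real key policy has several statements (key administration, the solution's own roles), and only the "Allow use of the key" statement should gain the new accounts.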