How To - Create CloudCheckr IAM Policy for Cross-Account Access

Before you proceed, please make sure you have CloudCheckr credentials and can see your accounts after logging in to the CloudCheckr web application.

Once you have logged into CloudCheckr, click on the AWS account number you wish to sync. You should see a screen similar to this:



Follow the link to set up your credentials. On the next page, choose "Use a Role for Cross-Account Access" and toggle the "Manual vs Cloudformation" button. You should see the following:


Make note of the Account ID and the External ID. You will need these shortly.

In a new tab, log into your AWS account and navigate to the IAM Console.

Go to Roles > Create New Role. Here we will create a cross-account access role for third parties, as seen below:


Input the Account ID and External ID that you noted from CloudCheckr and go to Next: Permissions.

At the Permissions section, create a new policy (this should open a new browser tab). Choose the JSON tab and paste in the contents of the text file attached to the bottom of this article titled "CC Role Policy". Proceed to the Review policy section. For a fully managed policy through AWS that will cover future services, you can use the ReadOnlyAll policy provided by AWS.

At the Review policy section, name the policy "CloudCheckr-Read-Only". The description is as follows: "Provides Cloudcheckr Read and List privileges for all resources for billing data and usage". Create the policy.

Return to your previous tab and refresh using the button to the right of "Create Policy". Search for CloudCheckr and apply the newly created policy to your IAM role. Proceed to review for the role.

At the Review role section, name the role "CloudCheckr". The description is as follows: "Role that gives CloudCheckr ability to scan account for billing and utilization details". Create the role.

Find the newly created role and click on it. Copy the Role ARN. Paste the Role ARN into CloudCheckr at the page where you left off and hit update.

It may take a few hours for CloudCheckr to complete its initial scan of the account.
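To confirm the role was created as intended, you can audit its trust policy (the "Trust relationships" tab of the role). The following is an added example, not part of the original article or CloudCheckr's tooling: it builds the trust policy the third-party role wizard is assumed to produce and checks that only the expected account can assume the role and that the External ID condition is enforced. The account ID and External ID are constructed sample values.

```python
import json

# Constructed sample values; use the Account ID and External ID shown by CloudCheckr.
SAMPLE_ACCOUNT_ID = "111122223333"
SAMPLE_EXTERNAL_ID = "CC-EXAMPLE-EXTERNAL-ID"

def build_trust_policy(account_id, external_id):
    """Trust policy assumed equivalent to the console wizard's third-party role output."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def audit_trust_policy(policy, account_id, external_id):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    findings = []
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_assume = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p not in allowed:              # wildcard or foreign account can assume the role
                findings.append(f"statement {i}: unexpected principal {p}")
        # IAM condition keys are case-insensitive, so normalise before lookup.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        cond = {k.lower(): v for k, v in string_equals.items()}
        if cond.get("sts:externalid") != external_id:
            findings.append(f"statement {i}: missing or wrong sts:ExternalId condition")
    return findings

if __name__ == "__main__":
    policy = build_trust_policy(SAMPLE_ACCOUNT_ID, SAMPLE_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy, SAMPLE_ACCOUNT_ID, SAMPLE_EXTERNAL_ID) or "OK")
```

A role whose trust policy lacks the External ID condition can be assumed by the trusted account on behalf of any of its customers (the confused-deputy problem), so treat that finding as a misconfiguration to fix before syncing.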

