Amazon Organizations Prerequisites
The connector uses the AWS Java SDK 2. To run the connector, the 'AWSOrganizationsReadOnlyAccess' policy, or a similar policy that grants the required permissions, is needed. The required permissions are 'organizations:Describe', 'organizations:List', and 'account:GetAlternateContact'.
The AWS Identity and Access Management (IAM) feature enables its users to manage access to AWS services and resources under the respective AWS user account. Furthermore, it allows users to set the interconnection between AWS accounts. IAM includes four major areas/components:
• Users: AWS accounts
• Groups: A collection of user accounts under one set of permissions
• Roles: A role can be created and assigned to AWS resources
• Policies: A document that defines one or more permissions
To access IAM, log in to the AWS account using the Management Console. After the login, select IAM under the Security, Identity, & Compliance category of the AWS service list.
Once the IAM dashboard has loaded, select Users from the IAM resources.
To add a new role, navigate back to the IAM console, select Roles, and click on the Create new button.
Attach the following managed policy to the role:
• AWSOrganizationsReadOnlyAccess
Edit the Trust Relationship to point to the parent user account.
Copy the Role ARN for the next step.
At this step, assign the permission to use AssumeRole to the user account created in the first step. AssumeRole is an action available under the AWS Security Token Service (STS) that returns a set of temporary security credentials that can be used to access AWS resources. These temporary credentials consist of an access key ID, a secret access key, and a security token.
To assign the permission, navigate back to IAM > Users and select the user created in the previous step. Once it is selected, click on the Add permissions button located in the Permissions tab. This will open the Grant permissions page.
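The trust relationship on the role and the AssumeRole permission for the user, as described in the steps above, written out as policy documents together with a check that neither grant is broader than one user and one role. This is an added example, not part of the Raynet documentation; the ARNs, account ID and function names are constructed placeholders.

```python
import json

# Constructed placeholder ARNs (assumptions; the page gives no real values).
USER_ARN = "arn:aws:iam::111111111111:user/datahub-connector"
ROLE_ARN = "arn:aws:iam::111111111111:role/datahub-organizations-readonly"

def _statement(**fields):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", **fields}]}

def trust_policy(user_arn):
    """Trust relationship on the role: only the named user may assume it."""
    return _statement(Principal={"AWS": user_arn})

def assume_role_policy(role_arn):
    """Permission for the user: AssumeRole on the copied Role ARN only."""
    return _statement(Resource=role_arn)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def findings(policy):
    """List over-broad grants in Allow statements that cover sts:AssumeRole."""
    out = []
    for stmt in _as_list(policy["Statement"]):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & actions:
            continue
        principal = stmt.get("Principal")
        if principal is not None:
            trusted = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            # "*" trusts everyone; ":root" delegates to any identity in that
            # account that is itself allowed to call sts:AssumeRole.
            out += [f"trust not limited to a named user: {p}"
                    for p in trusted if p == "*" or p.endswith(":root")]
        out += [f"sts:AssumeRole allowed on wildcard resource: {r}"
                for r in _as_list(stmt.get("Resource", [])) if "*" in r]
    return out

if __name__ == "__main__":
    for name, doc in (("trust", trust_policy(USER_ARN)),
                      ("user", assume_role_policy(ROLE_ARN))):
        print(name, json.dumps(doc, indent=2), findings(doc) or "no findings")
```

Running `findings` over the policies actually attached in the account (exported as JSON) shows whether the connector user can assume roles other than the one created for it.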