
stackset: deploy test iam role across multiple accounts and regions #27

@ThaiTechTales

Description


Summary

Use AWS CloudFormation StackSets to deploy a reusable IAM Role for testing across multiple AWS accounts and regions. This is useful for validating cross-account access, centralised permission distribution, and IAM auditing strategies.

This hands-on project will demonstrate:

  • Creating and deploying StackSets for IAM resources
  • Using AWS Organisations and delegated admin
  • Safely testing IAM role propagation in real accounts
  • Managing StackSet updates and drift detection

Goals

  • Define a CloudFormation template that creates a test IAM role
  • Deploy it across multiple accounts and regions via StackSets
  • Use service-managed permissions with AWS Organisations
  • Validate role creation, trust policies, and permissions
  • Monitor status, detect drift, and apply future updates

Phase 1: Prepare IAM Role Template

Tasks

  • Create a standalone CloudFormation template (e.g. iam-test-role.yaml)
    • Define an IAM role for testing (e.g. TestCrossAccountRole)
    • Use parameters to customise the role name or trust policy
    • Output the ARN for post-deployment validation
  • Example:
AWSTemplateFormatVersion: "2010-09-09"
Description: Test IAM role distributed by StackSets (one role per account and region)

Parameters:
  TrustedAccountId:
    Type: String
    Description: Account whose principals may assume the test role
    AllowedPattern: "^[0-9]{12}$"
  RoleNamePrefix:
    Type: String
    Default: StackSetTestRole

Resources:
  TestIAMRole:
    Type: AWS::IAM::Role
    Properties:
      # IAM is global per account, so the region suffix keeps the name unique when
      # the StackSet creates an instance in more than one region of the same account
      RoleName: !Sub "${RoleNamePrefix}-${AWS::Region}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # :root trusts every principal in that account that is allowed to call
              # sts:AssumeRole; narrow this to a specific role ARN after testing
              AWS: !Sub "arn:${AWS::Partition}:iam::${TrustedAccountId}:root"
            Action: sts:AssumeRole
      Policies:
        - PolicyName: InlinePermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                  - ec2:DescribeInstances
                Resource: "*"

Outputs:
  RoleArn:
    Description: ARN of the test role in this account and region
    Value: !GetAtt TestIAMRole.Arn

Phase 2: Define StackSet

Tasks

  • Choose a service-managed StackSet via AWS Organisations. This only works from the Organisations management account or from an account registered as delegated administrator for StackSets (trusted access for the service principal member.org.stacksets.cloudformation.amazonaws.com must be enabled first)
  • Use AWS::CloudFormation::StackSet (or aws cloudformation create-stack-set) with:
    • PermissionModel: SERVICE_MANAGED
    • AutoDeployment enabled so accounts added to a target OU receive the role automatically; decide whether RetainStacksOnAccountRemoval should be true or false
    • Capabilities: [ CAPABILITY_NAMED_IAM ] (required because the template sets RoleName)
    • Parameters for the trusted account ID rather than a value baked into the template
  • Reference the template by its S3 URL:
    • Upload iam-test-role.yaml to a versioned bucket so every StackSet update can be traced back to an exact template version
    • The bucket must be readable by CloudFormation in the administrator account; it does not need to be public
  • Tag the StackSet for tracking deployments (StackSet tags are applied to every stack instance it creates)

Phase 3: Target Configuration

Tasks

  • Select deployment targets:
    • Org Units (e.g. Root, Dev, Sandbox). Targeting Root puts the role in every member account, so start with a small Sandbox OU
    • Service-managed StackSets always take OU IDs; specific account IDs can only narrow the OU set (AccountFilterType INTERSECTION), not replace it
    • The Organisations management account never receives a stack instance from a service-managed StackSet, even when it sits inside a targeted OU
  • Choose regions (e.g. ap-southeast-2, us-west-2). IAM roles are global, so each region produces a separate role in the same account; the region suffix in RoleName keeps the names from colliding
  • Set deployment options:
    • Max concurrent accounts: 10
    • Failure tolerance: 1
    • With the default STRICT_FAILURE_TOLERANCE concurrency mode, CloudFormation caps concurrency at failure tolerance + 1, so this combination runs 2 accounts at a time; set ConcurrencyMode to SOFT_FAILURE_TOLERANCE if 10 is really intended
  • Apply the StackSet to targets using IaC or the CLI:
    • aws cloudformation create-stack-instances --stack-set-name <name> --deployment-targets OrganizationalUnitIds=<ou-id> --regions ap-southeast-2 us-west-2 --operation-preferences FailureToleranceCount=1,MaxConcurrentCount=10,ConcurrencyMode=SOFT_FAILURE_TOLERANCE
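Phases 2 and 3 as one boto3 script. This is an added example for the issue, not code from the project: STACK_SET_NAME, TEMPLATE_URL, the OU/account IDs and the assumption that the template exposes a TrustedAccountId parameter are all mine. The two builder functions are pure so the concurrency and targeting rules can be checked without touching AWS; the AWS calls live in create_test_role_stackset.

```python
"""Create the service-managed StackSet for the test role and deploy it to OUs
and regions with boto3. Added example, not the project's own code; the names
and IDs below are assumptions."""
from typing import Optional

STACK_SET_NAME = "iam-test-role"                                                       # assumed
TEMPLATE_URL = "https://example-bucket.s3.amazonaws.com/templates/iam/iam-test-role.yaml"  # assumed bucket
TRUSTED_ACCOUNT_ID = "123456789012"                                                    # placeholder

STRICT, SOFT = "STRICT_FAILURE_TOLERANCE", "SOFT_FAILURE_TOLERANCE"


def operation_preferences(max_concurrent: int, failure_tolerance: int, mode: str = STRICT) -> dict:
    """Build OperationPreferences for create/update-stack-instances.

    In STRICT_FAILURE_TOLERANCE mode (the default) CloudFormation allows at most
    FailureToleranceCount + 1 accounts in flight, so "10 concurrent, tolerance 1"
    really runs 2 at a time. The value is clamped here so the request states what
    will actually happen; use SOFT_FAILURE_TOLERANCE to get the full 10.
    """
    if mode not in (STRICT, SOFT):
        raise ValueError(f"unknown ConcurrencyMode {mode!r}")
    if max_concurrent < 1 or failure_tolerance < 0:
        raise ValueError("max_concurrent must be >= 1 and failure_tolerance >= 0")
    effective = min(max_concurrent, failure_tolerance + 1) if mode == STRICT else max_concurrent
    return {
        "RegionConcurrencyType": "PARALLEL",   # deploy all regions at once
        "FailureToleranceCount": failure_tolerance,
        "MaxConcurrentCount": effective,
        "ConcurrencyMode": mode,
    }


def deployment_targets(ou_ids: list, accounts: Optional[list] = None) -> dict:
    """Service-managed StackSets always target OUs; an explicit account list can
    only narrow those OUs (AccountFilterType=INTERSECTION), not replace them."""
    if not ou_ids:
        raise ValueError("service-managed deployments need at least one OU id")
    targets = {"OrganizationalUnitIds": list(ou_ids)}
    if accounts:
        targets["Accounts"] = list(accounts)
        targets["AccountFilterType"] = "INTERSECTION"
    return targets


def create_test_role_stackset(regions, ou_ids, accounts=None, call_as="SELF", session=None) -> str:
    """Create the StackSet and its first stack instances; returns the OperationId.
    Pass call_as="DELEGATED_ADMIN" when running from a delegated administrator account."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    cfn = (session or boto3.Session()).client("cloudformation")
    cfn.create_stack_set(
        StackSetName=STACK_SET_NAME,
        Description="Test IAM role for cross-account validation",
        TemplateURL=TEMPLATE_URL,
        # assumes the template exposes a TrustedAccountId parameter (Phase 1 task)
        Parameters=[{"ParameterKey": "TrustedAccountId", "ParameterValue": TRUSTED_ACCOUNT_ID}],
        Capabilities=["CAPABILITY_NAMED_IAM"],   # needed because RoleName is set
        PermissionModel="SERVICE_MANAGED",
        AutoDeployment={"Enabled": True, "RetainStacksOnAccountRemoval": False},
        Tags=[{"Key": "Purpose", "Value": "iam-test-role"}],
        CallAs=call_as,
    )
    op = cfn.create_stack_instances(
        StackSetName=STACK_SET_NAME,
        DeploymentTargets=deployment_targets(ou_ids, accounts),
        Regions=list(regions),
        OperationPreferences=operation_preferences(10, 1, SOFT),
        CallAs=call_as,
    )
    return op["OperationId"]


if __name__ == "__main__":
    # Example invocation with assumed OU and region values.
    print(create_test_role_stackset(["ap-southeast-2", "us-west-2"], ["ou-abcd-11111111"]))
```

Keep the OperationId that create_test_role_stackset returns; describe-stack-set-operation on it is how Phase 4 confirms the rollout finished.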

Phase 4: Post-deployment Testing

Tasks

  • Confirm the IAM role was created in each account and region: aws cloudformation list-stack-instances --stack-set-name <name> should show Status CURRENT for every target, and aws cloudformation describe-stack-set-operation --operation-id <id> reports whether the deployment operation succeeded
  • From the trusted account, assume the role with aws sts assume-role --role-arn arn:aws:iam::<account>:role/StackSetTestRole-<region> --role-session-name verify, then run aws sts get-caller-identity with the returned credentials and check that the Arn is an assumed-role ARN for that account and role name
  • IAM changes are eventually consistent; an AccessDenied immediately after creation can clear within seconds, so retry before treating it as a trust policy mismatch
  • Capture any errors in creation or trust policy mismatches, including the StatusReason CloudFormation attaches to a failed stack instance
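Phase 4 as a script run from the trusted account. Added example, not code from the issue: the stack set name, role prefix, account IDs and regions are assumptions, and SAMPLE_SUMMARIES is a constructed list_stack_instances response so the parsing can be exercised offline. The checks that matter are pure functions; assume_and_verify and verify_all are the only parts that call AWS.

```python
"""Post-deployment check: every (account, region) pair should have a CURRENT
stack instance and a role the trusted account can actually assume. Added
example, not the project's own code; IDs and names are assumptions."""
import time
from itertools import product

STACK_SET_NAME = "iam-test-role"     # assumed
ROLE_PREFIX = "StackSetTestRole"     # must match the RoleName pattern in the template

# Constructed sample of what list_stack_instances returns (two targets, one broken).
SAMPLE_SUMMARIES = [
    {"Account": "111111111111", "Region": "ap-southeast-2", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Account": "222222222222", "Region": "us-west-2", "Status": "OUTDATED",
     "StackInstanceStatus": {"DetailedStatus": "FAILED"},
     "StatusReason": "ResourceStatusReason: StackSetTestRole-us-west-2 already exists"},
]


def expected_role_arns(accounts, regions, prefix=ROLE_PREFIX, partition="aws"):
    """Map each (account, region) to the role ARN the template will produce. The
    region suffix matters: IAM is global, so one bare name per account would
    collide as soon as a second region is targeted."""
    return {(a, r): f"arn:{partition}:iam::{a}:role/{prefix}-{r}" for a, r in product(accounts, regions)}


def failed_instances(summaries):
    """Return (account, region, detailed status, reason) for instances that are not CURRENT."""
    bad = []
    for s in summaries:
        if s.get("Status") != "CURRENT":
            detail = s.get("StackInstanceStatus", {}).get("DetailedStatus", s.get("Status"))
            bad.append((s["Account"], s["Region"], detail, s.get("StatusReason", "")))
    return bad


def assumed_role_matches(caller_arn, account, role_name):
    """get-caller-identity returns arn:PARTITION:sts::ACCOUNT:assumed-role/ROLE/SESSION.
    Compare the parts so the session name is ignored and a role of the same name in
    the wrong account is rejected."""
    parts = caller_arn.split(":")
    if len(parts) != 6 or parts[2] != "sts" or parts[4] != account:
        return False
    resource = parts[5].split("/")
    return len(resource) == 3 and resource[0] == "assumed-role" and resource[1] == role_name


def assume_and_verify(role_arn, account, role_name, session=None, attempts=5):
    """Assume the role from the trusted account and confirm who we became.
    IAM is eventually consistent, so AccessDenied right after creation is retried
    with backoff before being reported as a trust policy problem."""
    import boto3
    from botocore.exceptions import ClientError
    sts = (session or boto3.Session()).client("sts")
    for attempt in range(attempts):
        try:
            creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="stackset-verify")["Credentials"]
            break
        except ClientError as err:
            if err.response["Error"]["Code"] != "AccessDenied" or attempt == attempts - 1:
                raise
            time.sleep(2 ** attempt)
    who = boto3.client("sts", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"]).get_caller_identity()
    return assumed_role_matches(who["Arn"], account, role_name)


def verify_all(accounts, regions, call_as="SELF", session=None):
    """List the stack instances, then try every expected role; returns the problems found."""
    import boto3
    cfn = (session or boto3.Session()).client("cloudformation")
    summaries = []
    for page in cfn.get_paginator("list_stack_instances").paginate(StackSetName=STACK_SET_NAME, CallAs=call_as):
        summaries.extend(page["Summaries"])
    problems = failed_instances(summaries)
    for (account, region), arn in expected_role_arns(accounts, regions).items():
        if not assume_and_verify(arn, account, f"{ROLE_PREFIX}-{region}", session):
            problems.append((account, region, "UNEXPECTED_CALLER_IDENTITY", arn))
    return problems
```

Run verify_all with the same account list you expect the OUs to resolve to; leave the management account out of it, since a service-managed StackSet never deploys there.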

Phase 5: Maintenance and Drift

Tasks

  • Modify the IAM role policy, upload the new template version and run aws cloudformation update-stack-set; the change rolls out to every stack instance under the same operation preferences
  • Detect drift:
    • aws cloudformation detect-stack-set-drift --stack-set-name <name> returns an OperationId; poll aws cloudformation describe-stack-set-operation until its Status is SUCCEEDED, FAILED or STOPPED
    • aws cloudformation list-stack-instances then reports a DriftStatus per instance (DRIFTED, IN_SYNC, NOT_CHECKED or UNKNOWN)
  • View and respond to drift results across all stack instances: a DRIFTED test role means the trust policy or permissions were edited out of band, so check CloudTrail in that account for the UpdateAssumeRolePolicy or PutRolePolicy call before re-applying the StackSet
  • Add notification via SNS if deployment fails: StackSet operation and stack instance status changes are published to EventBridge, so a rule matching a FAILED status can target an SNS topic
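The drift step of Phase 5 as a script. Added example, not code from the issue; the stack set name is an assumption and SAMPLE_DRIFT is a constructed list_stack_instances response used only to exercise the reporting offline. detect_drift starts the operation, waits for a terminal status and then groups instances by DriftStatus so that NOT_CHECKED (an instance the check could not reach) is surfaced alongside DRIFTED rather than hidden.

```python
"""Run StackSet drift detection, wait for the operation to finish and report
which stack instances have drifted. Added example, not the project's own code;
STACK_SET_NAME is an assumption and SAMPLE_DRIFT is constructed data."""
import time

STACK_SET_NAME = "iam-test-role"   # assumed
TERMINAL = {"SUCCEEDED", "FAILED", "STOPPED"}

# Constructed sample of list_stack_instances summaries after a drift check.
SAMPLE_DRIFT = [
    {"Account": "111111111111", "Region": "ap-southeast-2", "DriftStatus": "IN_SYNC"},
    {"Account": "111111111111", "Region": "us-west-2", "DriftStatus": "DRIFTED"},
    {"Account": "222222222222", "Region": "ap-southeast-2", "DriftStatus": "NOT_CHECKED"},
]


def operation_done(operation: dict) -> bool:
    """True once a StackSetOperation has reached a terminal Status."""
    return operation.get("Status") in TERMINAL


def drift_report(summaries) -> dict:
    """Group instances by DriftStatus, dropping IN_SYNC so only the ones that need
    attention (DRIFTED, NOT_CHECKED, UNKNOWN) remain."""
    report = {}
    for s in summaries:
        status = s.get("DriftStatus", "UNKNOWN")
        if status != "IN_SYNC":
            report.setdefault(status, []).append((s["Account"], s["Region"]))
    return report


def wait_for_operation(cfn, operation_id, call_as="SELF", poll_seconds=15, timeout=1800):
    """Poll describe_stack_set_operation until the operation finishes or the timeout passes."""
    deadline = time.time() + timeout
    while True:
        op = cfn.describe_stack_set_operation(
            StackSetName=STACK_SET_NAME, OperationId=operation_id, CallAs=call_as
        )["StackSetOperation"]
        if operation_done(op):
            return op
        if time.time() > deadline:
            raise TimeoutError(f"operation {operation_id} still {op.get('Status')} after {timeout}s")
        time.sleep(poll_seconds)


def detect_drift(call_as="SELF", session=None) -> dict:
    """Start a drift detection for the StackSet and return drift_report() for it."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    cfn = (session or boto3.Session()).client("cloudformation")
    op_id = cfn.detect_stack_set_drift(
        StackSetName=STACK_SET_NAME,
        OperationPreferences={"FailureToleranceCount": 1, "MaxConcurrentCount": 2},
        CallAs=call_as,
    )["OperationId"]
    op = wait_for_operation(cfn, op_id, call_as)
    if op["Status"] != "SUCCEEDED":
        raise RuntimeError(f"drift detection ended with status {op['Status']}")
    summaries = []
    for page in cfn.get_paginator("list_stack_instances").paginate(StackSetName=STACK_SET_NAME, CallAs=call_as):
        summaries.extend(page["Summaries"])
    return drift_report(summaries)


if __name__ == "__main__":
    print(detect_drift())
```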

Notes

  • Avoid hardcoding ARNs; use parameters or !Sub. Trusting a whole account (:root) is fine for a throwaway test, but it lets any principal in that account with sts:AssumeRole permission use the role; narrow the Principal to a specific role ARN once validation is done
  • Use tags for auditability and cost tracking
  • Make sure CloudTrail is enabled in every target account (an organisation trail covers all of them) and that the trail's S3 bucket or CloudWatch log group keeps logs long enough to review AssumeRole events for the test role after deployment
  • Store templates under templates/iam/ for organisation

Optional Enhancements

Audit Automation

  • Trigger a Lambda function after each StackSet operation to validate the trust relationships of the deployed roles

Resources
