Updating an AWS Account Connection Stack
Sometimes we need to update our AWS Connection Stacks. For example, AWS updated their Billing and Cost Management Permissions in January 2023.
You are in complete control of the permissions you grant CloudZero. Neither the automated nor manual Connections can update themselves.
We maintain the Provision Account Open Source repository so you can review all of our permissions. In addition, we publish useful resources, policies and CloudFormation templates, from that repository to S3 for your use. This document covers a few workflows for updating your CloudZero permissions using those resources.
Automated Connections
If you connected to CloudZero using our Automated Connections, you can use these steps to update the cloudzero-connected-account CloudFormation stack.
Console
- Open the AWS CloudFormation Console in the appropriate AWS Account.
- Select the cloudzero-connected-account stack.
  - If you don't see the stack right away in the list, first uncheck the "View Nested" radio button to the right of the search box and then search for 'cloudzero'.
- Click Update.
- Select Replace current template.
- Paste https://cz-provision-account.s3.amazonaws.com/latest/services/connected_account.yaml into the Amazon S3 URL Text Box.
- Click Next, Next, and Next (yup, 3 times).
- At the bottom of the screen, check the boxes for CAPABILITIES:
  - [✅] I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  - [✅] I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
- Click Submit.
CLI
Requirements for this One-Liner
Unfortunately, the AWS CLI update-stack command does not have an option to "keep existing Parameters".
This bash snippet will do that for you. It requires these two commands be present in your shell: aws and jq.
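# Re-use the stack's current parameter values and swap in the latest template.
# --capabilities mirrors the two acknowledgements checked in the Console steps;
# without it the update is rejected for a stack that creates named IAM resources.
aws cloudformation update-stack \
  --stack-name cloudzero-connected-account \
  --template-url https://cz-provision-account.s3.amazonaws.com/latest/services/connected_account.yaml \
  --parameters "$(aws cloudformation describe-stacks --stack-name cloudzero-connected-account | jq '.Stacks[0].Parameters')" \
  --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND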
Manual Connections
Console
- Open the IAM Role Console in the appropriate AWS Account.
- Find the Cross Account Role with a trust relationship with CloudZero.
  - You can do this by searching your Roles for 'cloudzero'. Select the one with Trusted entities containing Account: 061190967865.
  - Click on the role name hyperlink.
- Update Inline Policy
  - On the Permissions tab of the Role page, click on the attached Customer inline policy.
  - Click on the JSON tab.
  - Copy the contents of the appropriate policy, payer or resource owner, into the text editor.
  - Click Review policy.
  - Click Save changes.
- Add AWSBillingReadOnlyAccess managed policy
  - On the Permissions tab of the Role page, click on the Add permissions button/dropdown and click Attach Policies.
  - Search for AWSBillingReadOnlyAccess.
  - Check the box to the left of the policy name.
  - Click Add permissions.
CLI
Requirements for this script
It takes a few commands to find and update roles and their policies.
This bash snippet will do that for you:
# Find roles with Trust Relationships with CloudZero
aws iam list-roles | jq -r -e '.Roles | map(select(.AssumeRolePolicyDocument.Statement[0].Principal.AWS == "arn:aws:iam::061190967865:root")) | map(.RoleName)[] | .'

# For each of the roles from the output of the previous command
aws iam list-role-policies --role-name <role-name> | jq -r -e '.PolicyNames[]'

# Now we have the list of policies to update
# For each role and policy:
# (change resource_owner.json to master_payer.json if this is a billing account role and policy)
# curl -f fails on an HTTP error instead of passing the error body on as the policy document
aws iam put-role-policy \
  --role-name <role-name> \
  --policy-name <policy-name> \
  --policy-document "$(curl -fsS https://cz-provision-account.s3.amazonaws.com/latest/policies/resource_owner.json)"

# And we attach the AWSBillingReadOnlyAccess managed policy to your role
aws iam attach-role-policy \
  --role-name <role-name> \
  --policy-arn arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess
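
Because put-role-policy replaces the inline policy wholesale, it helps to see which grants the new document adds or removes before applying it. The following is an added example, not part of CloudZero's tooling or the Provision Account repository: it diffs two IAM policy documents, assuming the current one comes from the PolicyDocument field of aws iam get-role-policy and the proposed one is the downloaded JSON. The sample policies and all function names are constructed for illustration.

```python
import json

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants(policy):
    """Flatten a policy into (effect, key, action, resource, condition) tuples."""
    out = set()
    for stmt in as_list(policy.get("Statement")):
        effect = stmt.get("Effect", "")
        # Canonical JSON, so a changed Condition shows up as remove + add.
        condition = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        resources = (as_list(stmt.get("Resource"))
                     or ["NOT " + r for r in as_list(stmt.get("NotResource"))]
                     or ["<none>"])
        for key in ("Action", "NotAction"):  # NotAction inverts the match
            for action in as_list(stmt.get(key)):
                for resource in resources:
                    # Action names are case-insensitive in IAM.
                    out.add((effect, key, action.lower(), resource, condition))
    return out

def diff_policies(current, proposed):
    """Return (added, removed) grants when `proposed` replaces `current`."""
    cur, new = grants(current), grants(proposed)
    return sorted(new - cur), sorted(cur - new)

# Constructed sample documents, NOT CloudZero's published policies.
CURRENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["aws-portal:ViewBilling", "ce:GetCostAndUsage"]}]}
PROPOSED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ce:GetCostAndUsage", "billing:GetBillingData",
                "cur:DescribeReportDefinitions"]}]}

if __name__ == "__main__":
    added, removed = diff_policies(CURRENT, PROPOSED)
    for sign, rows in (("+", added), ("-", removed)):
        for effect, key, action, resource, condition in rows:
            print(f"{sign} {effect} {key}={action} on {resource} if {condition}")
```

The diff compares literal action strings, so a wildcard such as ce:Get* is reported as its own grant rather than expanded into the actions it matches.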
Updated 7 months ago