I have an AWS Lambda which is querying EC2 instances in my account, I'll call it account A, and it's working fine, I can see it's finding my servers. I also want the Lambda to query EC2 instances in another AWS account at the same time, I'll call that account B - is that possible?
I've got the following policy to allow the Lambda to assume the role in account B, but it only queried the same servers - all in account A - I'm just wondering if I am missing something?
Here is my policy which I've attached to the lambda role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::AccountB:role/MyRoleNameInAccountB"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}
Thanks
CodePudding user response:
For the Lambda to be able to assume a role in AccountB, the role in AccountB has to have a trust policy which allows the Lambda to assume the role.
Also, the role in AccountB has to have the policy which allows the Lambda to describe EC2 instances. AccountB should be the entity which allows actions inside itself, not the other way around, for obvious security reasons.
Recommend checking out this AWS support page.
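To make the answer concrete, here is an added Python (boto3) example, not code from the question or the answer, showing the trust policy the AccountB role needs and a Lambda body that assumes that role and queries EC2 with the returned temporary credentials. Account ids, role names and the sample API output are constructed placeholders.

```python
# Added example: assume the AccountB role from the Lambda and query EC2 there.
# Account ids, role names and the sample API output below are constructed placeholders.
LAMBDA_ROLE_ARN = "arn:aws:iam::111111111111:role/MyLambdaRoleInAccountA"   # placeholder
ACCOUNT_B_ROLE_ARN = "arn:aws:iam::222222222222:role/MyRoleNameInAccountB"  # placeholder


def trust_policy(principal_role_arn: str) -> dict:
    """Trust policy the role in AccountB must carry: only the Lambda's own role
    may call sts:AssumeRole on it. It is attached to the AccountB role, not the Lambda."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def assumed_credentials(sts_client, role_arn: str, session_name: str = "ec2-inventory") -> dict:
    """Call STS AssumeRole and return the temporary credential block."""
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return resp["Credentials"]


def instance_ids(pages) -> list:
    """Flatten paginated DescribeInstances responses into a list of instance ids."""
    ids = []
    for page in pages:
        for reservation in page.get("Reservations", []):
            ids.extend(inst["InstanceId"] for inst in reservation.get("Instances", []))
    return ids


def cross_account_inventory(region: str = "us-east-1") -> dict:
    """Lambda body: AccountA via the execution role, AccountB via the assumed role."""
    import boto3  # imported here so the pure helpers above run without AWS access
    local = boto3.client("ec2", region_name=region)
    creds = assumed_credentials(boto3.client("sts"), ACCOUNT_B_ROLE_ARN)
    # Only a client built from the temporary credentials reaches AccountB; a plain
    # client keeps using the execution role, i.e. AccountA, which is the symptom above.
    remote = boto3.client("ec2", region_name=region,
                          aws_access_key_id=creds["AccessKeyId"],
                          aws_secret_access_key=creds["SecretAccessKey"],
                          aws_session_token=creds["SessionToken"])
    return {"AccountA": instance_ids(local.get_paginator("describe_instances").paginate()),
            "AccountB": instance_ids(remote.get_paginator("describe_instances").paginate())}


# Constructed sample of one DescribeInstances page, so the flattening can run offline.
SAMPLE_PAGES = [{"Reservations": [
    {"Instances": [{"InstanceId": "i-0aaa"}, {"InstanceId": "i-0bbb"}]},
    {"Instances": [{"InstanceId": "i-0ccc"}]},
]}]
```

The ec2:DescribeInstances permission that matters for AccountB's servers is the one on the AccountB role, as the answer says; the AssumeRole permission on the Lambda role only lets it obtain those credentials.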