You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: examples/organizational/README.md
+6-4Lines changed: 6 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -19,11 +19,13 @@ Minimum requirements:
19
19
1. Have an existing AWS account as the organization management account
20
20
* Organizational CloudTrail service must be enabled
21
21
*[Organizational CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) service must be enabled
22
-
1. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)of the `management` account of the organization
23
-
* This account credentials must be [able to manage cloudtrail creation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
22
+
1. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)for the `management` account of the organization
23
+
* This provider credentials must be [able to manage cloudtrail creation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
24
24
> You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.
25
-
* When an account becomes part of an organization, AWS will create an `OrganizationAccountAccessRole`[for account management](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html), which Sysdig Secure for Cloud will use for member-account provisioning and role assuming.
26
-
<br/>This Role name is currently hardcoded.
25
+
* When an account is created within an organization, AWS will create an `OrganizationAccountAccessRole`[for account management](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html), which Sysdig Secure for Cloud will use for member-account provisioning and role assuming.
26
+
* However, when the account is invited into the organization, it's required to [create the role manually](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role)
27
+
> You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.
28
+
* This role name, `OrganizationAccountAccessRole`, is currently hardcoded on the module.
27
29
3. Provide a member **account ID for Sysdig Secure for Cloud workload** to be deployed.
28
30
Our recommendation is for this account to be empty, so that deployed resources are not mixed up with your workload.
29
31
This input must be provided as terraform required input value
0 commit comments