IAM Setup Guide

CloudAtlas needs two IAM roles: one in the management account (its identity) and one in every child account (read-only inventory access).


What you'll do:

1. Create root role in mgmt account
2. Create inventory role in child accounts
3. Configure CloudAtlas

Part 1: Management Account Role

Create CloudAtlasRootRole in account MANAGEMENT_ACCOUNT_ID. This is the role CloudAtlas assumes as its identity.

Step 1: Trust policy

Who will be assuming this role? Select based on how CloudAtlas is deployed:

Trust Policy (EC2/ECS): root-trust.json
{
  "Version": "2012-10-17",
  "Statement": []
}
Step 2: Permission policy

Permission Policy: CloudAtlasRootPolicy.json
{
  "Version": "2012-10-17",
  "Statement": []
}

Also attach managed policy arn:aws:iam::aws:policy/ReadOnlyAccess so CloudAtlas can scan the management account's own resources.

Step 3: Create the role via AWS CLI

AWS CLI (run in management account):
# 1. Save the trust policy
cat > /tmp/root-trust.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": []
}
EOF

# 2. Save the permission policy
cat > /tmp/root-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": []
}
EOF

# 3. Create the role
aws iam create-role \
  --role-name CloudAtlasRootRole \
  --assume-role-policy-document file:///tmp/root-trust.json \
  --description "CloudAtlas management account identity role"

# 4. Attach custom permission policy
aws iam create-policy \
  --policy-name CloudAtlasRootPolicy \
  --policy-document file:///tmp/root-policy.json

aws iam attach-role-policy \
  --role-name CloudAtlasRootRole \
  --policy-arn arn:aws:iam::MANAGEMENT_ACCOUNT_ID:policy/CloudAtlasRootPolicy

# 5. Attach ReadOnlyAccess (for scanning management account itself)
aws iam attach-role-policy \
  --role-name CloudAtlasRootRole \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

Part 2: Child Account Inventory Role

Create CloudAtlasInventoryRole in every child account. It has ReadOnlyAccess and trusts the management account to assume it.

Step 1: Trust policy

Trust Policy: inventory-trust.json
{
  "Version": "2012-10-17",
  "Statement": []
}
Step 2: Create the role in child accounts

Pick the deployment method that fits your setup.

Run this in each child account (switch AWS profiles/credentials per account):

AWS CLI (run in each child account):
# Run once per child account

# 1. Save the trust policy
cat > /tmp/inventory-trust.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": []
}
EOF

# 2. Create the inventory role
aws iam create-role \
  --role-name CloudAtlasInventoryRole \
  --assume-role-policy-document file:///tmp/inventory-trust.json \
  --description "CloudAtlas read-only inventory role"

# 3. Attach ReadOnlyAccess
aws iam attach-role-policy \
  --role-name CloudAtlasInventoryRole \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
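After Part 2, a defender will want to confirm that each child account's CloudAtlasInventoryRole trusts only the management account (the document retrieved with `aws iam get-role` can be fed straight in). The checker below is an added example, not part of the CloudAtlas project; it assumes `MANAGEMENT_ACCOUNT_ID` is a placeholder and that the inventory role should allow `sts:AssumeRole` for IAM principals in that account and nothing else (it also flags the unfilled empty-Statement template).

```python
import json

MANAGEMENT_ACCOUNT_ID = "111111111111"  # placeholder for the page's value

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principal_account(principal):
    """Account ID behind an IAM ARN or bare account ID; None for '*' etc."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) == 6 and parts[2] == "iam" and parts[4].isdigit():
        return parts[4]
    return None

def check_inventory_trust(doc, management_account_id=MANAGEMENT_ACCOUNT_ID):
    """Findings for an inventory-role trust policy; [] means as expected."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    findings, allow_seen = [], False
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        allow_seen = True
        for action in _as_list(st.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action {action}")
        principal = st.get("Principal", {})
        if principal == "*":            # "Principal": "*" means anyone
            findings.append("wildcard principal")
            continue
        for kind, values in principal.items():
            if kind != "AWS":           # Service/Federated do not belong here
                findings.append(f"non-IAM principal type {kind}")
                continue
            for p in _as_list(values):
                account = principal_account(p)
                if account is None:
                    findings.append(f"wildcard or unparsable principal {p}")
                elif account != management_account_id:
                    findings.append(f"foreign account {account} trusted")
    if not allow_seen:
        findings.append("no Allow statement (template still empty?)")
    return findings

# Constructed sample: the trust policy a child account should end up with.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:role/CloudAtlasRootRole"},
    "Action": "sts:AssumeRole"}]}
```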

Part 3: Configure CloudAtlas

Once roles exist, point CloudAtlas at them via the Settings page or .env.

Settings page or .env
ROOT_ROLE_ARN=arn:aws:iam::MANAGEMENT_ACCOUNT_ID:role/CloudAtlasRootRole
CROSS_ACCOUNT_ROLE=CloudAtlasInventoryRole
INVENTORY_ROLE_NAME=CloudAtlasInventoryRole

IAM roles at a glance

Role                          | Account               | Policies                              | Used for
CloudAtlasRootRole            | MANAGEMENT_ACCOUNT_ID | ReadOnlyAccess + CloudAtlasRootPolicy | CloudAtlas identity
CloudAtlasInventoryRole       | All child accounts    | ReadOnlyAccess                        | Per-account scanning
OrganizationAccountAccessRole | All child accounts    | AdministratorAccess (AWS default)     | Setup only (Scenario B)