You must create a primary account policy for the primary Amazon Web Services (AWS) account and a linked account policy for every linked AWS account. You can use these policies to manage access in AWS.

You can attach the AWS policy to an IAM identity such as Users or Roles. For more information, see Policies and Permissions.

Procedure

  1. In the AWS console, go to IAM > Policies > Create policy.
  2. In the Create policy page, click the JSON tab.
  3. In the JSON text box, enter one of the following policies:
    Option: Add a primary account policy
    Note: You must add the primary account policy in the primary AWS account.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:ListAccountAliases"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "logs:Describe*",
                    "logs:Get*",
                    "logs:TestMetricFilter",
                    "logs:FilterLogEvents"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:ListAccounts"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "<Role ARNs>"
            }
        ]
    }
    Option: Add a linked account policy
    Note: You must add the linked account policy in every linked account that is added to the primary AWS account.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:ListAccountAliases"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "logs:Describe*",
                    "logs:Get*",
                    "logs:TestMetricFilter",
                    "logs:FilterLogEvents"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
  4. Click Review policy.
  5. Under the Review policy section, enter a policy name and click Create policy.

What to do next

Log in to each linked account in turn, add a role that trusts the primary AWS account that you want to add to vRealize Network Insight, and attach the linked account policy to that role. To create a role and attach the linked account policy, see Create a Role in AWS.
Note: If every linked account already has a role that includes the standard policy permissions and trusts the primary account, skip this step.
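The following is an added example, not part of the vRealize Network Insight documentation: a small linter for the two policies in step 3 and a generator for the trust policy that the linked-account role needs. It flags any action outside the documented read-only set and, in particular, an sts:AssumeRole statement whose Resource is still the "<Role ARNs>" placeholder or "*" rather than explicit linked-account role ARNs. The 12-digit account IDs and the role name used in the sample are constructed values.

```python
import re

# Action names the documented vRNI policies use; anything else is flagged.
ALLOWED_ACTION_PREFIXES = (
    "iam:ListAccountAliases", "ec2:Describe", "logs:Describe", "logs:Get",
    "logs:TestMetricFilter", "logs:FilterLogEvents",
    "organizations:ListAccounts", "sts:AssumeRole",
)
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy: dict) -> list:
    """Return findings; an empty list means the policy matches the documented shape."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if not action.startswith(ALLOWED_ACTION_PREFIXES):
                findings.append(f"statement {i}: action {action!r} is outside the documented set")
        # sts:AssumeRole must name the linked-account roles explicitly, never "*" or the placeholder.
        if "sts:AssumeRole" in actions:
            for res in _as_list(stmt.get("Resource")):
                if not ROLE_ARN_RE.match(res):
                    findings.append(f"statement {i}: sts:AssumeRole Resource {res!r} is not an explicit role ARN")
    return findings

def linked_role_trust_policy(primary_account_id: str) -> dict:
    """Trust policy for the role in each linked account so the primary account can assume it."""
    if not re.fullmatch(r"\d{12}", primary_account_id):
        raise ValueError("primary_account_id must be a 12-digit AWS account ID")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{primary_account_id}:root"},
        "Action": "sts:AssumeRole"}]}

# Constructed sample: the primary account policy from this page, placeholder left in.
PRIMARY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListAccountAliases"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:Describe*", "logs:Get*",
                                   "logs:TestMetricFilter", "logs:FilterLogEvents"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["organizations:ListAccounts"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "<Role ARNs>"}]}

if __name__ == "__main__":
    for finding in lint_policy(PRIMARY_POLICY):
        print(finding)
```

Run it against the JSON you are about to paste into the console; once the placeholder is replaced with the actual role ARNs from the linked accounts, the linter returns no findings.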