## Prerequisites 1. Configuration profiles are configured for "parent" and "child" ``` aws configure --profile parent aws configure --profile child ``` 2. CloudFormation template (main.template) is uploaded to S3 bucket 3. Bucket Policy on S3 bucket containing CloudFormation templates allows s3:GetObject permissions to child account. For example: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws-us-gov:iam:::root" }, "Action": "s3:Get*", "Resource": "arn:aws-us-gov:s3:::/*" } ] } ``` ## Test Steps ### 1. Create a role for Systems Manager in the parent account Usage ``` aws cloudformation create-stack --stack-name --template-body file://AWS-SystemManager-AutomationAdministrationRole.json --capabilities CAPABILITY_NAMED_IAM --profile parent ``` Example ``` aws cloudformation create-stack --stack-name systems-manager-role --template-body file://AWS-SystemManager-AutomationAdministrationRole.json --capabilities CAPABILITY_NAMED_IAM --profile parent ``` ### 2. Allow the parent account access to the child account Usage ``` aws cloudformation create-stack --stack-name --template-body file://allow-parent-access.json --parameters ParameterKey=pParentAccountNumber,ParameterValue= --capabilities CAPABILITY_NAMED_IAM --profile child ``` Example ``` aws cloudformation create-stack --stack-name allow-parent-access --template-body file://allow-parent-access.json --parameters ParameterKey=pParentAccountNumber,ParameterValue=123456789012 --capabilities CAPABILITY_NAMED_IAM --profile child ``` ### 3. Create the Systems Manager Automation Document in the parent account Usage ``` aws ssm create-document --content file://ssm-document-create-child-vpc.json --name --document-type Automation --profile parent ``` Example ``` aws ssm create-document --content file://ssm-document-create-child-vpc.json --name create-child-vpc --document-type Automation --profile parent ``` ### 4. Find an AMI in the child account Usage ``` aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --region --query Parameters[0].[Value] --profile ``` Example ``` aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --region us-gov-west-1 --query Parameters[0].[Value] --profile child [ "ami-6aa7db0b" ] ``` ### 5. Create a tagged EC2 instance from the AMI found in step 4 Usage ``` aws ec2 run-instances --image-id --count 1 --instance-type --tag-specifications ResourceType=instance,Tags=[{Key=,Value=}] --profile ``` Example ``` aws ec2 run-instances --image-id ami-6aa7db0b --count 1 --instance-type m4.large --tag-specifications ResourceType=instance,Tags=[{Key=MyKey,Value=MyValue}] --profile child ``` ### 6. Start the execution of the Automation document in the parent account Usage ``` aws ssm start-automation-execution --document-name create-child-vpc --targets Key=tag:,Values= --target-parameter-name Dummy --target-locations Accounts=,Regions= --parameters pS3Bucket=,pVpcName=,pVpcCidr=,pS3KeyPrefix= --profile ``` Example ``` aws ssm start-automation-execution --document-name create-child-vpc --targets Key=tag:MyKey,Values=MyValue --target-parameter-name Dummy --target-locations Accounts=123456789012,Regions=us-gov-west-1 --parameters pS3Bucket=my-continuous-monitoring-bucket,pVpcName=production,pVpcCidr='10.0.0.0/24',pS3KeyPrefix='multi-account-automation-document/' --profile parent ``` ### 7. Confirm a new VPC is created in the child account