Creating cross-account authorizations in ARC - Amazon Application Recovery Controller (ARC)

Creating cross-account authorizations in ARC

You might have your resources distributed across multiple AWS accounts, which can make it challenging to get a comprehensive view of your application’s health. It can also make it hard to get the information required to make quick decisions. To help streamline this for readiness check in Amazon Application Recovery Controller (ARC), you can use cross-account authorization.

Cross-account authorization in ARC works with the readiness check feature. With cross-account authorization, you can use one central AWS account to monitor your resources that are located in multiple AWS accounts. In each account that has resources that you want to monitor, you authorize the central account to have access to those resources. Then the central account can create readiness checks for the resources in all the accounts and from the central account, you can monitor readiness for failover.

Note

Cross-account authorization setup isn't available in the console. Instead, use ARC API operations to set up and work with cross-account authorization. To help you get started, this section provides AWS CLI command examples.

Let’s say that an application has an account that has resources in the US West (Oregon) Region (us-west-2), and there's also an account that has resources that you'd like to monitor in the US East (N. Virginia) Region (us-east-1). ARC can allow access for you to monitor both sets of resources from one account, us-west-2, by using cross-account authorization.

For example, let's say that you have the following AWS accounts:

  • US-West account: 999999999999

  • US-East account: 111111111111

In the us-east-1 account (111111111111), we can enable cross-account authorization to allow access by the us-west-2 account (999999999999) by specifying the Amazon Resource Name (ARN) for the (root) user in the us-west-2 IAM account: arn:aws:iam::999999999999:root. After we create the authorization, the us-west-2 account can add resources owned by us-east-1 to resource sets and create readiness checks to run on the resource sets.

The following example illustrates setting up cross-account authorization for one account. You must enable cross-account authorization in each additional account that has AWS resources that you want to add and monitor in ARC.

Note

ARC is a global service that supports endpoints in multiple AWS Regions but you must specify the US West (Oregon) Region (that is, specify the parameter --region us-west-2) in most ARC CLI commands.

The following AWS CLI command shows how to set up cross-account authorization for this example:

aws route53-recovery-readiness --region us-west-2 --profile profile-in-us-east-1-account \
				create-cross-account-authorization --cross-account-authorization arn:aws:iam::999999999999:root

To disable this authorization, do the following:

aws route53-recovery-readiness --region us-west-2 --profile profile-in-us-east-1-account \
				delete-cross-account-authorization --cross-account-authorization arn:aws:iam::999999999999:root

To check in a specific account for all the accounts that you've provided cross-account authorization for, use the list-cross-account-authorizations command. Note that at this time, you can't check in the other direction. That is, there isn't an API operation that you can use with an account profile to list all of the accounts for which it has been granted cross-account authorization to add and monitor resources.

aws route53-recovery-readiness --region us-west-2 --profile profile-in-us-east-1-account \
				list-cross-account-authorizations
{
    "CrossAccountAuthorizations": [
        "arn:aws:iam::999999999999:root"
    ]
}