From d8fe11f393812b4c2d77599eb94ee5f6ad139dc9 Mon Sep 17 00:00:00 2001 From: Pepe Fagoaga Date: Tue, 20 Dec 2022 13:01:26 +0100 Subject: [PATCH] docs(AWS-Role): Include section and remove CLI (#1556) Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com> --- docs/tutorials/aws/role-assumption.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/tutorials/aws/role-assumption.md b/docs/tutorials/aws/role-assumption.md index e9aeec2b..bc156a66 100644 --- a/docs/tutorials/aws/role-assumption.md +++ b/docs/tutorials/aws/role-assumption.md @@ -6,7 +6,7 @@ However, there are few ways to run Prowler against multiple accounts using IAM A 1. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `prowler aws -p/--profile your-custom-profile`. -2. You can use `-R`/`--role ` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account. +2. You can use `-R`/`--role ` and Prowler will get those temporary credentials using `Boto3` and run against that given account. ```sh prowler aws -R arn:aws:iam:::role/ ``` 
@@ -16,8 +16,9 @@ prowler aws -R arn:aws:iam:::role/ prowler aws -T/--session-duration -I/--external-id -R arn:aws:iam:::role/ ``` ->To create a role to assume in multiple accounts easier either as CFN Stack or StackSet, look at [this CloudFormation template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml) and adapt it. +## Create Role +To create a role to be assumed in one or multiple accounts you can use either as CloudFormation Stack or StackSet the following [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml) and adapt it. > _NOTE 1 about Session Duration_: Depending on the mount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option `-T ` to allow up to 12h (43200 seconds). To allow more than 1h you need to modify _"Maximum CLI/API session duration"_ for that particular role, read more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).
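Review bot: In the first hunk (@@ -6,7 +6,7 @@), the added line for option 2 puts `Boto3` in code formatting and no longer names the call being made, whereas the removed line named `aws sts assume-role`. Boto3 is a library, not a command, so plain text fits better, and keeping the STS AssumeRole operation in the sentence tells readers which permission the calling identity needs on the target role. Suggested wording: "Prowler will get those temporary credentials by calling STS AssumeRole through Boto3 and run against that given account."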
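Review bot: In the second hunk (@@ -16,8 +16,9 @@), the sentence added under `## Create Role` is hard to parse: "you can use either as CloudFormation Stack or StackSet the following template" separates the verb from its object. Suggested wording: "To create a role to be assumed in one or multiple accounts, deploy the following template as a CloudFormation Stack or StackSet and adapt it." The new heading also sits directly above the existing "NOTE 1 about Session Duration" blockquote, so that note now falls inside the Create Role section. If that is not intended, move the heading and its sentence below the notes. Since this area is being touched, "mount of checks" in the adjacent context line should read "amount of checks".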