Using StackSets to Automate Role and Policy Creation

Last updated on 03 June, 2024

Everything that AWS Organizational Unit Monitoring requires can be set up with AWS CloudFormation StackSets, which automatically apply the necessary roles and policies to the member accounts of your organization. For details on configuring Organization monitoring, see AWS Organizational Unit Monitoring Setup.

Requirements to Create a Stack Set

To configure roles and permissions for LogicMonitor, activate Trusted Access for your AWS organization. For more information, see Activate trusted access with AWS Organizations from AWS.

Create a single account in LogicMonitor with the necessary roles and policies assigned.

Recommendation: Use your environment’s Organization Root management account for this process. The stack set does not run on that account.

The following details from the account are needed in later steps:

  • Role Name
  • Policy Name
  • Principal account from the Trust Relationship – This is provided by the LM Wizard – 282028653949
  • ExternalId from the Trust Relationship – This is provided by the LM Wizard

You will use these details to create the Stack Set, and therefore the role and policies for all accounts in the organization.

Creating a Stack Set

Note: The following procedure applies after step 6 in AWS Organizational Unit Monitoring Setup. Please follow steps 1-5 in that document before completing this procedure.

Create a stack set in the AWS Management Console for use with LogicMonitor. For full instructions on creating stack sets in AWS CloudFormation, see Create a Stack Set from AWS.

Keep the following details in mind when creating your stack set in AWS:

  • During the stack set creation process, use default settings until you reach the Specify template field. Select Upload a template file and add iam-policy-template_with_gc_support.yaml as the source template.
  • In the Parameters section, enter the LogicMonitor account details you recorded in the earlier section.
  • Selecting Active as your Execution configuration will speed up deployment of your stack set, but this is optional.
  • Select only one region in Specify region. This should be the same region as your stack set, if possible.

After you create your stack set, you can view the instances for each account on the Stack instances tab in your AWS Management Console.
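The following is an added illustration of a template with the shape the Parameters section expects (Role Name, Policy Name, Principal account and ExternalId); it is not LogicMonitor's own iam-policy-template_with_gc_support.yaml, and the parameter names, the root-principal form of the trust relationship and the read-only permission statement are assumptions and placeholders. The sts:ExternalId condition on the trust policy is what prevents the role from being assumed through the LogicMonitor principal account by anyone who does not hold the ID issued by the wizard.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Illustrative cross-account role for LogicMonitor (added example, not the LM template)

Parameters:
  RoleName:
    Type: String
    Description: Role Name recorded from the first LogicMonitor account
  PolicyName:
    Type: String
    Description: Policy Name recorded from the first LogicMonitor account
  PrincipalAccountId:
    Type: String
    Description: Principal account from the Trust Relationship (value shown by the LM Wizard)
    AllowedPattern: "^[0-9]{12}$"
  ExternalId:
    Type: String
    Description: ExternalId from the Trust Relationship (value shown by the LM Wizard)
    NoEcho: true

Resources:
  LogicMonitorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      # Trust relationship: only the LogicMonitor principal account may assume
      # the role, and only when it presents the agreed ExternalId.
      # Assumption: the trusted principal is the account root, as a placeholder.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${PrincipalAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies:
        - PolicyName: !Ref PolicyName
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Placeholder read-only statement; replace it with the statements
              # from the LogicMonitor-supplied template.
              - Effect: Allow
                Action:
                  - cloudwatch:GetMetricData
                Resource: "*"
```

Because IAM is a global service, the single region chosen in Specify region only determines where the stack instances are recorded, not where the role lives.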

Return to AWS Organizational Unit Monitoring Setup to complete steps 7-19. Select Re-use External Id and select the Root management account you added first on the Permission tab during that process.
