
Creating cross-account authorizations in Route 53 ARC

You might have your resources distributed across multiple Amazon accounts, which can make it challenging to get a comprehensive view of your application's health. It can also make it hard to get the information required to make quick decisions. To help streamline this for readiness checks in Amazon Route 53 Application Recovery Controller, you can use cross-account authorization.

Cross-account authorization in Route 53 ARC works with the readiness check feature. With cross-account authorization, you can use one central Amazon account to monitor your resources that are located in multiple Amazon accounts. In each account that has resources that you want to monitor, you authorize the central account to have access to those resources. Then the central account can create readiness checks for the resources in all the accounts and from the central account, you can monitor readiness for failover.

Note

Cross-account authorization setup isn't available in the console. Instead, use Route 53 ARC API operations to set up and work with cross-account authorization. To help you get started, this section provides Amazon CLI command examples.

Let's say that an application has an account with resources in the US West (Oregon) Region (us-west-2), and there's also an account with resources that you'd like to monitor in the US East (N. Virginia) Region (us-east-1). By using cross-account authorization, Route 53 ARC can allow you to monitor both sets of resources from one account (the us-west-2 account).

For example, let's say that you have the following Amazon accounts:

  • US-West account: 999999999999

  • US-East account: 111111111111

In the us-east-1 account (111111111111), we can enable cross-account authorization to allow access by the us-west-2 account (999999999999) by specifying the Amazon Resource Name (ARN) of the root user of the us-west-2 account: arn:aws:iam::999999999999:root. After we create the authorization, the us-west-2 account can add resources owned by the us-east-1 account to resource sets and create readiness checks to run on those resource sets.

The following example illustrates setting up cross-account authorization for one account. You must enable cross-account authorization in each additional account that has Amazon resources that you want to add and monitor in Route 53 ARC.

Note

Route 53 ARC is a global service that supports endpoints in multiple Amazon Regions, but you must specify the US West (Oregon) Region (that is, specify the parameter --region us-west-2) in most Route 53 ARC CLI commands.

The following Amazon CLI command shows how to set up cross-account authorization for this example:

    aws route53-recovery-readiness --region us-west-2 --profile profile-in-us-east-1-account \
        create-cross-account-authorization --cross-account-authorization arn:aws:iam::999999999999:root

To disable this authorization, do the following:

    aws route53-recovery-readiness --region us-west-2 --profile profile-in-us-east-1-account \
        delete-cross-account-authorization --cross-account-authorization arn:aws:iam::999999999999:root

To list, from a specific account, all the accounts that you've granted cross-account authorization to, use the list-cross-account-authorizations command. Note that at this time, you can't check in the other direction. That is, there isn't an API operation that you can use with an account profile to list all of the accounts that have granted it cross-account authorization to add and monitor their resources.

    aws route53-recovery-readiness --region us-west-2 --profile profile-in-us-east-1-account \
        list-cross-account-authorizations

    {
        "CrossAccountAuthorizations": [
            "arn:aws:iam::999999999999:root"
        ]
    }
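Because a central account can't list the accounts that have authorized it, the practical control is to audit each member account's authorizations and flag any ARN that isn't an expected central account. The following is an added example, not code from the Route 53 ARC documentation or the AWS CLI; it assumes the constructed SAMPLE_RESPONSE below (the page's account 999999999999 plus a hypothetical unknown account 222222222222) and the list command shown above.

```python
"""Audit Route 53 ARC cross-account authorizations from a member account."""
import json
import re
import subprocess

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def root_arn(account_id: str) -> str:
    """Build the root-user ARN that the page passes as --cross-account-authorization."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit account ID: {account_id!r}")
    return f"arn:aws:iam::{account_id}:root"


def audit_authorizations(response: dict, expected_central_accounts: set) -> dict:
    """Classify the ARNs returned by list-cross-account-authorizations.

    Assumption: only root ARNs of the expected central accounts are legitimate;
    any other ARN (other account, non-root principal, malformed) is reported as
    unexpected, and an expected account that is absent is reported as missing.
    """
    found = response.get("CrossAccountAuthorizations", [])
    expected, unexpected = [], []
    for arn in found:
        match = ROOT_ARN_RE.match(arn)
        if match and match.group(1) in expected_central_accounts:
            expected.append(arn)
        else:
            unexpected.append(arn)
    missing = sorted(root_arn(a) for a in expected_central_accounts
                     if root_arn(a) not in found)
    return {"expected": expected, "unexpected": unexpected, "missing": missing}


def list_authorizations(profile: str, region: str = "us-west-2") -> dict:
    """Run the page's list command through the AWS CLI (needs credentials; not called offline)."""
    cmd = ["aws", "route53-recovery-readiness", "list-cross-account-authorizations",
           "--region", region, "--profile", profile, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


# Constructed sample response: the page's authorized account plus one unknown account.
SAMPLE_RESPONSE = json.loads(
    '{"CrossAccountAuthorizations": ["arn:aws:iam::999999999999:root",'
    ' "arn:aws:iam::222222222222:root"]}')

if __name__ == "__main__":
    print(json.dumps(audit_authorizations(SAMPLE_RESPONSE, {"999999999999"}), indent=2))
```

Run list_authorizations() with a profile for each member account and feed its result to audit_authorizations(); a non-empty "unexpected" list is the finding to investigate, and "missing" tells you the central account's authorization has been removed.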