
Q-Bits: Configuring Cross-Account Access with Amazon Q Developer
Implement secure multi-account strategies with cross-account access. Amazon Q Developer generates IAM role trust relationships, explains assume role operations, demonstrates integration with AWS Organizations, and provides CLI examples for managing cross-account permissions.
Marco Frattallone
Amazon Employee
Published Feb 26, 2025
Welcome to another installment of Q-Bits, our regular series showcasing cool ways Amazon employees are leveraging Amazon Q Developer. Today, we're diving into how Q Developer can assist with Configuring Cross-Account Access.
AWS Diagnostic Tools is a specialized service exclusively available to AWS Partners participating in the Partner-Led Support program, providing support engineers with a suite of over 50 context-aware tools to diagnose issues across 22 different AWS services. The service enables partners to perform read-only diagnostic operations on their customers' AWS accounts without requiring direct console access, offering a secure and streamlined approach to troubleshooting. Through these tools, support engineers can access necessary service metadata, view cross-region information, and link diagnostic activities to specific support cases using robust tagging features. The service covers various AWS service categories including compute, databases, networking, security, and application integration, while maintaining security through role-based access control and integration with AWS Organization for efficient multi-account management.
AWSPartnerLedSupportReadOnlyAccess is an AWS managed policy designed to provide partners in the AWS Partner-Led Support Program with read-only access to service metadata across numerous AWS services in their customers' accounts. This policy grants essential permissions for troubleshooting technical support cases while maintaining security by limiting access to read-only operations. The policy is specifically crafted to enable support engineers to diagnose issues and provide technical assistance while ensuring they cannot make changes to the customer's infrastructure or configurations.
I wanted to test Diagnostic Tools and AWSPartnerLedSupportReadOnlyAccess, so I asked Amazon Q Developer to implement a secure multi-account strategy across my Organization.
I started by asking Amazon Q Developer Chat in my IDE the following prompt:
Q Developer provided the following response:
Now I want to deploy this CloudFormation Stack with StackSets in every linked account of my Organization.
I asked Q:
Q Developer provided the following response:
Following the above instructions, I have been able to implement cross-account access to Diagnostic Tools in all AWS Organization accounts.
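The role that Q Developer is asked for above boils down to one CloudFormation resource: an IAM role in each member account whose trust policy allows the partner's support account to call sts:AssumeRole and whose only permission is the AWSPartnerLedSupportReadOnlyAccess managed policy. The Python below is an added example, not the template Q Developer returned or the author's own stack: it builds that template as a dictionary, restricts the trust relationship to a single partner account plus an sts:ExternalId condition, and runs the review checks a defender would want before a StackSet pushes the role to every account. The partner account ID, the ExternalId value and the role name are constructed placeholders, and the managed policy ARN is written in the standard `arn:aws:iam::aws:policy/<Name>` form using the policy name from the article (confirm the exact ARN in the IAM console before deploying).

```python
"""Build and review a cross-account read-only role template for Partner-Led Support.

Added example: account ID, ExternalId and role name are constructed placeholders.
"""
import json

# Standard AWS managed-policy ARN form with the policy name the article discusses;
# verify the exact ARN in the IAM console before deploying.
MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AWSPartnerLedSupportReadOnlyAccess"


def trust_policy(partner_account_id: str, external_id: str) -> dict:
    """Trust policy allowing one partner account to assume the role, and only
    when it presents the agreed ExternalId (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def role_template(role_name: str, partner_account_id: str, external_id: str) -> dict:
    """CloudFormation template (as a dict) for the diagnostic role. Because it
    contains no account-specific values, StackSets can deploy it unchanged to
    every member account of the Organization."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Read-only cross-account role for Partner-Led Support diagnostics",
        "Resources": {
            "PartnerSupportRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": trust_policy(partner_account_id, external_id),
                    "ManagedPolicyArns": [MANAGED_POLICY_ARN],
                },
            }
        },
    }


def trust_policy_findings(policy: dict) -> list:
    """Flag trust-policy weaknesses: wildcard principals, a missing ExternalId
    condition, or actions beyond sts:AssumeRole."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS account could assume this role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition: confused-deputy protection missing")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"unexpected actions in trust policy: {actions}")
    return findings


def template_findings(template: dict) -> list:
    """Check every IAM role in the template: read-only managed policy only,
    no inline policies, and a trust policy that passes trust_policy_findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        if props.get("Policies"):
            findings.append(f"{name}: inline policies present; keep the role read-only via the managed policy")
        for arn in props.get("ManagedPolicyArns", []):
            if arn != MANAGED_POLICY_ARN:
                findings.append(f"{name}: unexpected managed policy {arn}")
        findings.extend(
            f"{name}: {f}" for f in trust_policy_findings(props.get("AssumeRolePolicyDocument", {}))
        )
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; replace with the partner's real account ID and
    # the ExternalId agreed with the partner out of band.
    tmpl = role_template("PartnerLedSupportDiagnosticsRole", "111122223333", "example-external-id")
    print(json.dumps(tmpl, indent=2))
    print("findings:", template_findings(tmpl) or "none")
```

The review functions are the part worth keeping around: run `template_findings` against any template a code assistant generates before it reaches a StackSet, since a wildcard principal or a missing ExternalId condition in a role deployed to every account is exactly the kind of defect that is cheap to catch in review and expensive to find afterwards.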
In this Q-Bits article, we've explored how Amazon Q Developer can significantly streamline the implementation of cross-account access patterns within AWS Organizations. Through practical examples, we demonstrated how Q Developer can generate comprehensive CloudFormation templates that establish secure IAM roles with appropriate permissions, trust relationships, and necessary policies for Partner-Led Support access. The combination of CloudFormation StackSets and AWS Organizations enabled efficient deployment across multiple accounts while maintaining consistent security controls. This showcase illustrates how Amazon Q Developer serves as a powerful ally in implementing complex multi-account strategies, reducing the time and effort required to set up secure cross-account access patterns while ensuring adherence to AWS best practices.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.