The AWS CloudFormation template creates a cross-account role that has both a unique
external ID and a policy that allows Workload Security to access your AWS resources.
To accomplish this, the template first creates a temporary role with the necessary
Workload Security permissions. Using this role, it starts Lambda functions that perform
the following actions:
Procedure
- Creates the cross-account role for Workload Security.
- Obtains the Amazon Resource Name (ARN) of the cross-account role.
- Sends the ARN to the Workload Security API.
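The security-relevant part of the cross-account role is its trust policy: Workload Security's account may assume the role only when it presents the unique external ID, which is the standard mitigation for the confused-deputy problem. The following Python is an added example (not the vendor's template or code) that builds such a trust policy and checks an existing one for the external-ID condition; the account ID and external ID are constructed placeholders.

```python
"""Build and validate the trust policy of an externally-trusted IAM role.

Added example, not from the vendor's CloudFormation template. The trusted
account ID below is a constructed placeholder; substitute the real value.
"""
import json
import secrets

# Constructed placeholder for the AWS account that will assume the role.
TRUSTED_ACCOUNT_ID = "111122223333"

ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def new_external_id() -> str:
    """Return a random, unguessable external ID (32 hex characters)."""
    return secrets.token_hex(16)


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy allowing one account to assume the role, gated on the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                # Without this condition any principal in the trusted account that
                # knows the role ARN could be tricked into assuming it on behalf
                # of a third party (confused deputy).
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def external_id_required(trust_policy: dict) -> bool:
    """True only if every Allow statement granting AssumeRole carries a
    non-empty StringEquals condition on sts:ExternalId."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not ASSUME_ACTIONS.intersection(actions):
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            return False
    return True


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, new_external_id())
    print(json.dumps(policy, indent=2))
    print("external ID enforced:", external_id_required(policy))
```

`external_id_required` is the check to run against the trust policy of the role the stack created (for example, the output of `aws iam get-role`), since a role trusting another account's root without the condition is the weak configuration to look for.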
What to do next
The Lambda functions cannot delete the original temporary role: after your AWS account
has been added to Workload Security, you must remove it by deleting the CloudFormation
stack.
For more details, you can view the content of the CloudFormation template directly
in AWS by editing it during the template selection process.