AWS Cross-Account Access Setup Guide

This guide will walk you through the process of setting up cross-account access between your AWS account and the Firetiger AWS account (975050257559). This allows Firetiger to access resources in your AWS account in a secure and controlled manner.

Account Requirements

Dedicated sub-account

Provision a standalone AWS sub-account in your AWS Organization for Firetiger. This account should not host unrelated workloads.

No out-of-band modifications

After granting Firetiger the deployment role, avoid modifying account-wide settings or Firetiger-managed resources without coordination. Contact your Firetiger Solutions Engineer to discuss changes.

Baseline settings

  • AWS CloudTrail enabled for management events across all regions

Creating Your AWS Account

Follow this link to create an account on the AWS console:

https://us-east-1.console.aws.amazon.com/organizations/v2/home/accounts

Click “Add an AWS account”, then follow the steps to create a new account to deploy Firetiger in.

Setting Up Cross-Account Access

We’ve created a CloudFormation template to automatically provision the required permissions in your AWS account.

Step 1: Save the following as firetiger-bootstrap.json:

{
  "Resources": {
    "CrossAccountAccessForFiretiger": {
      "Type": "AWS::IAM::Role",
      "DeletionPolicy": "Retain",
      "Properties": {
        "RoleName": "CrossAccountAccessForFiretiger",
        "Description": "Allows full administrative access from the Firetiger account",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": ["arn:aws:iam::975050257559:root"]
              },
              "Action": ["sts:AssumeRole"]
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "RoleARN": {
      "Description": "ARN of the CrossAccountAccessForFiretiger role",
      "Value": {
        "Fn::GetAtt": ["CrossAccountAccessForFiretiger", "Arn"]
      }
    }
  }
}

Step 2: Apply the CloudFormation template:

aws cloudformation create-stack --stack-name firetiger-bootstrap \
  --template-body file://firetiger-bootstrap.json \
  --capabilities CAPABILITY_NAMED_IAM

Step 3: Wait for the stack to complete:

aws cloudformation wait stack-create-complete --stack-name firetiger-bootstrap

Step 4: Retrieve the Role ARN:

aws cloudformation describe-stacks --stack-name firetiger-bootstrap \
  --query 'Stacks[0].Outputs[?OutputKey==`RoleARN`].OutputValue' \
  --output text

Share this Role ARN with your Firetiger Solutions Engineer to complete the setup.
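Because the role carries AdministratorAccess, its trust policy is the only limit on who can use it. The following check is an added example, not part of Firetiger's tooling: it confirms that a copy of the template trusts only account 975050257559 before you run Step 2. The helper names and the tampered sample (with the made-up account 111122223333) are assumptions made for illustration.

```python
EXPECTED_ACCOUNT = "975050257559"  # Firetiger account ID as given in this guide
ROLE_ID = "CrossAccountAccessForFiretiger"  # logical ID used in the template

def as_list(value):
    """IAM policy JSON accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID of a bare 12-digit ID or an IAM ARN; None for anything else."""
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return None

def check_trust(template, expected=EXPECTED_ACCOUNT):
    """Return findings; an empty list means only the expected account is trusted."""
    findings = []
    props = template["Resources"][ROLE_ID]["Properties"]
    for stmt in as_list(props["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for "anyone"; report it like {"AWS": "*"}
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in as_list(values):
                if kind != "AWS" or account_of(value) != expected:
                    findings.append(f"unexpected {kind} principal: {value}")
        for action in as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action: {action}")
    return findings

def trust_doc(principals):
    """Build a minimal template around a trust policy (constructed sample input)."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principals},
            "Action": ["sts:AssumeRole"]}
    policy = {"Version": "2012-10-17", "Statement": [stmt]}
    return {"Resources": {ROLE_ID: {"Properties": {"AssumeRolePolicyDocument": policy}}}}

AS_PUBLISHED = trust_doc(["arn:aws:iam::975050257559:root"])
# Constructed tampered copy: one extra, made-up account ID has been added.
TAMPERED = trust_doc(["arn:aws:iam::975050257559:root", "arn:aws:iam::111122223333:root"])

if __name__ == "__main__":
    for name, doc in (("as published", AS_PUBLISHED), ("tampered", TAMPERED)):
        print(name, "->", check_trust(doc) or "OK")
```

To check the file saved in Step 1, load firetiger-bootstrap.json with `json.load` and pass the result to `check_trust`.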

What Firetiger will use this role for

For your information, here’s what we’ll set up on our account (975050257559) to make this work:

  1. Create an IAM policy that allows assuming your role
  2. Attach this policy to the appropriate IAM roles in our account
  3. Configure our systems to use these credentials to assume your role

Example of the Firetiger IAM Policy used to assume your role

We create a policy in our account that looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/CrossAccountAccessForFiretiger"
    }
  ]
}

We then attach this policy to a deployment IAM Role used to provision resources into your account.

Setting up Anthropic LLM access

Firetiger’s LLM capabilities are built on Anthropic’s foundation models through Amazon Bedrock. You need to explicitly request access to these models for the AWS account that runs Firetiger.

Amazon provides docs on how to do this. Firetiger currently needs access to Anthropic’s Claude Sonnet 4.5 and Haiku 3.5 models in global (cross-region) routing mode.

When you request access, use your company’s name and website. In the use case field, write: “LLM access for Firetiger AI products.”

Access Policy

The following principles govern how Firetiger employees access your AWS account under the Managed BYOC model:

  1. Purpose of the role: The deployment role is used by Firetiger automation to deploy and operate Firetiger resources in your account.
  2. Account ownership: Your AWS account is owned and managed by you, the customer. Firetiger does not take ownership of your account.
  3. Consent: Firetiger employees may assume the deployment role only with explicit customer consent for the specific access window and purpose.
  4. Authentication and authorization: Firetiger employee access to AWS resources is managed via AWS SSO, with enforced multi‑factor authentication for all logins.
  5. Auditability: All account activity is auditable via AWS CloudTrail. CloudTrail should be enabled by default for new AWS Accounts. The customer is responsible for configuring it to meet organizational requirements.

For more details on Firetiger’s Access Policy and other controls, please visit https://trust.firetiger.com or contact us.
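The consent and auditability principles above can be checked against CloudTrail records. The following is an added example, not Firetiger's or AWS's code: it finds every AssumeRole call on the role and flags calls from an unexpected account or outside a recorded consent window. The consent-window list is a hypothetical record kept by the customer, the sample events are constructed, and since this page does not say how automation and employee sessions are told apart, every assumption outside a window is listed for follow-up.

```python
from datetime import datetime, timezone

ROLE_NAME = "CrossAccountAccessForFiretiger"  # role name from the template in this guide
FIRETIGER_ACCOUNT = "975050257559"            # account ID given in this guide

def parse_time(value):
    """CloudTrail eventTime is UTC ISO 8601, e.g. 2025-01-15T09:30:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def role_assumptions(records):
    """Yield (time, caller account, session name) for each AssumeRole on the role."""
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("sts.amazonaws.com", "AssumeRole"):
            continue
        params = rec.get("requestParameters") or {}
        if not params.get("roleArn", "").endswith(":role/" + ROLE_NAME):
            continue
        caller = (rec.get("userIdentity") or {}).get("accountId", "unknown")
        yield parse_time(rec["eventTime"]), caller, params.get("roleSessionName", "")

def review(records, consent_windows):
    """Flag assumptions from another account or outside every consent window."""
    flagged = []
    for when, caller, session in role_assumptions(records):
        if caller != FIRETIGER_ACCOUNT:
            flagged.append((when.isoformat(), session, "unexpected caller account " + caller))
        elif not any(start <= when <= end for start, end in consent_windows):
            flagged.append((when.isoformat(), session, "outside consent window"))
    return flagged

# Constructed sample records, trimmed to the fields used; account IDs other than
# Firetiger's are placeholders.
def event(time, account, session, name="AssumeRole"):
    return {"eventSource": "sts.amazonaws.com", "eventName": name, "eventTime": time,
            "userIdentity": {"type": "AWSAccount", "accountId": account},
            "requestParameters": {"roleArn": "arn:aws:iam::000000000000:role/" + ROLE_NAME,
                                  "roleSessionName": session}}

SAMPLE = [event("2025-01-15T09:30:00Z", FIRETIGER_ACCOUNT, "deploy"),
          event("2025-01-16T02:10:00Z", FIRETIGER_ACCOUNT, "engineer"),
          event("2025-01-16T03:00:00Z", "111122223333", "other"),
          event("2025-01-16T03:05:00Z", FIRETIGER_ACCOUNT, "x", name="GetCallerIdentity")]
WINDOWS = [(parse_time("2025-01-15T09:00:00Z"), parse_time("2025-01-15T11:00:00Z"))]

if __name__ == "__main__":
    for row in review(SAMPLE, WINDOWS):
        print(*row, sep="  ")
```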

