AWS Cloud Discovery Setup – Use Case Guide with CloudFormation Templates

Summary: This document guides you through selecting the appropriate AWS Cloud Discovery setup based on your architecture and executing the correct CloudFormation Templates (CFTs) with the required parameters.

Download AWS CloudFormation Templates (CFTs)

These scripts automate the AWS setup required to run Cloud Discovery according to your specific architecture.

How to Deploy CFTs on AWS:

Option 1: Using CloudFormation Stack (Single Account)

Use this if you are deploying a CFT in a single AWS account (e.g., setting up a role or IAM user in an accessor, management, or member account).

Steps:
1. Log in to the AWS Console as an admin user (or a user with the required CloudFormation and IAM permissions).
2. Go to CloudFormation > Stacks in the AWS Console.
3. Click “Create stack” → “With new resources (standard)”.
4. Choose the template (upload a .yaml file or provide an S3 URL).
5. Click Next and fill in the parameters as per your selected use case.
6. Configure options (tags, IAM role if needed), then click Next.
7. Review the stack configuration, acknowledge IAM capabilities, and click “Create stack”.
8. Wait for the stack status to change to CREATE_COMPLETE.

Option 2: Using CloudFormation StackSets (Multiple Accounts/Regions)

Use this to roll out templates across multiple accounts (e.g., to create discovery roles in all member accounts).
Steps:
1. Log in to the AWS Console as an admin user in the management account (or a user with cloudformation:*, organizations:*, and iam:PassRole permissions).
2. Go to CloudFormation > StackSets.
3. Click “Create StackSet” and choose your template (upload or S3 URL).
4. Enter a StackSet name and fill in the required parameters.
5. Set deployment targets: either AWS Organizational Units (OUs) or individual Account IDs.
6. Select the regions to deploy the stack in.
7. Choose the permissions model: Service-managed (recommended for AWS Organizations) or Self-managed.
8. Click Submit to deploy.
9. Monitor the deployment status in the Stack instances tab until all stacks show CURRENT.

Example Deployment Mapping:

Template File                                               | Deploy In                                  | Method   | Purpose
CreateDiscoveryUser.yml                                     | Accessor / Management / Member Account     | Stack    | IAM User Creation
CreateManagementDiscoveryAccessRole.yml                     | Management Account                         | Stack    | Management Role Setup
CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml  | Member Accounts                            | StackSet | Member Role Creation
EC2InstanceRole.yml                                         | Accessor / Management / Member EC2 Account | Stack    | EC2 Role Setup

Setup Flow Chart: [diagram]

Use Cases and Execution Flow:

1. IAM User → Member (Same Account)

Use When: You have a standalone AWS account and want to discover resources within the same account.

CFTs to Run:
- CreateDiscoveryUser.yml

Execution Order:
1. Run CreateDiscoveryUser.yml in the member account.

Parameters:
CreateDiscoveryUser.yml:
  SingleAccountSetup = true
  IAMUserName = SnowAwsDiscoveryUser
  IsDiscoveryStartFromAccessor = false
  IsRoleChainDiscovery = false

How It Works: An IAM user is created with the managed policies needed for discovery within a single account. No role assumption is required. This is the simplest setup for sandbox or standalone usage.

2. IAM User (Management) → Member

Use When: An IAM user in a management account needs to discover resources from the management account and from multiple member accounts.
CFTs to Run:
- CreateDiscoveryUser.yml (management)
- CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml (member)

Execution Order:
1. Run CreateDiscoveryUser.yml in the management account.
2. Run CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml in the member account.

Parameters:
CreateDiscoveryUser.yml:
  SingleAccountSetup = false
  IAMUserName = <ServiceNowUserName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementDiscoveryRoleName = <ManagementDiscoveryRoleName>
  IsDiscoveryStartFromAccessor = false
  IsRoleChainDiscovery = false

CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementOrAccessorAccountId = <ManagementAccountId>
  ServiceNowUserName = <ServiceNowUserName>
  Ec2InstanceRoleArn = ""

How It Works: The IAM user in the management account directly assumes the discovery roles in the member accounts, and accesses management-account resources through the managed policy attached to the user. No intermediate role is required.

3. IAM User (Accessor) → Management → Member

Use When: The IAM user is in a separate accessor account and needs to discover across both the management and member accounts.
CFTs to Run:
- CreateDiscoveryUser.yml (accessor)
- CreateManagementDiscoveryAccessRole.yml (management)
- CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml (member)

Execution Order:
1. Run CreateDiscoveryUser.yml in the accessor account.
2. Run CreateManagementDiscoveryAccessRole.yml in the management account, with trust to the accessor user.
3. Run CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml in the member account, with trust to the management role.

Parameters:
CreateDiscoveryUser.yml:
  SingleAccountSetup = false
  IAMUserName = <ServiceNowUserName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementDiscoveryRoleName = <ManagementDiscoveryRoleName>
  IsDiscoveryStartFromAccessor = true
  IsRoleChainDiscovery = true

CreateManagementDiscoveryAccessRole.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  IsUserCreatedInAccessor = true
  AccessorAccountId = <AccessorAccountId>
  ServiceNowUserName = <ServiceNowUserName>
  Ec2InstanceRoleArn = ""
  IsRoleChainDiscovery = true

CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementOrAccessorAccountId = <ManagementAccountId>
  ServiceNowUserName = ""
  Ec2InstanceRoleArn = ""

How It Works: The IAM user in the accessor account first assumes the management role. The management role, in turn, assumes the member role. This chained trust model supports secure and scalable multi-account discovery.

4. IAM User (Accessor) → Management + Member (Direct)

Use When: You want to discover both management and member account resources directly, using an IAM user in an accessor account.
CFTs to Run:
- CreateDiscoveryUser.yml (accessor)
- CreateManagementDiscoveryAccessRole.yml (management)
- CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml (member)

Execution Order:
1. Run CreateDiscoveryUser.yml in the accessor account.
2. Run CreateManagementDiscoveryAccessRole.yml in the management account.
3. Run CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml in the member account.

Parameters:
CreateDiscoveryUser.yml:
  SingleAccountSetup = false
  IAMUserName = <ServiceNowUserName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementDiscoveryRoleName = <ManagementDiscoveryRoleName>
  IsDiscoveryStartFromAccessor = true
  IsRoleChainDiscovery = false

CreateManagementDiscoveryAccessRole.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  IsUserCreatedInAccessor = true
  AccessorAccountId = <AccessorAccountId>
  ServiceNowUserName = <ServiceNowUserName>
  Ec2InstanceRoleArn = ""
  IsRoleChainDiscovery = false

CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementOrAccessorAccountId = <AccessorAccountId>
  ServiceNowUserName = <ServiceNowUserName>
  Ec2InstanceRoleArn = ""

How It Works: The IAM user first assumes the discovery role in the management account, then the member discovery role. Both roles trust the IAM user: their trust policies are configured to allow access from the IAM user in the accessor account.

5. EC2 → Member (Same Account)

Use When: An EC2 instance in a member account performs discovery only in that account.

CFTs to Run:
- EC2InstanceRole.yml (member)

Execution Order:
1. Run EC2InstanceRole.yml in the member account.

Parameters:
EC2InstanceRole.yml:
  SingleAccountSetup = true
  RoleName = <SnowEc2InstanceDiscoveryRole>
  IsDiscoveryStartFromAccessor = false
  IsRoleChainDiscovery = false

How It Works: The EC2 instance uses an instance profile with all necessary discovery permissions granted directly. No discovery role or trust configuration is needed.

6. EC2 (Management) → Member

Use When: An EC2 instance in the management account performs discovery across the management and member accounts.

CFTs to Run:
- EC2InstanceRole.yml (management)
- CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml (member)

Execution Order:
1. Run EC2InstanceRole.yml in the management account.
2. Run CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml in the member account.

Parameters:
EC2InstanceRole.yml:
  SingleAccountSetup = false
  RoleName = <SnowEc2InstanceDiscoveryRole>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementDiscoveryRoleName = <ManagementDiscoveryRoleName>
  IsDiscoveryStartFromAccessor = false
  IsRoleChainDiscovery = false

CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementOrAccessorAccountId = ""
  Ec2InstanceRoleArn = <EC2 Role ARN>
  ServiceNowUserName = ""

How It Works: The EC2 instance directly assumes the member roles. Discovery in the management account is handled via the instance profile.

7. EC2 (Accessor) → Management → Member

Use When: An EC2 instance in an accessor account performs full discovery across the management and member accounts.
CFTs to Run:
- EC2InstanceRole.yml (accessor)
- CreateManagementDiscoveryAccessRole.yml (management)
- CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml (member)

Execution Order:
1. Run EC2InstanceRole.yml in the accessor account.
2. Run CreateManagementDiscoveryAccessRole.yml in the management account, passing Ec2InstanceRoleArn.
3. Run CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml in the member account.

Parameters:
EC2InstanceRole.yml:
  SingleAccountSetup = false
  RoleName = <SnowEc2InstanceDiscoveryRole>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementDiscoveryRoleName = <ManagementDiscoveryRoleName>
  IsDiscoveryStartFromAccessor = true
  IsRoleChainDiscovery = true

CreateManagementDiscoveryAccessRole.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  IsUserCreatedInAccessor = false
  AccessorAccountId = ""
  Ec2InstanceRoleArn = <ARN from EC2InstanceRole.yml>
  ServiceNowUserName = ""
  IsRoleChainDiscovery = true

CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementOrAccessorAccountId = <ManagementAccountId>
  Ec2InstanceRoleArn = ""
  ServiceNowUserName = ""

How It Works: The EC2 instance in the accessor account assumes the management discovery role (via trust), and then the member role (which trusts the management role). This supports secure delegation and cross-account discovery end-to-end.

8. EC2 (Accessor) → Management + Member (Direct)

Use When: An EC2 instance in an accessor account performs full discovery across the management and member accounts directly.
CFTs to Run:
- EC2InstanceRole.yml (accessor)
- CreateManagementDiscoveryAccessRole.yml (management)
- CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml (member)

Execution Order:
1. Run EC2InstanceRole.yml in the accessor account.
2. Run CreateManagementDiscoveryAccessRole.yml in the management account, passing Ec2InstanceRoleArn.
3. Run CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml in the member account.

Parameters:
EC2InstanceRole.yml:
  SingleAccountSetup = false
  RoleName = <SnowEc2InstanceDiscoveryRole>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementDiscoveryRoleName = <ManagementDiscoveryRoleName>
  IsDiscoveryStartFromAccessor = true
  IsRoleChainDiscovery = false

CreateManagementDiscoveryAccessRole.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  IsUserCreatedInAccessor = false
  AccessorAccountId = ""
  Ec2InstanceRoleArn = <ARN from EC2InstanceRole.yml>
  ServiceNowUserName = ""
  IsRoleChainDiscovery = false

CreateSnowAwsCloudDiscoveryPatternsRoleInMemberAccount.yml:
  ManagementRoleName = <ManagementRoleName>
  MemberDiscoveryRoleName = <MemberDiscoveryRoleName>
  ManagementOrAccessorAccountId = ""
  Ec2InstanceRoleArn = <ARN from EC2InstanceRole.yml>
  ServiceNowUserName = ""

How It Works: The member roles are trusted directly by the EC2 instance role. The EC2 instance assumes the management role only for management-resource discovery; the management role is not allowed to assume the member roles.
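After the stacks are in place, the check worth running in every multi-account use case is that the member discovery role trusts only the principal its use case intends: the management role in use cases 3 and 7, the IAM user in 2 and 4, the EC2 instance role in 6 and 8. The Python below is an added example, not one of the ServiceNow templates; it assumes the member role's trust principal follows the parameter tables above (Ec2InstanceRoleArn when set, otherwise ServiceNowUserName in ManagementOrAccessorAccountId, otherwise ManagementRoleName in that account), and the account IDs, role names and sample trust policy are constructed.

```python
"""Post-deployment audit of the member discovery role's trust policy.
Added example, not a ServiceNow CFT. ASSUMPTION: the member role trusts one
principal derived from its template parameters as the tables above list them.
Account IDs, role names and the sample policy are constructed."""


def expected_member_principal(p: dict) -> str:
    """Principal the member role should trust, from the CFT parameters."""
    if p.get("Ec2InstanceRoleArn"):                  # use cases 6 and 8
        return p["Ec2InstanceRoleArn"]
    acct = p["ManagementOrAccessorAccountId"]
    if p.get("ServiceNowUserName"):                  # use cases 2 and 4
        return f"arn:aws:iam::{acct}:user/{p['ServiceNowUserName']}"
    return f"arn:aws:iam::{acct}:role/{p['ManagementRoleName']}"  # 3 and 7


def principals_allowed_to_assume(trust_policy: dict) -> set:
    """Every AWS principal an Allow statement lets call sts:AssumeRole."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                          # anyone at all
            found.add("*")
            continue
        aws = principal.get("AWS", [])
        found.update([aws] if isinstance(aws, str) else aws)
    return found


def audit_member_role_trust(trust_policy: dict, params: dict) -> list:
    """Principals that can assume the member role but should not be able to."""
    expected = expected_member_principal(params)
    return sorted(principals_allowed_to_assume(trust_policy) - {expected})


# Constructed: use case 3 parameters, plus a trust policy that also admits the
# whole accessor account, which the chained model of use case 3 must not allow.
UC3_PARAMS = {"ManagementRoleName": "SnowManagementDiscoveryRole",
              "MemberDiscoveryRoleName": "SnowMemberDiscoveryRole",
              "ManagementOrAccessorAccountId": "111111111111",
              "ServiceNowUserName": "", "Ec2InstanceRoleArn": ""}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": [
        "arn:aws:iam::111111111111:role/SnowManagementDiscoveryRole",
        "arn:aws:iam::222222222222:root"]}}]}

if __name__ == "__main__":
    print(audit_member_role_trust(SAMPLE_TRUST, UC3_PARAMS))
```

Against a live deployment, feed audit_member_role_trust the AssumeRolePolicyDocument that IAM GetRole returns for the member role, with the same parameter values you passed to the stack; an empty result means only the intended principal can assume it.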