Installing the Policy Agent and Protector in Different AWS Accounts
The Policy Agent Lambda function and the Protect Lambda function can be installed in separate AWS accounts. However, additional configuration is required to authorize the Policy Agent to provision the security policy to a Protect Lambda function in the remote account.
Note
The Policy Agent will deploy an encrypted security policy file to an S3 bucket in the Protect function's AWS account.

Create Agent Lambda IAM policy
Log in to the AWS account that hosts the Protect Lambda function.
From the AWS IAM console, select Policies > Create Policy.
Select the JSON tab and copy the following snippet.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaUpdateFunction",
      "Effect": "Allow",
      "Action": [ "lambda:UpdateFunctionConfiguration" ],
      "Resource": [ "arn:aws:lambda:*:*:function:*" ]
    },
    {
      "Sid": "LambdaReadLayerVersion",
      "Effect": "Allow",
      "Action": [ "lambda:GetLayerVersion", "lambda:ListLayerVersions" ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaDeleteLayerVersion",
      "Effect": "Allow",
      "Action": "lambda:DeleteLayerVersion",
      "Resource": "arn:aws:lambda:*:*:layer:*:*"
    },
    {
      "Sid": "LambdaPublishLayerVersion",
      "Effect": "Allow",
      "Action": "lambda:PublishLayerVersion",
      "Resource": "arn:aws:lambda:*:*:layer:*"
    },
    {
      "Sid": "S3GetObject",
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "S3PutObject",
      "Effect": "Allow",
      "Action": [ "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "LambdaGetConfiguration",
      "Effect": "Allow",
      "Action": [ "lambda:GetFunctionConfiguration" ],
      "Resource": [ "arn:aws:lambda:*:*:function:*" ]
    }
  ]
}
Replace the wildcards (*) with the region, account, and resource name information where required.
Select Review policy, type in the policy name, and confirm. Record the policy name:
Agent Lambda Cross Account Policy Name: ___________________
Create Policy Agent cross-account IAM Role
Log in to the AWS account that hosts the Protect Lambda function.
From the AWS IAM console, select Roles > Create Role.
Select AWS Service > Lambda. Proceed to Permissions.
Select the policy created in the step above. Proceed to Tags.
Specify a tag and proceed to the final screen. Type in the role name and confirm. Record the name.
Policy Agent Cross Account IAM Role Name: ___________________
Allow the Policy Agent Cross-Account Role to be Assumed by the Policy Agent IAM Role
Log in to the AWS account that hosts the Protect Lambda function.
Navigate to the previously created IAM Role (Agent Lambda Cross-Account IAM Role Name).
Navigate to Trust Relationships > Edit Trust Relationships.
Modify the Policy Document, replacing the placeholder value indicated in the following snippet as <Agent Lambda IAM Execution Role ARN> with the ARN of the Agent Lambda IAM Execution Role that was created in Agent Installation. The Principal must be the full role ARN, not the role name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "<Agent Lambda IAM Execution Role ARN>" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Click Update Trust Policy.
Add Assume Role to the Policy Agent Execution IAM Role
Log in to the AWS account that hosts the Policy Agent.
Navigate to the Agent Lambda IAM Execution Role that was created in Agent Installation.
Add Inline Policy.
Modify the Policy Document, replacing the placeholder value indicated in the following snippet as <Agent Lambda Cross-Account IAM ARN> with the ARN of the role recorded in Create Policy Agent cross-account IAM Role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "sts:AssumeRole" ],
      "Resource": "<Agent Lambda Cross-Account IAM ARN>"
    }
  ]
}
When you are finished, choose Review Policy.
On the Review policy page, type a Name, then choose Create Policy.
Update the Policy Agent Lambda Configuration
From the AWS console, navigate to Lambda, and select the Policy Agent Lambda function.
Select the Configuration tab > Environment variables.
Select Edit and add the following environment variable, using the Agent Lambda Cross-Account IAM ARN as its value:
Parameter              Value
AWS_ASSUME_ROLE        <Agent Lambda Cross-Account IAM ARN>
AWS_VPC_ENDPOINT_URL   <AWS_VPC_ENDPOINT> (only when a custom VPC endpoint hostname is used)

Ensure the values of the parameters AWS_POLICY_S3_BUCKET, AWS_PROTECT_FN_NAME and AWS_POLICY_LAYER_NAME all refer to resources in the Protect Lambda function's AWS account.
In case a custom VPC endpoint hostname configuration is used, you will also need to set AWS_VPC_ENDPOINT_URL. Refer to Policy Agent - Custom VPC Endpoint Hostname Configuration.
Click Save and run the Lambda. The Lambda will now assume the role in the Protect Lambda function's AWS account and update the policy across accounts.
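The four procedures above build one trust chain: the agent's execution role is allowed to call sts:AssumeRole on the cross-account role, the cross-account role's trust policy names the agent's execution role ARN as principal, and the cross-account role's permissions policy is scoped to the Protect account. The following pre-flight checks are an added example, not part of this documentation or of the product's own code: they take the three policy documents and the environment variables as they would be pasted into the console and report the mistakes that most often break the chain (a bare role name where the trust policy needs an ARN, a stray character appended to the sts:AssumeRole Resource, an account wildcard left in the permissions policy, and a missing environment variable). All account ids, role names, bucket and function names below are constructed placeholders.

```python
import re

# Constructed placeholder identifiers for the two accounts (not real accounts or roles).
AGENT_ACCOUNT = "111111111111"
PROTECT_ACCOUNT = "222222222222"
AGENT_ROLE_ARN = f"arn:aws:iam::{AGENT_ACCOUNT}:role/policy-agent-execution-role"
CROSS_ACCOUNT_ROLE_ARN = f"arn:aws:iam::{PROTECT_ACCOUNT}:role/policy-agent-cross-account-role"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

def _as_list(value):
    """IAM accepts a string or a list in Statement, Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _allow_statements(policy, action):
    """Yield the Allow statements of a policy document that grant the given action."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and action in _as_list(stmt.get("Action")):
            yield stmt

def check_trust_policy(trust_policy, agent_role_arn):
    """Protect account: the cross-account role must be assumable by the agent role ARN only."""
    problems, principals = [], []
    for stmt in _allow_statements(trust_policy, "sts:AssumeRole"):
        principal = stmt.get("Principal", {})
        principals.extend(_as_list(principal.get("AWS") if isinstance(principal, dict) else principal))
    if not principals:
        problems.append("trust policy grants sts:AssumeRole to no AWS principal")
    for principal in principals:
        if not ROLE_ARN_RE.match(principal):
            problems.append(f"principal is not a role ARN: {principal!r}")
        elif principal != agent_role_arn:
            problems.append(f"principal {principal} is not the agent execution role")
    return problems

def check_assume_role_policy(inline_policy, cross_account_role_arn):
    """Agent account: the inline policy must allow sts:AssumeRole on exactly the cross-account role."""
    problems, resources = [], []
    for stmt in _allow_statements(inline_policy, "sts:AssumeRole"):
        resources.extend(_as_list(stmt.get("Resource")))
    if not resources:
        problems.append("no Allow statement for sts:AssumeRole")
    for resource in resources:
        if resource != cross_account_role_arn:
            problems.append(f"sts:AssumeRole resource {resource!r} does not match the cross-account role ARN")
    return problems

def check_scoped_resources(permissions_policy, protect_account):
    """Protect account: report ARNs with an account wildcard or a foreign account (S3 ARNs have none)."""
    problems = []
    for stmt in _as_list(permissions_policy.get("Statement")):
        for resource in _as_list(stmt.get("Resource")):
            parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6 or parts[0] != "arn" or parts[4] == "":
                continue
            sid = stmt.get("Sid", "?")
            if parts[4] == "*":
                problems.append(f"{sid}: account wildcard left in {resource}")
            elif parts[4] != protect_account:
                problems.append(f"{sid}: {resource} is not in the Protect account")
    return problems

def check_environment(env, cross_account_role_arn):
    """Agent Lambda: AWS_ASSUME_ROLE must hold the cross-account role ARN; Protect-side parameters must be set."""
    problems = []
    if env.get("AWS_ASSUME_ROLE") != cross_account_role_arn:
        problems.append("AWS_ASSUME_ROLE does not equal the cross-account role ARN")
    for name in ("AWS_POLICY_S3_BUCKET", "AWS_PROTECT_FN_NAME", "AWS_POLICY_LAYER_NAME"):
        if not env.get(name):
            problems.append(f"{name} is not set")
    return problems

# Constructed sample documents carrying three easy-to-make mistakes: a bare role name as the
# trust principal, a stray period after the Resource ARN, and an account wildcard left in place.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "policy-agent-execution-role"}, "Action": "sts:AssumeRole"}]}
ASSUME_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": CROSS_ACCOUNT_ROLE_ARN + "."}]}
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LambdaUpdateFunction", "Effect": "Allow", "Action": ["lambda:UpdateFunctionConfiguration"],
     "Resource": [f"arn:aws:lambda:eu-west-1:{PROTECT_ACCOUNT}:function:protect-fn"]},
    {"Sid": "LambdaPublishLayerVersion", "Effect": "Allow", "Action": "lambda:PublishLayerVersion",
     "Resource": "arn:aws:lambda:eu-west-1:*:layer:*"},
    {"Sid": "S3PutObject", "Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::protect-policy-bucket/*"}]}
ENVIRONMENT = {"AWS_ASSUME_ROLE": CROSS_ACCOUNT_ROLE_ARN, "AWS_POLICY_S3_BUCKET": "protect-policy-bucket",
               "AWS_PROTECT_FN_NAME": "protect-fn"}  # AWS_POLICY_LAYER_NAME deliberately missing

def run_checks(trust_policy, assume_role_policy, permissions_policy, env):
    """Run every check and return the findings keyed by the document they concern."""
    return {
        "trust_policy": check_trust_policy(trust_policy, AGENT_ROLE_ARN),
        "assume_role_policy": check_assume_role_policy(assume_role_policy, CROSS_ACCOUNT_ROLE_ARN),
        "permissions_policy": check_scoped_resources(permissions_policy, PROTECT_ACCOUNT),
        "environment": check_environment(env, CROSS_ACCOUNT_ROLE_ARN),
    }

if __name__ == "__main__":
    for document, findings in run_checks(TRUST_POLICY, ASSUME_ROLE_POLICY, PERMISSIONS_POLICY, ENVIRONMENT).items():
        print(document, "OK" if not findings else "; ".join(findings))
```

Run against the constructed documents, every check reports exactly one finding; with the ARN placeholders filled in as the steps above describe, each function returns an empty list. The checks deliberately say nothing about the S3 statements, whose ARNs carry no account field: confirm the bucket's ownership in the Protect account separately.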