The AWS CloudFormation template creates a cross-account role that has both a unique external ID and a policy that allows Server & Workload Protection to access your AWS resources.
To accomplish this, the template first creates a temporary role with the permissions Server & Workload Protection needs. Using this role, it runs Lambda functions that perform the following actions:

Procedure

  1. Creates the cross-account role for Server & Workload Protection.
  2. Obtains the Amazon Resource Name (ARN) of the cross-account role.
  3. Sends the ARN to the Server & Workload Protection API.
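The following is an added example, not code from the Trend Micro template or its Lambda functions: it builds the kind of trust policy a cross-account role with an external ID uses (the condition that stops another tenant from assuming your role through the service, the confused-deputy case) and includes an audit helper that flags AssumeRole statements with no external ID. The trusted account ID, role name and external ID are placeholders; the real Lambda would pass the document to IAM when creating the role, which is out of scope here.

```python
"""Build and audit the trust policy of an external-ID protected cross-account role.

Hypothetical example; the trusted account ID and external ID are placeholders.
"""
import json

# Placeholder for the account that assumes the role (not a real account ID).
TRUSTED_ACCOUNT_ID = "111111111111"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy: only the trusted account may assume the role, and only
    when it presents the agreed external ID (confused-deputy protection)."""
    if not external_id:
        raise ValueError("external ID must be a non-empty string")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_statements_missing_external_id(policy: dict) -> list:
    """Audit helper: return every Allow statement granting sts:AssumeRole that
    has no sts:ExternalId condition, i.e. statements a defender should flag."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        # Any condition operator (StringEquals, ForAnyValue:StringEquals, ...) counts.
        condition = stmt.get("Condition", {})
        if not any("sts:ExternalId" in keys for keys in condition.values()):
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, "example-external-id")
    print(json.dumps(policy, indent=2))
    print("statements missing external ID:",
          len(assume_role_statements_missing_external_id(policy)))
```

The audit helper can be run over the trust policy of any existing cross-account role, not only the one this template creates.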

What to do next

Note
The Lambda functions cannot delete the original temporary role: after your AWS account has been added to Server & Workload Protection, you must remove it yourself by deleting the CloudFormation stack.
For more details, you can view the content of the CloudFormation template directly in AWS by editing it during the template selection process.