Go directly to CloudFormation in the AWS console, or proceed manually with the template below.

CloudFormation Template

This template creates a read-only IAM role and establishes a trust relationship with KeyCore's backend account, allowing our code to assume this role. This is required for us to generate a report on your account status.

CIS - Center for Internet Security

Review CloudFormation template

The YAML template below is all it takes. As you can see, it gives only read permissions to your account.

AWSTemplateFormatVersion: 2010-09-09
Description: This template creates a cross account role for allowing KeyCores automated Compliance Reporting to access readonly information
Outputs:
  ReportURL:
    Description: Unique URL to generate reports for this account
    Value: !Sub 
      - "https://compliance.keycore.dk/v1/evaluate/${id}"
      - { id: !GetAtt InstallHandler.id }
  ReporterRoleARN:
    Description: The ARN of the reporter role that can be assumed by KeyCore provided functions and rules
    Value: 
      Fn::GetAtt: 
        - ReporterRole
        - Arn
Parameters:
  AccountNumber:
    AllowedPattern: "[0-9]+"
    Description: The 12 digit AWS account number to grant view-only access to.
    MaxLength: '12'
    MinLength: '12'
    Default: '441016470235' 
    Type: String
Resources:
  ReporterRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: KeyCore-GDPR-Reporter-${AccountNumber}
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - 
            Effect: Allow
            Action: sts:AssumeRole
            Principal:
              AWS:
                - Fn::Sub: arn:aws:iam::${AccountNumber}:root
                - Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
        - arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess
        - arn:aws:iam::aws:policy/IAMReadOnlyAccess
        - arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole
      Policies:
        - 
          PolicyName: KeyCore-GDPR-Reporter
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - 
                Effect: Allow
                Action:
                  - kms:ListKeys
                  - kms:GetKeyRotationStatus
                  - logs:DescribeMetricFilters
                  - s3:GetBucketLogging
                  - s3:GetBucketAcl
                  - sns:ListSubscriptionsByTopic
                  - organizations:DescribeAccount
                Resource: "*"
  InstallHandler: 
    Type: "Custom::RegisterRoleArn"
    DependsOn: ReporterRole
    Properties: 
      ServiceToken: !Sub
        - "arn:aws:sns:${region}:441016470235:ComplianceReportInstallerTopic"
        - { region: !Ref "AWS::Region" }
      RoleArn: !GetAtt ReporterRole.Arn
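
One way to check the template's read-only claim and its trust relationship before creating the stack, as an added example that is not KeyCore's code. It takes the role's trust policy, inline policy and managed-policy ARNs as plain dictionaries (copied here from the template above) and reports the principals outside your own account, any inline action that is not a Get/List/Describe call, and the managed policies whose name does not say ReadOnly. The function names and the placeholder account 111122223333 are assumptions.

```python
import re

# Constructed input: the role's policies as plain dicts, copied from the template
# on this page. 441016470235 is the template's AccountNumber default;
# 111122223333 is a placeholder for the account the stack is deployed in.
OWN_ACCOUNT = "111122223333"
TRUST = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::441016470235:root",
                          "arn:aws:iam::111122223333:root"]}}]}
INLINE = {"Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["kms:ListKeys", "kms:GetKeyRotationStatus",
               "logs:DescribeMetricFilters", "s3:GetBucketLogging",
               "s3:GetBucketAcl", "sns:ListSubscriptionsByTopic",
               "organizations:DescribeAccount"]}]}
MANAGED = ["arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
           "arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess",
           "arn:aws:iam::aws:policy/IAMReadOnlyAccess",
           "arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole"]

READ_ACTION = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z0-9]*$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def external_principals(trust, own_account):
    """(principal, has_condition) for every allowed principal outside own_account."""
    found = []
    for stmt in as_list(trust["Statement"]):
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns if stmt.get("Effect") == "Allow" else []:
            if f"::{own_account}:" not in arn:
                found.append((arn, bool(stmt.get("Condition"))))
    return found

def non_read_actions(policy):
    """Allowed actions whose verb is not Get*, List* or Describe*."""
    return [a for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"
            for a in as_list(s["Action"]) if not READ_ACTION.match(a)]

def managed_to_inspect(arns):
    """Managed policies not named *ReadOnly*; their documents need a manual read."""
    return [a for a in arns if "ReadOnly" not in a.rsplit("/", 1)[-1]]

if __name__ == "__main__":
    print("external principals:", external_principals(TRUST, OWN_ACCOUNT))
    print("non-read inline actions:", non_read_actions(INLINE))
    print("managed policies to inspect:", managed_to_inspect(MANAGED))
```

A `False` next to a principal means the trust statement that admits it has no `Condition` block. A managed policy returned by `managed_to_inspect` is not necessarily a write policy; its name simply does not settle the question, so read its policy document in the IAM console.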
         

Create a new Stack based on template

Copy the code above to a .yml file or click here to go directly to CloudFormation.

Copy report URL from Stack Output

When the CloudFormation stack is created, the stack outputs will contain a unique URL you can use to generate the report.