
Customer Access

Codified setup of trusted access for 3rd party service or solution providers to your AWS account(s).

Quick Start

Need a refresh on how to use and configure patterns?

Pattern Basics

  • What is a worX pattern?
  • What are the different types of pattern?
  • What standards are used in patterns?
  • What if I already use Terraform?
  • How can I use patterns alongside my existing Terraform?

Configuring Patterns

  • How are patterns configured?
  • What are Pattern Features and Unit Features?
  • How can I understand the impact of enabling a feature?
  • What else can I configure in a pattern?

Accessing worX

  • How do I register an account?
  • How do I access the patterns?
  • How do I integrate with Terraform?
  • Where can I find examples?

Pattern Summary

This pattern represents one side of a pair of patterns that provide a means for AWS service providers to connect securely to AWS customer accounts without having to create IAM users or share API credentials that may be allocated elevated permissions.

This pattern can be used by the AWS service provider to assign and manage their engineers' access to customer accounts, with some additional settings that restrict how these permissions can be accessed.

Service Provider Flow

  1. Using a designated customer or security AWS account, the service provider makes the customer IAM Roles available to their own engineers
  2. Additional granularity can be added by creating separate Roles or permission sets for each customer, allowing only specific team members to access specific customers
  3. When needed, the customer permissions can only be accessed by assuming these cross-account IAM Roles using the 2nd factor provided by the customer


Pattern Features


Feature Information

  Description: Attaches cross account access policy to IAM groups/roles.
  Default State: Disabled

Feature Options

  • customer_managed_policy_name

    Setting is? Optional
    Default value: None
  • groups

    Setting is? Optional
    Default value: ['example_group_1', 'example_group_2']
  • roles

    Setting is? Optional
    Default value: ['example_role_1', 'example_role_2']


Feature Information

  Description: Attaches cross account access policy to IAM IC permission sets.
  Default State: Disabled

Feature Options

  • inline_policy

    Setting is? Optional
    Default value: False
  • customer_managed_policy_name

    Setting is? Optional
    Default value: None
  • permission_set_names

    Setting is? Required
    Example value: ['permission_name']

Pattern Options

  • external_iam_role_arn

    Setting is? Required
    Example value: arn:aws:iam::1234456789123:role/RoleName
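
A pre-deployment check for the required external_iam_role_arn option, as an added example that is not part of the worX pattern: it confirms the value names exactly one IAM role and renders a standard sts:AssumeRole identity policy scoped to that role. The function names and the policy shape are assumptions (the page does not show the policy the pattern attaches), and the sample ARNs other than the reference example's value are constructed.

```python
import json
import re

# One concrete IAM role ARN; path segments are limited to role-name characters.
ROLE_ARN_RE = re.compile(
    r"arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/"
    r"((?:[\w+=,.@-]+/)*)([\w+=,.@-]{1,64})",
    re.ASCII,
)

# Constructed samples; only the first is the reference example's value.
SAMPLES = [
    "arn:aws:iam::123456789012:role/HT-DEV-GBL-ServiceProvider-Role",
    "arn:aws:iam::1234567890123:role/RoleName",  # 13-digit account ID
    "arn:aws:iam::123456789012:role/*",          # wildcard, not one role
]


def parse_role_arn(arn):
    """Split a role ARN into its parts; raise ValueError if it is not one role."""
    m = ROLE_ARN_RE.fullmatch(arn)
    if m is None:
        raise ValueError(f"not a concrete IAM role ARN: {arn!r}")
    partition, account_id, path, name = m.groups()
    return {"partition": partition, "account_id": account_id,
            "path": "/" + path, "role_name": name}


def assume_role_policy(arn):
    """Assumed policy shape (not shown on the page): sts:AssumeRole on one role."""
    parse_role_arn(arn)  # refuse to render a policy for an unvalidated resource
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "AssumeCustomerRole", "Effect": "Allow",
                           "Action": "sts:AssumeRole", "Resource": arn}]}


def review(arns):
    """Return the ARNs that fail validation, in input order."""
    bad = []
    for arn in arns:
        try:
            parse_role_arn(arn)
        except ValueError:
            bad.append(arn)
    return bad


if __name__ == "__main__":
    print("rejected:", review(SAMPLES))
    print(json.dumps(assume_role_policy(SAMPLES[0]), indent=2))
```

Running the check before `terraform plan` catches a mistyped account ID or a wildcard resource before it reaches an attached policy.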

Reference Example

Below is a complete reference example that you can use to get started. You can find out how to access the entire pattern library and configure your Terraform workspace in the "How do I access worX?" guide in the Core Concepts section of the documentation.

Create the following files, with the contents shown, in a working directory of your choosing.

Terraform Code
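# Provider config
terraform {

  required_version = "~> 1.5"

  required_providers {
    aws = {
      version = "~> 5.0"
      source  = "hashicorp/aws"
    }
  }
}

# Pattern usage
module "worx_customer_access" {

  # Module source is blank on this page; set it to the pattern's registry address
  source  = ""
  version = "1.1.1"

  # Pattern configuration is read from the YAML file shown below
  configuration_file = pathexpand("example.yml")
}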


Pattern Configuration

org: "HT"
lifecycle: "DEV"
Project: CA

enabled: true
- development
enabled: false
inline_policy: false
- AdministratorAccess
- ReadOnlyAccess

external_iam_role_arn: arn:aws:iam::123456789012:role/HT-DEV-GBL-ServiceProvider-Role

Deploying Pattern

# Initialise and download any providers and modules
terraform init

# Compile and show the target state for resources to be managed
terraform plan -out=worx.plan

# Deploy and manage the resources
terraform apply worx.plan