Create a role for IT Analytics Data Collection

Log in to the AWS account that is not the Payer Account.
In the AWS IAM window, select Roles.
Enter a role name that identifies it as the role specifically for data collection, such as readOnlyAccessForCollection. The name you enter cannot be changed once the role is created.
Select the Role Type: Role for Cross-Account Access > Provide access between AWS accounts you own.
Establish Trust using the Account ID of the Payer Account, but do not require the MFA.
Attach the AWS-supplied ReadOnlyAccess policy.
Before creating the role, review the role information to ensure that the following information is correct:
- Role Name: Role named specifically for IT Analytics data collection.
- Trusted Entity: ID of the Payer Account.
- Policy: ReadOnlyAccess.
Copy the Role ARN to the clipboard. You will use this copied ARN (Amazon Resource Name) when you add the role to the IAM user.
See Add the role to the IAM user.
Click Create Role to link the accounts.
Add the roles to the IAM user.