IAM configuration

Hierarchy

  • IamConfig

Implements

Constructors

  • Parameters

    • Optional values: {
          groupSets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; groups: { ...; }[]; })[];
          identityCenter: undefined | ({ name: string; delegatedAdminAccount: string | undefined; identityCenterPermissionSets: { name: string; policies: { awsManaged: string[] | undefined; customerManaged: string[] | undefined; acceleratorManaged: string[] | undefined; inlinePolicy: string | undefined; permissionsBoundary: { ...; } | undefined; } | unde...);
          managedActiveDirectories: undefined | ({ name: string; account: string; region: string; dnsName: string; netBiosDomainName: string; description: string | undefined; edition: string; vpcSettings: { vpcName: string; subnets: string[]; }; ... 5 more ...; activeDirectoryConfigurationInstance: { ...; } | undefined; })[];
          policySets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; identityCenterDependency: boolean | undefined; policies: { ...; }[]; })[];
          providers: undefined | ({ name: string; metadataDocument: string; })[];
          roleSets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; path: string | undefined; roles: { ...; }[]; })[];
          userSets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; users: { ...; }[]; })[];
      }
      • groupSets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; groups: { ...; }[]; })[]
      • identityCenter: undefined | ({ name: string; delegatedAdminAccount: string | undefined; identityCenterPermissionSets: { name: string; policies: { awsManaged: string[] | undefined; customerManaged: string[] | undefined; acceleratorManaged: string[] | undefined; inlinePolicy: string | undefined; permissionsBoundary: { ...; } | undefined; } | unde...)
      • managedActiveDirectories: undefined | ({ name: string; account: string; region: string; dnsName: string; netBiosDomainName: string; description: string | undefined; edition: string; vpcSettings: { vpcName: string; subnets: string[]; }; ... 5 more ...; activeDirectoryConfigurationInstance: { ...; } | undefined; })[]
      • policySets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; identityCenterDependency: boolean | undefined; policies: { ...; }[]; })[]
      • providers: undefined | ({ name: string; metadataDocument: string; })[]
      • roleSets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; path: string | undefined; roles: { ...; }[]; })[]
      • userSets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; users: { ...; }[]; })[]

    Returns IamConfig

Properties

groupSets: GroupSetConfig[] = []

Group set configuration

Remarks

To configure an IAM group named Administrators in the Root and Infrastructure organizational units, provide the following values for this parameter.

Example

groupSets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    groups:
      - name: Administrators
        policies:
          awsManaged:
            - AdministratorAccess

See

IamConfig / GroupSetConfig

identityCenter: undefined | IdentityCenterConfig = undefined

Identity Center configuration

Remarks

To configure Identity Center, provide the following values for this parameter.

Example

identityCenter:
  name: identityCenter1
  delegatedAdminAccount: Audit
  identityCenterPermissionSets:
    - name: PermissionSet1
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/AdministratorAccess
          - PowerUserAccess
        customerManaged:
          - ResourceConfigurationCollectorPolicy
        acceleratorManaged:
          - AcceleratorManagedPolicy01
          - AcceleratorManagedPolicy02
        inlinePolicy: iam-policies/sso-permissionSet1-inline-policy.json
        permissionsBoundary:
          customerManagedPolicy:
            name: AcceleratorManagedPolicy
            path: /
          awsManagedPolicyName: PowerUserAccess
      sessionDuration: 60
  identityCenterAssignments:
    - name: Assignment1
      permissionSetName: PermissionSet1
      principals:
        - type: USER
          name: accelerator
        - type: GROUP
          name: admin
      deploymentTargets:
        accounts:
          - LogArchive

See

IamConfig / IdentityCenterConfig

managedActiveDirectories: undefined | ManagedActiveDirectoryConfig[] = undefined

Managed active directory configuration

Remarks

To configure an AWS Managed Microsoft AD of Enterprise edition, together with an accelerator-provisioned EC2 instance that pre-configures directory users and groups, provide the following values for this parameter.

Example

managedActiveDirectories:
  - name: AcceleratorManagedActiveDirectory
    type: AWS Managed Microsoft AD
    account: Network
    region: us-east-1
    dnsName: example.com
    netBiosDomainName: example
    description: Example managed active directory
    edition: Enterprise
    resolverRuleName: example-com-rule
    vpcSettings:
      vpcName: ManagedAdVpc
      subnets:
        - subnet1
        - subnet2
    secretConfig:
      account: Audit
      region: us-east-1
      adminSecretName: admin
    sharedOrganizationalUnits:
      organizationalUnits:
        - Root
      excludedAccounts:
        - Management
    logs:
      groupName: /aws/directoryservice/AcceleratorManagedActiveDirectory
      retentionInDays: 30
    activeDirectoryConfigurationInstance:
      instanceType: t3.large
      vpcName: MyVpc
      subnetName: subnet
      imagePath: /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base
      securityGroupInboundSources:
        - 10.0.0.0/16
      instanceRole: EC2-Default-SSM-AD-Role
      enableTerminationProtection: false
      userDataScripts:
        - scriptName: JoinDomain
          scriptFilePath: ad-config-scripts/Join-Domain.ps1
        - scriptName: InitializeRDGW ## Do not Need
          scriptFilePath: ad-config-scripts/Initialize-RDGW.ps1
        - scriptName: AWSQuickStart
          scriptFilePath: ad-config-scripts/AWSQuickStart.psm1
        - scriptName: ADGroupSetup
          scriptFilePath: ad-config-scripts/AD-group-setup.ps1
        - scriptName: ADUserSetup
          scriptFilePath: ad-config-scripts/AD-user-setup.ps1
        - scriptName: ADUserGroupSetup
          scriptFilePath: ad-config-scripts/AD-user-group-setup.ps1
        - scriptName: ADGroupGrantPermissionsSetup
          scriptFilePath: ad-config-scripts/AD-group-grant-permissions-setup.ps1
        - scriptName: ADConnectorPermissionsSetup
          scriptFilePath: ad-config-scripts/AD-connector-permissions-setup.ps1
        - scriptName: ConfigurePasswordPolicy
          scriptFilePath: ad-config-scripts/Configure-password-policy.ps1
      adGroups:
        - aws-Provisioning
        - aws-Billing
      adPerAccountGroups:
        - "*-Admin"
        - "*-PowerUser"
        - "*-View"
      adConnectorGroup: ADConnector-grp
      sharedAccounts:
        - Management
        - Audit
        - LogArchive
      adPasswordPolicy:
        history: 24
        maximumAge: 90
        minimumAge: 1
        minimumLength: 14
        complexity: true
        reversible: false
        failedAttempts: 6
        lockoutDuration: 30
        lockoutAttemptsReset: 30
      adUsers:
        - name: adconnector-usr
          email: example-adconnector-usr@example.com
          groups:
            - ADConnector-grp
        - name: user1
          email: example-user1@example.com
          groups:
            - aws-Provisioning
            - "*-View"
            - "*-Admin"
            - "*-PowerUser"
            - AWS Delegated Administrators
        - name: user2
          email: example-user2@example.com
          groups:
            - aws-Provisioning
            - "*-View"

See

IamConfig / ManagedActiveDirectoryConfig

policySets: PolicySetConfig[] = []

Policy set configuration.

To configure an IAM policy named Default-Boundary-Policy, used as a permissions boundary and defined in the iam-policies/boundary-policy.json file, provide the following values for this parameter.

Example

policySets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    identityCenterDependency: false
    policies:
      - name: Default-Boundary-Policy
        policy: iam-policies/boundary-policy.json

See

IamConfig / PolicySetConfig

providers: SamlProviderConfig[] = []

SAML provider configuration

Remarks

To configure a SAML provider, provide the following values for this parameter. Replace the provider name and the metadata document file; the metadata document file must be in the config repository.

Example

providers:
  - name: <PROVIDER_NAME>
    metadataDocument: <METADATA_DOCUMENT_FILE>

See

IamConfig / SamlProviderConfig

roleSets: RoleSetConfig[] = []

Role sets configuration

Remarks

To configure the role EC2-Default-SSM-AD-Role, assumable by the EC2 service, in the Root and Infrastructure organizational units, provide the following values for this parameter. The role will carry the AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess and CloudWatchAgentServerPolicy policies, with its permissions boundary set to Default-Boundary-Policy.

Example

roleSets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    roles:
      - name: EC2-Default-SSM-AD-Role
        assumedBy:
          - type: service
            principal: ec2.amazonaws.com
        policies:
          awsManaged:
            - AmazonSSMManagedInstanceCore
            - AmazonSSMDirectoryServiceAccess
            - CloudWatchAgentServerPolicy
        boundaryPolicy: Default-Boundary-Policy

See

IamConfig / RoleSetConfig

userSets: UserSetConfig[] = []

User set configuration

Remarks

To configure the user breakGlassUser01 as a member of the Administrators group in the Management account, provide the following values for this parameter.

Example

userSets:
  - deploymentTargets:
      accounts:
        - Management
    users:
      - username: breakGlassUser01
        group: Administrators
        boundaryPolicy: Default-Boundary-Policy

See

IamConfig / UserSetConfig
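
The policySets, roleSets, userSets and identityCenter sections above reference each other by name (a role's or user's boundaryPolicy must be a policy defined in policySets, a user's group must come from groupSets, an assignment's permissionSetName must name a defined permission set), and the page's examples pair AdministratorAccess with a permissions boundary. The following is an added example, not code from the Landing Zone Accelerator project: a small TypeScript checker that validates those cross-references and a few least-privilege properties over an object shaped like iam-config.yaml. The interfaces are reduced local shapes named after the page's types, the functions validateIamConfig, sampleConfig and isAdminPolicy are this example's own, and the sample configuration is constructed from the page's examples; a real pipeline would load the YAML file with js-yaml before calling validateIamConfig.

```typescript
// Added example (not part of the Landing Zone Accelerator project): cross-reference and
// least-privilege checks over an object shaped like iam-config.yaml. Interfaces below are
// reduced local shapes named after the page's config types, not the project's own types.
interface DeploymentTargets { organizationalUnits?: string[]; accounts?: string[] }
interface PolicySetConfig { deploymentTargets: DeploymentTargets; policies: { name: string; policy: string }[] }
interface GroupSetConfig { deploymentTargets: DeploymentTargets; groups: { name: string; policies?: { awsManaged?: string[] } }[] }
interface RoleConfig { name: string; assumedBy: { type: string; principal: string }[]; policies?: { awsManaged?: string[] }; boundaryPolicy?: string }
interface RoleSetConfig { deploymentTargets: DeploymentTargets; roles: RoleConfig[] }
interface UserConfig { username: string; group: string; boundaryPolicy?: string }
interface UserSetConfig { deploymentTargets: DeploymentTargets; users: UserConfig[] }
interface PermissionSetConfig { name: string; policies?: { awsManaged?: string[]; permissionsBoundary?: object }; sessionDuration?: number }
interface AssignmentConfig { name: string; permissionSetName: string; principals: { type: string; name: string }[]; deploymentTargets: DeploymentTargets }
interface IdentityCenterConfig { name: string; identityCenterPermissionSets?: PermissionSetConfig[]; identityCenterAssignments?: AssignmentConfig[] }
interface AdPasswordPolicy { history: number; minimumLength: number; complexity: boolean; reversible: boolean }
interface IamConfigShape {
  policySets?: PolicySetConfig[]; groupSets?: GroupSetConfig[]; roleSets?: RoleSetConfig[];
  userSets?: UserSetConfig[]; identityCenter?: IdentityCenterConfig;
  managedActiveDirectories?: { name: string; activeDirectoryConfigurationInstance?: { adPasswordPolicy?: AdPasswordPolicy } }[];
}

// AdministratorAccess may be written as a bare policy name or as a full ARN (both forms appear on the page).
function isAdminPolicy(p: string): boolean {
  return p === 'AdministratorAccess' || /:policy\/AdministratorAccess$/.test(p);
}

// Returns one human-readable finding per problem; an empty array means the config passed every check.
function validateIamConfig(cfg: IamConfigShape): string[] {
  const findings: string[] = [];
  const policyNames: string[] = [];
  (cfg.policySets ?? []).forEach(s => s.policies.forEach(p => policyNames.push(p.name)));
  const groupNames: string[] = [];
  (cfg.groupSets ?? []).forEach(s => s.groups.forEach(g => groupNames.push(g.name)));

  // Every role and user must carry a boundaryPolicy, and it must resolve to a policySets entry.
  const checkBoundary = (kind: string, name: string, boundary?: string): void => {
    if (!boundary) findings.push(`${kind} ${name}: no boundaryPolicy set`);
    else if (policyNames.indexOf(boundary) === -1) findings.push(`${kind} ${name}: boundaryPolicy ${boundary} is not defined in policySets`);
  };
  (cfg.roleSets ?? []).forEach(s => s.roles.forEach(r => checkBoundary('role', r.name, r.boundaryPolicy)));
  (cfg.userSets ?? []).forEach(s => s.users.forEach(u => {
    checkBoundary('user', u.username, u.boundaryPolicy);
    if (groupNames.indexOf(u.group) === -1) findings.push(`user ${u.username}: group ${u.group} is not defined in groupSets`);
  }));

  // Identity Center: admin-level permission sets need a boundary; assignments must name a defined set.
  const ic = cfg.identityCenter;
  if (ic) {
    const sets = ic.identityCenterPermissionSets ?? [];
    sets.forEach(ps => {
      const managed = ps.policies?.awsManaged ?? [];
      if (managed.some(isAdminPolicy) && !ps.policies?.permissionsBoundary)
        findings.push(`permission set ${ps.name}: AdministratorAccess without a permissionsBoundary`);
    });
    (ic.identityCenterAssignments ?? []).forEach(a => {
      if (!sets.some(ps => ps.name === a.permissionSetName))
        findings.push(`assignment ${a.name}: permission set ${a.permissionSetName} is not defined`);
    });
  }

  // Managed AD: the password policy must be at least as strict as the page's example values.
  (cfg.managedActiveDirectories ?? []).forEach(ad => {
    const pp = ad.activeDirectoryConfigurationInstance?.adPasswordPolicy;
    if (pp && (pp.minimumLength < 14 || !pp.complexity || pp.reversible))
      findings.push(`directory ${ad.name}: adPasswordPolicy weaker than minimumLength 14, complexity true, reversible false`);
  });
  return findings;
}

// Constructed sample assembled from the page's examples; it is expected to produce no findings.
function sampleConfig(): IamConfigShape {
  return {
    policySets: [{ deploymentTargets: { organizationalUnits: ['Root'] },
      policies: [{ name: 'Default-Boundary-Policy', policy: 'iam-policies/boundary-policy.json' }] }],
    groupSets: [{ deploymentTargets: { organizationalUnits: ['Root'] },
      groups: [{ name: 'Administrators', policies: { awsManaged: ['AdministratorAccess'] } }] }],
    roleSets: [{ deploymentTargets: { organizationalUnits: ['Root'] },
      roles: [{ name: 'EC2-Default-SSM-AD-Role', assumedBy: [{ type: 'service', principal: 'ec2.amazonaws.com' }],
        policies: { awsManaged: ['AmazonSSMManagedInstanceCore'] }, boundaryPolicy: 'Default-Boundary-Policy' }] }],
    userSets: [{ deploymentTargets: { accounts: ['Management'] },
      users: [{ username: 'breakGlassUser01', group: 'Administrators', boundaryPolicy: 'Default-Boundary-Policy' }] }],
    identityCenter: { name: 'identityCenter1',
      identityCenterPermissionSets: [{ name: 'PermissionSet1',
        policies: { awsManaged: ['arn:aws:iam::aws:policy/AdministratorAccess'], permissionsBoundary: { awsManagedPolicyName: 'PowerUserAccess' } },
        sessionDuration: 60 }],
      identityCenterAssignments: [{ name: 'Assignment1', permissionSetName: 'PermissionSet1',
        principals: [{ type: 'GROUP', name: 'admin' }], deploymentTargets: { accounts: ['LogArchive'] } }] },
  };
}

console.log(validateIamConfig(sampleConfig())); // prints [] for the sample above
```

Run it against a config that drops a role's boundaryPolicy or points a user at an undefined group and each problem comes back as a separate finding, which makes the checker usable as a pre-commit gate on the config repository.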

FILENAME: "iam-config.yaml" = 'iam-config.yaml'

The name of the IAM config file in the config repository.

Default

iam-config.yaml

Methods

  • Parameters

    Returns string[]

  • Parameters

    • directoryName: string

    Returns string

  • Parameters

    • directoryName: string

    Returns string

  • Parameters

    • directoryName: string

    Returns string

  • Parameters

    • directoryName: string
    • configDir: string

    Returns string[]

  • Load from string content

    Parameters

    • content: string

    Returns undefined | IamConfig

Generated using TypeDoc