CustomizationsConfig / CustomizationConfig / PortfolioConfig / PortfolioAssociationConfig

Portfolio Associations configuration

Example

- type: Group
  name: Administrators
- type: Role
  name: EC2-Default-SSM-AD-Role
  propagateAssociation: true
- type: User
  name: breakGlassUser01
- type: PermissionSet
  name: AWSPowerUserAccess

Hierarchy

  • PortfolioAssociationConfig

Properties

name: string = ''

Indicates the name of the principal to associate the portfolio with.

propagateAssociation: boolean = false

Indicates whether the principal association should be created in accounts the portfolio is shared with. Verify the IAM principal exists in all accounts the portfolio is shared with before enabling.

Remarks

Propagating a principal association creates a potential privilege escalation path. A user in a recipient account who is not a Service Catalog Admin, but can still create principals (users/roles), could create an IAM principal whose name matches a principal name associated with the portfolio. Although this user may not know which principal names are associated through Service Catalog, they may be able to guess one. If this potential escalation path is a concern, LZA recommends disabling propagation.
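One way to check the condition described above before enabling propagation, as an added example that is not part of LZA: it flags propagated associations whose principal is absent from an account the portfolio is shared with. The function name, the per-account inventory structure, and the account IDs are assumptions made for illustration.

```python
# Added example: audit propagated portfolio associations (not LZA code).
# Field names and defaults (type='Role', propagateAssociation=False) come from
# the properties documented on this page; everything else is constructed.

def audit_propagated_associations(associations, principals_by_account):
    """Return (type, name, account_id) for every propagated association whose
    principal is absent from an account the portfolio is shared with.

    associations: list of dicts shaped like PortfolioAssociationConfig entries.
    principals_by_account: {account_id: {(type, name), ...}}, a hypothetical
        inventory gathered separately (for example from IAM list calls).
    """
    findings = []
    for assoc in associations:
        if not assoc.get("propagateAssociation", False):
            continue  # association stays in the owning account only
        key = (assoc.get("type", "Role"), assoc.get("name", ""))
        for account_id, principals in sorted(principals_by_account.items()):
            if key not in principals:
                # The name is unclaimed here: a user allowed to create IAM
                # principals in this account could create a matching one
                # and pick up the portfolio association.
                findings.append((key[0], key[1], account_id))
    return findings


# Constructed sample: the associations from the example on this page.
ASSOCIATIONS = [
    {"type": "Group", "name": "Administrators"},
    {"type": "Role", "name": "EC2-Default-SSM-AD-Role", "propagateAssociation": True},
    {"type": "User", "name": "breakGlassUser01"},
    {"type": "PermissionSet", "name": "AWSPowerUserAccess"},
]

# Constructed inventory of two recipient accounts (placeholder account IDs).
SHARED_ACCOUNT_PRINCIPALS = {
    "111111111111": {("Role", "EC2-Default-SSM-AD-Role"), ("Role", "AppDeployRole")},
    "222222222222": {("Role", "AppDeployRole")},
}

if __name__ == "__main__":
    for ptype, name, account in audit_propagated_associations(
            ASSOCIATIONS, SHARED_ACCOUNT_PRINCIPALS):
        print(f"{ptype} {name!r} is propagated but missing in account {account}")
```

Any finding means the name should either be created in that account by a trusted pipeline or propagation should stay disabled for that association.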

type: "User" | "Role" | "Group" | "PermissionSet" = 'Role'

Indicates the type of portfolio association. Valid values are: Group, User, Role, and PermissionSet.
