Optional values: { Readonly groupGroup set configuration
To configure IAM group named Administrators into Root and Infrastructure organizational units, you need to provide following values for this parameter.
groupSets:
- deploymentTargets:
organizationalUnits:
- Root
groups:
- name: Administrators
policies:
awsManaged:
- AdministratorAccess
Readonly identityIdentity Center configuration
To configure Identity Center, you need to provide following values for this parameter.
identityCenter:
name: identityCenter1
delegatedAdminAccount: Audit
identityCenterPermissionSets:
- name: PermissionSet1
policies:
awsManaged:
- arn:aws:iam::aws:policy/AdministratorAccess
- PowerUserAccess
customerManaged:
- ResourceConfigurationCollectorPolicy
acceleratorManaged:
- AcceleratorManagedPolicy01
- AcceleratorManagedPolicy02
inlinePolicy: iam-policies/sso-permissionSet1-inline-policy.json
permissionsBoundary:
customerManagedPolicy:
name: AcceleratorManagedPolicy
path: /
awsManagedPolicyName: PowerUserAccess
sessionDuration: 60
identityCenterAssignments:
- name: Assignment1
permissionSetName: PermissionSet1
principals:
- type: USER
name: accelerator
- type: GROUP
name: admin
deploymentTargets:
accounts:
- LogArchive
Readonly managedManaged active directory configuration
To configure AWS Microsoft managed active directory of enterprise edition, along with accelerator provisioned EC2 instance to pre configure directory users. group, you need to provide following values for this parameter.
managedActiveDirectories:
- name: AcceleratorManagedActiveDirectory
type: AWS Managed Microsoft AD
account: Network
region: us-east-1
dnsName: example.com
netBiosDomainName: example
description: Example managed active directory
edition: Enterprise
resolverRuleName: example-com-rule
vpcSettings:
vpcName: ManagedAdVpc
subnets:
- subnet1
- subnet2
secretConfig:
account: Audit
region: us-east-1
adminSecretName: admin
sharedOrganizationalUnits:
organizationalUnits:
- Root
excludedAccounts:
- Management
logs:
groupName: /aws/directoryservice/AcceleratorManagedActiveDirectory
retentionInDays: 30
activeDirectoryConfigurationInstance:
instanceType: t3.large
vpcName: MyVpc
subnetName: subnet
imagePath: /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base
securityGroupInboundSources:
- 10.0.0.0/16
instanceRole: EC2-Default-SSM-AD-Role
enableTerminationProtection: false
userDataScripts:
- scriptName: JoinDomain
scriptFilePath: ad-config-scripts/Join-Domain.ps1
- scriptName: InitializeRDGW ## Do not Need
scriptFilePath: ad-config-scripts/Initialize-RDGW.ps1
- scriptName: AWSQuickStart
scriptFilePath: ad-config-scripts/AWSQuickStart.psm1
- scriptName: ADGroupSetup
scriptFilePath: ad-config-scripts/AD-group-setup.ps1
- scriptName: ADUserSetup
scriptFilePath: ad-config-scripts/AD-user-setup.ps1
- scriptName: ADUserGroupSetup
scriptFilePath: ad-config-scripts/AD-user-group-setup.ps1
- scriptName: ADGroupGrantPermissionsSetup
scriptFilePath: ad-config-scripts/AD-group-grant-permissions-setup.ps1
- scriptName: ADConnectorPermissionsSetup
scriptFilePath: ad-config-scripts/AD-connector-permissions-setup.ps1
- scriptName: ConfigurePasswordPolicy
scriptFilePath: ad-config-scripts/Configure-password-policy.ps1
adGroups:
- aws-Provisioning
- aws-Billing
adPerAccountGroups:
- "*-Admin"
- "*-PowerUser"
- "*-View"
adConnectorGroup: ADConnector-grp
sharedAccounts:
- Management
- Audit
- LogArchive
adPasswordPolicy:
history: 24
maximumAge: 90
minimumAge: 1
minimumLength: 14
complexity: true
reversible: false
failedAttempts: 6
lockoutDuration: 30
lockoutAttemptsReset: 30
adUsers:
- name: adconnector-usr
email: example-adconnector-usr@example.com
groups:
- ADConnector-grp
- name: user1
email: example-user1@example.com
groups:
- aws-Provisioning
- "*-View"
- "*-Admin"
- "*-PowerUser"
- AWS Delegated Administrators
- name: user2
email: example-user2@example.com
groups:
- aws-Provisioning
- "*-View"
Readonly policyPolicy set configuration.
To configure IAM policy named Default-Boundary-Policy with permission boundary defined in iam-policies/boundary-policy.json file, you need to provide following values for this parameter.
policySets:
- deploymentTargets:
organizationalUnits:
- Root
identityCenterDependency: false
policies:
- name: Default-Boundary-Policy
policy: iam-policies/boundary-policy.json
Readonly providersSAML provider configuration To configure SAML configuration, you need to provide the following values for this parameter. Replace provider name and metadata document file. Document file must be in config repository
providers:
- name: <PROVIDER_NAME>
metadataDocument: <METADATA_DOCUMENT_FILE>
Readonly roleRole sets configuration
To configure EC2-Default-SSM-AD-Role role to be assumed by ec2 service into Root and Infrastructure organizational units, you need to provide following values for this parameter. This role will have AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess and CloudWatchAgentServerPolicy policy with permission boundary defined by Default-Boundary-Policy
roleSets:
- deploymentTargets:
organizationalUnits:
- Root
roles:
- name: EC2-Default-SSM-AD-Role
assumedBy:
- type: service
principal: ec2.amazonaws.com
policies:
awsManaged:
- AmazonSSMManagedInstanceCore
- AmazonSSMDirectoryServiceAccess
- CloudWatchAgentServerPolicy
boundaryPolicy: Default-Boundary-Policy
Readonly userUser set configuration
To configure breakGlassUser01 user into Administrators in Management account, you need to provide following values for this parameter.
userSets:
- deploymentTargets:
accounts:
- Management
users:
- username: breakGlassUser01
group: Administrators
boundaryPolicy: Default-Boundary-Policy
Static Readonly FILENAMEA name for the iam config file in config repository
iam-config.yaml
Private getStatic loadLoad from config file content
Optional replacementsConfig: ReplacementsConfigStatic loadGenerated using TypeDoc
IAM configuration