Class PortfolioAssociationConfig

CustomizationsConfig / CustomizationConfig / PortfolioConfig / PortfolioAssociationConfig

Portfolio Associations configuration

Example

- type: Group
  name: Administrators
- type: Role
  name: EC2-Default-SSM-AD-Role
  propagateAssociation: true
- type: User
  name: breakGlassUser01
- type: PermissionSet
  name: AWSPowerUserAccess

Hierarchy

  • PortfolioAssociationConfig

Implements

Constructors

constructor

Properties

name propagateAssociation type

Constructors

constructor

Properties

Readonly name

name: string = ''

Indicates the name of the principal to associate the portfolio with.

Readonly propagateAssociation

propagateAssociation: boolean = false

Indicates whether the principal association should be created in accounts the portfolio is shared with. Verify the IAM principal exists in all accounts the portfolio is shared with before enabling.

Remarks

When you propagate a principal association, a potential privilege escalation path may occur. For a user in a recipient account who is not a Service Catalog Admin, but still has the ability to create Principals (Users/Roles), that user could create an IAM Principal that matches a principal name association for the portfolio. Although this user may not know which principal names are associated through Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then LZA recommends disabling propagation.

Readonly type

type: "User" | "Role" | "Group" | "PermissionSet" = 'Role'

Indicates the type of portfolio association, valid values are: Group, User, and Role.

Settings

Member Visibility

Theme

Generated using TypeDoc