IAM configuration

Hierarchy

  • IamConfig

Constructors

  • Parameters

    • Optional values: {
          groupSets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; groups: { ...; }[]; })[];
          identityCenter: undefined | ({ name: string; delegatedAdminAccount: string | undefined; identityCenterPermissionSets: { name: string; policies: { awsManaged: string[] | undefined; customerManaged: string[] | undefined; } | undefined; sessionDuration: number | undefined; }[] | undefined; identityCenterAssignments: { ...; }[] | undefined; });
          managedActiveDirectories: undefined | ({ name: string; account: string; region: "af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | "ap-southeast-2" | "ap-southeast-3" | "ap-northeast-1" | "ap-northeast-2" | ... 25 more ... | "ap-southeast-4"; ... 10 more ...; activeDirectoryConfigurationInstance: { ...; } | undefined; })[];
          policySets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; policies: { ...; }[]; })[];
          providers: undefined | ({ name: string; metadataDocument: string; })[];
          roleSets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; path: string | undefined; roles: { ...; }[]; })[];
          userSets: undefined | ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; users: { ...; }[]; })[];
      }

    Returns IamConfig

Properties

groupSets: GroupSetConfig[] = []

Group set configuration

To configure an IAM group named Administrators into the Root and Infrastructure organizational units, you need to provide the following values for this parameter.

Example

groupSets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    groups:
      - name: Administrators
        policies:
          awsManaged:
            - AdministratorAccess

identityCenter: undefined | IdentityCenterConfig = undefined

Identity Center configuration

To configure Identity Center, you need to provide the following values for this parameter.

Example

identityCenter:
  name: identityCenter1
  delegatedAdminAccount: Audit
  identityCenterPermissionSets:
    - name: PermissionSet1
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/AdministratorAccess
        customerManaged:
          - ResourceConfigurationCollectorPolicy
      sessionDuration: 60
  identityCenterAssignments:
    - name: Assignment1
      permissionSetName: PermissionSet1
      principalId: "a4e81468-1001-70f0-9c12-56a6aa967ca4"
      principalType: USER
      deploymentTargets:
        accounts:
          - LogArchive

managedActiveDirectories: undefined | ManagedActiveDirectoryConfig[] = undefined

Managed Active Directory configuration

To configure an AWS Managed Microsoft AD of Enterprise edition, together with an LZA-provisioned EC2 instance that pre-configures directory users and groups, you need to provide the following values for this parameter.

Example

managedActiveDirectories:
  - name: AcceleratorManagedActiveDirectory
    type: AWS Managed Microsoft AD
    account: Network
    region: us-east-1
    dnsName: example.com
    netBiosDomainName: example
    description: Example managed active directory
    edition: Enterprise
    resolverRuleName: example-com-rule
    vpcSettings:
      vpcName: ManagedAdVpc
      subnets:
        - subnet1
        - subnet2
    secretConfig:
      account: Audit
      region: us-east-1
      adminSecretName: admin
    sharedOrganizationalUnits:
      organizationalUnits:
        - Root
      excludedAccounts:
        - Management
    logs:
      groupName: /aws/directoryservice/AcceleratorManagedActiveDirectory
      retentionInDays: 30
    activeDirectoryConfigurationInstance:
      instanceType: t3.large
      vpcName: MyVpc
      subnetName: subnet
      imagePath: /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base
      securityGroupInboundSources:
        - 10.0.0.0/16
      instanceRole: EC2-Default-SSM-AD-Role
      enableTerminationProtection: false
      userDataScripts:
        - scriptName: JoinDomain
          scriptFilePath: ad-config-scripts/Join-Domain.ps1
        - scriptName: InitializeRDGW ## Do not Need
          scriptFilePath: ad-config-scripts/Initialize-RDGW.ps1
        - scriptName: AWSQuickStart
          scriptFilePath: ad-config-scripts/AWSQuickStart.psm1
        - scriptName: ADGroupSetup
          scriptFilePath: ad-config-scripts/AD-group-setup.ps1
        - scriptName: ADUserSetup
          scriptFilePath: ad-config-scripts/AD-user-setup.ps1
        - scriptName: ADUserGroupSetup
          scriptFilePath: ad-config-scripts/AD-user-group-setup.ps1
        - scriptName: ADGroupGrantPermissionsSetup
          scriptFilePath: ad-config-scripts/AD-group-grant-permissions-setup.ps1
        - scriptName: ADConnectorPermissionsSetup
          scriptFilePath: ad-config-scripts/AD-connector-permissions-setup.ps1
        - scriptName: ConfigurePasswordPolicy
          scriptFilePath: ad-config-scripts/Configure-password-policy.ps1
      adGroups:
        - aws-Provisioning
        - aws-Billing
      adPerAccountGroups:
        - "*-Admin"
        - "*-PowerUser"
        - "*-View"
      adConnectorGroup: ADConnector-grp
      sharedAccounts:
        - Management
        - Audit
        - LogArchive
      adPasswordPolicy:
        history: 24
        maximumAge: 90
        minimumAge: 1
        minimumLength: 14
        complexity: true
        reversible: false
        failedAttempts: 6
        lockoutDuration: 30
        lockoutAttemptsReset: 30
      adUsers:
        - name: adconnector-usr
          email: example-adconnector-usr@example.com
          groups:
            - ADConnector-grp
        - name: user1
          email: example-user1@example.com
          groups:
            - aws-Provisioning
            - "*-View"
            - "*-Admin"
            - "*-PowerUser"
            - AWS Delegated Administrators
        - name: user2
          email: example-user2@example.com
          groups:
            - aws-Provisioning
            - "*-View"

policySets: PolicySetConfig[] = []

Policy set configuration.

To configure an IAM policy named Default-Boundary-Policy, whose permission boundary is defined in the iam-policies/boundary-policy.json file, you need to provide the following values for this parameter.

Example

policySets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    policies:
      - name: Default-Boundary-Policy
        policy: iam-policies/boundary-policy.json

providers: SamlProviderConfig[] = []

SAML provider configuration

To configure a SAML provider, you need to provide the following values for this parameter. Replace the provider name and the metadata document file; the document file must be in the config repository.

Example

providers:
  - name: <PROVIDER_NAME>
    metadataDocument: <METADATA_DOCUMENT_FILE>

roleSets: RoleSetConfig[] = []

Role sets configuration

To configure the EC2-Default-SSM-AD-Role role, assumed by the EC2 service, into the Root and Infrastructure organizational units, you need to provide the following values for this parameter. This role will have the AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess and CloudWatchAgentServerPolicy policies, with the permission boundary defined by Default-Boundary-Policy.

Example

roleSets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    roles:
      - name: EC2-Default-SSM-AD-Role
        assumedBy:
          - type: service
            principal: ec2.amazonaws.com
        policies:
          awsManaged:
            - AmazonSSMManagedInstanceCore
            - AmazonSSMDirectoryServiceAccess
            - CloudWatchAgentServerPolicy
        boundaryPolicy: Default-Boundary-Policy

userSets: UserSetConfig[] = []

User set configuration

To configure the breakGlassUser01 user into the Administrators group in the Management account, you need to provide the following values for this parameter.

Example

userSets:
  - deploymentTargets:
      accounts:
        - Management
    users:
      - username: breakGlassUser01
        group: Administrators
        boundaryPolicy: Default-Boundary-Policy

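The policySets, roleSets, userSets, groupSets and identityCenter sections above reference each other by name, and nothing in the snippets shows what happens when a name does not resolve or a role ships without a permission boundary. The following is an added example, not LZA's own code: a small lint over a parsed iam-config (the dict shape yaml.safe_load returns for iam-config.yaml; a constructed sample mirroring the documented snippets is embedded so it runs offline) that checks every boundaryPolicy resolves to a policySets entry, every user's group resolves to a groupSets entry, and every Identity Center assignment names a defined permission set. `lint_iam_config`, `_check_boundary`, `SAMPLE_CONFIG` and the `Unbounded-Role` / `PermissionSet9` gaps are all constructed for this example.

```python
SAMPLE_CONFIG = {  # constructed sample mirroring the documented snippets, with two gaps
    "policySets": [{"deploymentTargets": {"organizationalUnits": ["Root"]},
                    "policies": [{"name": "Default-Boundary-Policy",
                                  "policy": "iam-policies/boundary-policy.json"}]}],
    "groupSets": [{"deploymentTargets": {"organizationalUnits": ["Root"]},
                   "groups": [{"name": "Administrators",
                               "policies": {"awsManaged": ["AdministratorAccess"]}}]}],
    "roleSets": [{"deploymentTargets": {"organizationalUnits": ["Root"]},
                  "roles": [{"name": "EC2-Default-SSM-AD-Role",
                             "policies": {"awsManaged": ["AmazonSSMManagedInstanceCore"]},
                             "boundaryPolicy": "Default-Boundary-Policy"},
                            {"name": "Unbounded-Role",  # gap 1: no permission boundary
                             "policies": {"awsManaged": ["AdministratorAccess"]}}]}],
    "userSets": [{"deploymentTargets": {"accounts": ["Management"]},
                  "users": [{"username": "breakGlassUser01", "group": "Administrators",
                             "boundaryPolicy": "Default-Boundary-Policy"}]}],
    "identityCenter": {"name": "identityCenter1",
                       "identityCenterPermissionSets": [{"name": "PermissionSet1"}],
                       "identityCenterAssignments": [{"name": "Assignment1",
                                                      "permissionSetName": "PermissionSet9"}]},
}  # gap 2: Assignment1 names a permission set that is never defined


def _check_boundary(kind, name, entry, policies, findings):
    # boundaryPolicy is optional in LZA; a missing one is reported here as a hardening gap
    boundary = entry.get("boundaryPolicy")
    if boundary is None:
        findings.append(f"{kind} {name}: no boundaryPolicy set")
    elif boundary not in policies:
        findings.append(f"{kind} {name}: boundaryPolicy {boundary} not defined in policySets")


def lint_iam_config(cfg: dict) -> list:
    """Return findings as strings; an empty list means every reference resolves."""
    findings = []
    policies = {p["name"] for s in cfg.get("policySets") or [] for p in s["policies"]}
    groups = {g["name"] for s in cfg.get("groupSets") or [] for g in s["groups"]}
    for s in cfg.get("roleSets") or []:
        for role in s["roles"]:
            _check_boundary("role", role["name"], role, policies, findings)
    for s in cfg.get("userSets") or []:
        for user in s["users"]:
            if user.get("group") not in groups:
                findings.append(f"user {user['username']}: group {user.get('group')} not in groupSets")
            _check_boundary("user", user["username"], user, policies, findings)
    ic = cfg.get("identityCenter") or {}
    permission_sets = {p["name"] for p in ic.get("identityCenterPermissionSets") or []}
    for a in ic.get("identityCenterAssignments") or []:
        if a["permissionSetName"] not in permission_sets:
            findings.append(f"assignment {a['name']}: permission set {a['permissionSetName']} undefined")
    return findings
```

Against the real file, replace SAMPLE_CONFIG with `yaml.safe_load(open("iam-config.yaml"))` and fail the pipeline when the list is non-empty; the group check only confirms the name exists, not that the group's deploymentTargets cover the user's account.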
FILENAME: "iam-config.yaml" = 'iam-config.yaml'

The name of the IAM config file in the config repository.

Default

iam-config.yaml

Methods

  • Parameters

    • directoryName: string

    Returns string

  • Parameters

    • directoryName: string

    Returns string

  • Parameters

    • directoryName: string

    Returns string

  • Parameters

    • directoryName: string
    • configDir: string

    Returns string[]

  • Load from config file content

    Parameters

    • dir: string

    Returns IamConfig

  • Load from string content

    Parameters

    • content: string

    Returns undefined | IamConfig

Generated using TypeDoc