A collection of AWS resources and configuration templates for AWS SSO including SSO Permission Sets and SSO Assignment resources. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform

SSO
SSO Permission Set

An SSO permission set is a template that defines a collection of one or more IAM policies. A permission set is applied to allow SSO principals (users or groups) access to one or more AWS accounts.

CloudFormationTerraformAWS CLI
SSO Assignment

A configuration template to assign access to a specified principal (SSO Group or User) to an AWS account using an SSO Permission Set

CloudFormationTerraformAWS CLI
Permission Set for IAM Identity Center with Customer Managed Policies

This template creates a custom permission set, `PermissionSetWithCmpPb`, with policies attached and a customer managed policy as a permissions boundary. The permission set is created within a specified IAM Identity Center instance. The template specifies the instance ARN, name, description, session duration, managed policies, customer managed policy references, and permissions boundary.

CloudFormationTerraform
Custom Permission Set with Assignment for IAM Identity Center

This template creates a custom permission set, `PermissionSet`, with a managed policies attachment (AdministratorAccess policy). The permission set is created within a specified IAM Identity Center instance, and creates an assignment for the AWS account Id 123456789012 and the user `my_admin_user`

CloudFormationTerraform
Access Control Attribute Example

This template enables the attribute-based access control (ABAC) feature for the specified IAM Identity Center instance. It creates a new attribute key `CostCenter` that is mapped to the value `“${path:enterprise.costCenter}”` which is coming from the identity source.

CloudFormationTerraform
SSO Assignment for IAM Identity Center

This template creates a custom assignment for the IAM Identity Center. It assigns the user with the ID 'user_id' access to the AWS account with the ID 'accountId' in the specified AWS SSO instance. The assignment is made using the permission set specified by the 'PermissionSetArn' property.

CloudFormationTerraform