AWS::SSO::InstanceAccessControlAttributeConfiguration - AWS CloudFormation

AWS::SSO::InstanceAccessControlAttributeConfiguration

Enables the attribute-based access control (ABAC) feature for the specified AWS SSO instance. You can also specify new attributes to add to your ABAC configuration during the enabling process. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.

Note

The InstanceAccessControlAttributeConfiguration property has been deprecated but is still supported for backwards compatibility purposes. We recommend that you use the AccessControlAttributes property instead.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::SSO::InstanceAccessControlAttributeConfiguration", "Properties" : { "AccessControlAttributes" : [ AccessControlAttribute, ... ], "InstanceArn" : String } }

YAML

Type: AWS::SSO::InstanceAccessControlAttributeConfiguration Properties: AccessControlAttributes: - AccessControlAttribute InstanceArn: String

Properties

AccessControlAttributes

Lists the attributes that are configured for ABAC in the specified AWS SSO instance.

Required: No

Type: List of AccessControlAttribute

Maximum: 50

Update requires: No interruption

InstanceArn

The ARN of the AWS SSO instance under which the operation will be executed.

Required: Yes

Type: String

Minimum: 10

Maximum: 1224

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Update requires: Replacement

Return values

Ref

Specifies the AWS SSO identity store attributes to add to your ABAC configuration. When using an external identity provider as an identity source, you can pass attributes through the SAML assertion. Doing so provides an alternative to configuring attributes from the AWS SSO identity store. If a SAML assertion passes any of these attributes, AWS SSO will replace the attribute value with the value from the AWS SSO identity store.

Examples

Enabling and configuring attributes used for access control in AWS SSO

The following example enables ABAC in AWS SSO and creates a new attribute key CostCenter that is mapped to the Value “${path:enterprise.costCenter}” which is coming from your identity source.

JSON

{ "Resources": { "ABAC": { "Type": "AWS::SSO::InstanceAccessControlAttributeConfiguration", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "AccessControlAttributes": [ { "Key": "CostCenter", "Value": { "Source": [ "${path:enterprise.costCenter}" ] } } ] } } } }

YAML

Resources: ABAC: Type: 'AWS::SSO::InstanceAccessControlAttributeConfiguration' Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' AccessControlAttributes: - Key: CostCenter Value: Source: - '${path:enterprise.costCenter}'