AWS::SSO::InstanceAccessControlAttributeConfiguration - AWS CloudFormation


Enables the attribute-based access control (ABAC) feature for the specified AWS SSO instance. You can also specify new attributes to add to your ABAC configuration during the enabling process. For more information about ABAC, see Attribute-Based Access Control in the AWS SSO User Guide.


The InstanceAccessControlAttributeConfiguration property has been deprecated but is still supported for backwards compatibility purposes. We recommend that you use the AccessControlAttributes property instead.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{ "Type" : "AWS::SSO::InstanceAccessControlAttributeConfiguration", "Properties" : { "AccessControlAttributes" : [ AccessControlAttribute, ... ], "InstanceArn" : String } }


Type: AWS::SSO::InstanceAccessControlAttributeConfiguration Properties: AccessControlAttributes: - AccessControlAttribute InstanceArn: String



Lists the attributes that are configured for ABAC in the specified AWS SSO instance.

Required: No

Type: List of AccessControlAttribute

Maximum: 50

Update requires: No interruption


The ARN of the AWS SSO instance under which the operation will be executed.

Required: Yes

Type: String

Minimum: 10

Maximum: 1224

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Update requires: Replacement

Return values


Specifies the AWS SSO identity store attributes to add to your ABAC configuration. When using an external identity provider as an identity source, you can pass attributes through the SAML assertion. Doing so provides an alternative to configuring attributes from the AWS SSO identity store. If a SAML assertion passes any of these attributes, AWS SSO will replace the attribute value with the value from the AWS SSO identity store.


Enabling and configuring attributes used for access control in AWS SSO

The following example enables ABAC in AWS SSO and creates a new attribute key CostCenter that is mapped to the Value “${path:enterprise.costCenter}” which is coming from your identity source.


{ "Resources": { "ABAC": { "Type": "AWS::SSO::InstanceAccessControlAttributeConfiguration", "Properties": { "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId", "AccessControlAttributes": [ { "Key": "CostCenter", "Value": { "Source": [ "${path:enterprise.costCenter}" ] } } ] } } } }


Resources: ABAC: Type: 'AWS::SSO::InstanceAccessControlAttributeConfiguration' Properties: InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId' AccessControlAttributes: - Key: CostCenter Value: Source: - '${path:enterprise.costCenter}'