Allows you to use AFT (Account Factory for Terraform) to declaratively specify SSO Group and SSO User access to an account.

Overview

SSO Account Configuration

Allows you to use AFT (Account Factory for Terraform) to declaratively specify SSO Group and SSO User access to an account in the following way:

module "john-doe-account" {
  source = "./modules/aft-account-request"
  control_tower_parameters = {
    AccountEmail              = "[email protected]"
    AccountName               = "JohnDoeAccount"
    ManagedOrganizationalUnit = "Sandbox"
    SSOUserEmail              = "[email protected]"
    SSOUserFirstName          = "Admin"
    SSOUserLastName           = "User"
  }

  custom_fields = {
    "sso_groups" = jsonencode({
      "an-sso-group-you-have-defined" = ["DeveloperAccess", "AWSReadOnlyAccess"]
      "another-sso-group"             = ["SomeOtherPermissionSet", "AnotherPermissionSet"]
      "yet-another-sso-group"         = "YetAnotherPermissionSet"
    })
    "sso_users" = jsonencode({
      "[email protected]"          = ["FooAccess", "BarAccess", "BazAccess"]
      "[email protected]"          = "AWSReadOnlyAccess"
    })
  }
}

Furthermore, if you provide a value for the parameter CloudAdministrationGroupName, this SSO group will be automatically added to all accounts, with the permissions given in the parameter CloudAdministrationGroupPermissionSets, defaulting to "AWSAdministratorAccess,AWSReadOnlyAccess".

NB: Any group or user assignments not explicitly mentioned will be deleted automatically, except for the groups AWSSecurityAuditors, AWSControlTowerAdmins and AWSSecurityAuditPowerUsers. They are assigned by Service Catalog when Control Tower creates an account and should be left as is.
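
The reconciliation rules above (single name or list per principal, the CloudAdministrationGroupName added everywhere, and the three Control Tower groups never removed) as an added Python example; this is not the project's own Lambda code, and it assumes the SNS message shape posted by pre-api-helpers.sh plus hypothetical function names and a constructed sample message.

```python
import json

# Groups assigned by Service Catalog when Control Tower creates the account;
# they are never deleted, whatever the account request says.
PROTECTED_GROUPS = frozenset({
    "AWSSecurityAuditors", "AWSControlTowerAdmins", "AWSSecurityAuditPowerUsers",
})

# Constructed sample of the SNS message pre-api-helpers.sh posts (not a real account).
SAMPLE_MESSAGE = json.dumps({
    "account_id": "111122223333",
    "sso_groups": {"developers": ["DeveloperAccess", "AWSReadOnlyAccess"],
                   "auditors": "AWSReadOnlyAccess"},
    "sso_users": None,  # custom field absent: the script embeds null
})

def _as_list(value):
    """A custom field value may be one permission-set name or a list of names."""
    return [value] if isinstance(value, str) else list(value or [])

def _field(body, name):
    """Custom fields arrive as JSON objects, double-encoded JSON strings or null."""
    raw = body.get(name)
    if isinstance(raw, str):
        raw = json.loads(raw)
    return raw or {}

def desired_assignments(message, cloud_admin_group=None,
                        cloud_admin_permission_sets="AWSAdministratorAccess,AWSReadOnlyAccess"):
    """Return the set of (principal_type, principal_name, permission_set)
    tuples the account should end up with."""
    body = json.loads(message)
    wanted = set()
    for group, sets in _field(body, "sso_groups").items():
        wanted.update(("GROUP", group, ps) for ps in _as_list(sets))
    for user, sets in _field(body, "sso_users").items():
        wanted.update(("USER", user, ps) for ps in _as_list(sets))
    if cloud_admin_group:  # CloudAdministrationGroupName is added to every account
        wanted.update(("GROUP", cloud_admin_group, ps.strip())
                      for ps in cloud_admin_permission_sets.split(","))
    return wanted

def plan_changes(existing, wanted):
    """Diff current assignments against the desired set; protected groups survive."""
    to_create = wanted - existing
    to_delete = {a for a in existing - wanted
                 if not (a[0] == "GROUP" and a[1] in PROTECTED_GROUPS)}
    return to_create, to_delete
```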

Installation

Deploy this SAM project in the organisation account, in your main region. All that's required is

sam build
sam deploy --guided

Subsequent deploys are done just by sam build && sam deploy.

To activate, put the following in your aft-global-customizations repo, in pre-api-helpers.sh in the api_helpers directory. Replace the --topic-arn value with the ARN of your SNS topic.

#!/bin/bash -e
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#

echo "Executing Pre-API Helpers"

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

echo "Obtaining SSO Groups for account $ACCOUNT_ID..."
SSO_GROUPS=$(aws ssm get-parameters --names /aft/account-request/custom-fields/sso_groups --query "Parameters[0].Value")
echo "SSO Groups: $SSO_GROUPS"

echo "Obtaining SSO Users for account $ACCOUNT_ID..."
SSO_USERS=$(aws ssm get-parameters --names /aft/account-request/custom-fields/sso_users --query "Parameters[0].Value")
echo "SSO Users: $SSO_USERS"

echo "Posting SNS message to configure the account $ACCOUNT_ID for SSO access..."
aws sns publish --topic-arn "arn:aws:sns:xx-xxxx-1:111122223333:aft-sso-account-configuration-topic" \
  --message "{\"account_id\": \"$ACCOUNT_ID\", \"sso_groups\": $SSO_GROUPS, \"sso_users\": $SSO_USERS}"

Protecting the settings

You will probably want to include something like the following in an SCP to protect the AFT settings from being tampered with:

{
  "Sid": "DenyAFTCustomFieldsModification",
  "Effect": "Deny",
  "Action": [
    "ssm:DeleteParameter*",
    "ssm:PutParameter"
  ],
  "Resource": "arn:aws:ssm:*:*:parameter/aft/account-request/custom-fields/*",
  "Condition": {
    "ArnNotLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::*:role/AWSControlTowerExecution",
        "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess_*",
        "arn:aws:iam::*:role/stacksets-exec-*",
        "arn:aws:iam::*:role/AWSAFTService",
        "arn:aws:iam::*:role/AWSAFTExecution"
      ]
    }
  }
}

You can add the following to the same SCP to block users of a permission set from using or even seeing the values of the SSO parameters in their own accounts. Substitute DeveloperAccess with the name of your own permission set, but keep the prefix and wildcard characters:

{
  "Sid": "DenyAFTCustomFieldsUseAndVisibility",
  "Effect": "Deny",
  "Action": [
    "ssm:DeleteParameter*",
    "ssm:DescribeParameters",
    "ssm:GetParameter*",
    "ssm:PutParameter"
  ],
  "Resource": "arn:aws:ssm:*:*:parameter/aft/account-request/custom-fields/*",
  "Condition": {
    "ArnLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_DeveloperAccess_*"
      ]
    }
  }
}
Owner: Peter Bengtson