Browse by type
De-couple life cycle management of different SSO objects and other features

AWS IAM Identity Center Extensions for Enterprise simplifies the process to manage user access to AWS accounts with AWS IAM Identity Center by extending the AWS IAM Identity Center API.
Instead of separately managing AWS IAM Identity Center permission sets and account assignments, you can use this solution to describe permission sets with one API call per set. Like with permission sets, you can also define and implement account assignments at a global level, an organizational unit level or an account tag level. The solution ensures your defined permissions are rolled out across the entire AWS Organization, and that they are updated as you change your organization.
This solution can be used by your identity and access management team to simplify user access provisioning at scale, either via a RESTFul API or by defining and setting objects with your permissions descriptions in an S3 bucket. This enables you to integrate with upstream identity management systems you have in your organization.
Get started with the deployment!
This solution provides a composite API for managing permission set lifecycles, allowing you to:
Example payload to create a permission set
{
"action": "create",
"permissionSetData": {
"permissionSetName": "CloudOperator-ps",
"sessionDurationInMinutes": "240",
"relayState": "https://{{region}}.console.aws.amazon.com/console/home?region={{region}}#",
"tags": [
{
"Key": "versionid",
"Value": "01"
},
{
"Key": "team",
"Value": "CloudOperators"
}
],
"managedPoliciesArnList": [
"arn:aws:iam::aws:policy/job-function/SystemAdministrator",
"arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
],
"inlinePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:PassRole",
"iam:UpdateRole",
"iam:DeleteRolePermissionsBoundary",
"iam:UpdateRoleDescription",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"arn:aws:iam::*:role/Application_*",
"arn:aws:iam::*:policy/Application_*",
"arn:aws:iam::*:instance-profile/Application_*"
],
"Effect": "Allow",
"Sid": "AllowOtherIAMActions"
},
{
"Action": ["iam:List*", "iam:Generate*", "iam:Get*", "iam:Simulate*"],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowReadIAMActions"
}
]
},
"customerManagedPoliciesList": [
{
"Name": "cmp-1",
"Path": "/cmp/1/"
},
{
"Name": "cmp-2",
"Path": "/cmp/2/"
},
{
"Name": "cmp-3"
}
],
"permissionsBoundary": {
"ManagedPolicyArn": "arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
}
}
}
Example payload to update a permission set
{
"action": "update",
"permissionSetData": {
"permissionSetName": "CloudOperator-ps",
"sessionDurationInMinutes": "420",
"relayState": "https://{{region}}.console.aws.amazon.com/console/home?region={{region}}#",
"tags": [
{
"Key": "versionid",
"Value": "02"
},
{
"Key": "team",
"Value": "CloudOperators"
}
],
"managedPoliciesArnList": [
"arn:aws:iam::aws:policy/job-function/SystemAdministrator",
"arn:aws:iam::aws:policy/job-function/NetworkAdministrator",
"arn:aws:iam::aws:policy/AWSHealthFullAccess"
],
"inlinePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": ["iam:List*", "iam:Generate*", "iam:Get*", "iam:Simulate*"],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowReadIAMActions"
}
]
},
"customerManagedPoliciesList": [
{
"Name": "cmp-1",
"Path": "/cmp/1/"
},
{
"Name": "cmp-2",
"Path": "/cmp/2/"
},
{
"Name": "cmp-3"
}
],
"permissionsBoundary": {
"CustomerManagedPolicyReference": {
"Name": "cmp-pb",
"Path": "/cmp/pb/"
}
}
}
}
Example payload to delete a permission set
{
"action": "delete",
"permissionSetData": {
"permissionSetName": "CloudOperator-ps"
}
}
This solution enables enterprise friendly account assignment lifecycles through the following features:
SupportNestedOU to true in your environment configuration file. When configured, the solution discovers all the children under a specified ou_id traversing the complete tree and assigning the account assignment to every single account under the tree.NOTE: Permission sets and user/group assignments cannot be applied to the Organization Main account (also known as the Master Payer) due to a design constraint of the AWS API. There is no available mechanism to programmatically manage the permission sets and user/group assignments of the Organization Main account.
Example payload to provision permission set CloudOperator-ps for all accounts in your organization and provide access to team-CloudOperators user group
{
"action": "create",
"linkData": "root%all%CloudOperator-ps%team-CloudOperators%GROUP%ssofile"
}
Example payload to provision permission set SecurityAuditor-ps for all accounts in your organization unit with ID ou-id12345 and provide access to team-SecurityAuditors user group
{
"action": "create",
"linkData": "ou_id%ou-id12345%SecurityAuditor-ps%team-SecurityAuditors%GROUP%ssofile"
}
Example payload to provision permission set DataScientist-ps for all accounts that have tagkey team set to value DataScientists and provide access to team-DataScientists user group
{
"action": "create",
"linkData": "account_tag%team^DataScientists%DataScientist-ps%team-DataScientists%GROUP%ssofile"
}
Example payload to provision permission set Billing-ps for account 123456789012 and provide access to team-Accountants user group
{
"action": "create",
"linkData": "account%123456789012%Billing-ps%team-Accountants%GROUP%ssofile"
}
Example payload to provision permission set Breakglass-ps for all accounts in your organization and provide access to break-glass user
{
"action": "create",
"linkData": "root%all%Breakglass-ps%break-glass%USER%ssofile"
}
The solution provides automated change access management through the following features:
SupportNestedOU to true in your environment configuration file. If the nested OU support is configured, when an account moves from a source OU to a destination OU, the solution discovers all the parents of the source OU and destination OU until root , to determine the list of account assignments that need to be removed/added automatically.ImportCurrentSSOConfiguration flag in the configuration file, the solution would import all existing permission sets and account assignments so that they could be updated/deleted through the solution interfacesaccount scope typesenv-importCurrentConfigSM state machine in your AWS IAM Identity Center account and AWS IAM Identity Center region could be run as many times as you require. You could refer to the execution input that the solution uses as part of the pipeline deployment for reference.$ claude mcp add aws-iam-identity-center-extensions \
-- python -m otcore.mcp_server <graph>