Landing Zone Accelerator on AWS - IAM Config
Used to manage all of the IAM resources across the AWS Organization
Validate with Lintel
npx @lintel/lintel check
Definitions
IAM Assumed By Type
Defines the types of principals that can assume IAM roles. Used in IAM role trust policies to specify who or what can assume the role.
Values
- service: AWS services (e.g., ec2.amazonaws.com, lambda.amazonaws.com)
- account: AWS account IDs or root accounts
- principalArn: Specific IAM user, role, or federated user ARNs
- provider: Identity providers for federated access (SAML, OIDC)
Defines the configuration for an Amazon EC2 Windows instance that will automatically configure and manage the AWS Managed Microsoft Active Directory. This instance acts as a domain-joined management server that runs PowerShell scripts to set up users, groups, organizational units, password policies, and other Active Directory configurations.
The configuration instance provides automated setup of the directory structure, eliminating the need for manual Active Directory administration. It can create standardized user accounts, security groups, and organizational structures that integrate with AWS services like Identity Center and AWS Directory Service connectors.
This approach ensures consistent directory configuration across deployments and provides infrastructure-as-code management of Active Directory resources.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
List of Active Directory security groups to create in the managed directory.
Defines the password policy configuration for the AWS Managed Microsoft Active Directory domain. Password policies enforce security requirements for user passwords, including complexity requirements, expiration settings, and account lockout policies to protect against brute force attacks.
These settings apply to all user accounts in the domain and help ensure compliance with organizational security standards and regulatory requirements. The policy is enforced by the domain controllers and affects both interactive logons and programmatic authentication.
9 nested properties
Whether password complexity requirements are enforced.
Number of failed login attempts before the account is locked out.
Number of previous passwords to remember and prevent reuse.
Time in minutes after which the failed login attempt counter is reset.
Account lockout duration in minutes.
Maximum password age in days before users must change their password.
Minimum password age in days before users can change their password again.
Minimum password length in characters.
Whether passwords can be stored using reversible encryption. Leave this false: reversible storage lets anyone who can read the directory database recover plaintext passwords, which defeats every other setting in this policy.
List of per-account Active Directory groups to create.
List of Active Directory users to create in the managed directory.
List of CIDR blocks or IP addresses that are allowed inbound access to the configuration instance. Restrict this to administrative networks; an entry such as 0.0.0.0/0 exposes a domain-joined management host to every source that can reach its subnet.
List of PowerShell scripts that will be executed on the configuration instance to set up the Active Directory environment.
Whether to enable termination protection for the configuration instance.
Defines a PowerShell script that will be executed on the Active Directory configuration instance during startup. These scripts automate the setup and configuration of the AWS Managed Microsoft Active Directory, including tasks like domain joining, user creation, group setup, and policy configuration.
The scripts are executed in the order they are specified in the userDataScripts array. The Landing Zone Accelerator provides sample scripts for common Active Directory setup tasks, but you can customize these or provide your own scripts to meet specific requirements.
All scripts must be PowerShell scripts (.ps1 or .psm1 files) and must be present in your configuration repository at the specified paths.
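The configuration-instance and password-policy descriptions above, as an added example that is not taken from the accelerator's own documentation or sample configuration: an activeDirectoryConfigurationInstance fragment for iam-config.yaml with the inbound allow list scoped to one subnet, termination protection on, an ordered script list, and a weak password policy shown (commented out) beside the hardened one. Key names follow the iam-config.yaml schema as I understand it; the VPC, subnet, role, image path, script files, CIDR, group and user names are assumptions, and the script subset is illustrative (the sample scripts shipped with the accelerator have their own dependencies and order).

```yaml
# Added example, not the accelerator's sample config.
# VPC/subnet/role names, script paths, CIDR, groups and users are constructed values.
managedActiveDirectories:
  - name: AcceleratorManagedActiveDirectory
    # directory-level settings (account, region, dnsName, vpcSettings, edition) omitted
    activeDirectoryConfigurationInstance:
      instanceType: t3.large
      vpcName: Network-Shared                       # hypothetical VPC from network-config.yaml
      subnetName: Network-Shared-Private-A
      imagePath: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base
      instanceRole: EC2-Default-SSM-AD-Role         # role from roleSets with SSM and directory access
      # Inbound allow list: the administrative subnet only, never 0.0.0.0/0
      securityGroupInboundSources:
        - 10.0.10.0/24
      enableTerminationProtection: true
      # Executed in this order; every file must exist in the configuration repository
      userDataScripts:
        - scriptName: JoinDomain
          scriptFilePath: ad-config-scripts/Join-Domain.ps1
        - scriptName: ADGroupSetup
          scriptFilePath: ad-config-scripts/AD-group-setup.ps1
        - scriptName: ADUserSetup
          scriptFilePath: ad-config-scripts/AD-user-setup.ps1
        - scriptName: ConfigurePasswordPolicy
          scriptFilePath: ad-config-scripts/Configure-password-policy.ps1
      adGroups:
        - aws-Provisioning
      adPerAccountGroups:
        - "*-Admin"                                  # quoted: a bare * starts a YAML alias
        - "*-View"
      adConnectorGroup: ADConnector-grp
      adUsers:
        - name: adconnector-usr
          email: adconnector-usr@example.com
          groups:
            - ADConnector-grp
      # Weak policy (do not use): short passwords, no lockout, no history, reversible storage
      # adPasswordPolicy:
      #   complexity: false
      #   failedAttempts: 0
      #   history: 0
      #   lockoutAttemptsReset: 0
      #   lockoutDuration: 0
      #   maximumAge: 0
      #   minimumAge: 0
      #   minimumLength: 8
      #   reversible: true
      # Hardened policy
      adPasswordPolicy:
        complexity: true
        failedAttempts: 5          # lock after 5 failures inside the reset window
        history: 24                # remember 24 previous passwords
        lockoutAttemptsReset: 30   # minutes before the failure counter resets
        lockoutDuration: 30        # minutes the account stays locked
        maximumAge: 90             # days
        minimumAge: 1              # days; without this a user can cycle through the history at once
        minimumLength: 14
        reversible: false          # reversible storage is equivalent to plaintext
```

The minimumAge value is the one most often left at 0: with history alone, a user can change the password 25 times in a row and land back on the original, so the history setting only bites when a minimum age is enforced.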
Defines a user account to be created in the AWS Managed Microsoft Active Directory. These users can be used for human authentication, service accounts for AWS integrations, or connector accounts for AWS services that need to authenticate to the directory.
Users created through this configuration will be standard Active Directory user accounts with the specified group memberships and email attributes. They can be used for authentication to AWS services through Identity Center.
List of Active Directory groups that this user should be added to.
Defines the trust relationship for an IAM role by specifying which principals (entities) can assume the role. The trust relationship is a key component of IAM roles that determines who or what can use the role to access AWS resources.
This configuration creates the trust policy (assume role policy) attached to the IAM role. It allows the listed principals to obtain the role's credentials through AWS Security Token Service (STS): sts:AssumeRole for service, account and principalArn principals, and sts:AssumeRoleWithSAML or sts:AssumeRoleWithWebIdentity for provider principals.
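The assumed-by types listed at the top of this page and the trust-relationship description above, as an added example that is not from the accelerator's documentation: a roleSets fragment for iam-config.yaml with one role per assumedBy type, plus the providers entry that the provider type refers to. Key names follow the iam-config.yaml schema as I understand it; the account IDs, role names, policy names, provider name and metadata path are assumptions.

```yaml
# Added example, not the accelerator's sample config.
# Account IDs, role names, policy names and the provider are constructed values.
roleSets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    roles:
      # service: EC2 in the same account; instanceProfile makes the role attachable to instances
      - name: EC2-Default-SSM-AD-Role
        instanceProfile: true
        assumedBy:
          - type: service
            principal: ec2.amazonaws.com
        policies:
          awsManaged:
            - AmazonSSMManagedInstanceCore
            - AmazonSSMDirectoryServiceAccess
        boundaryPolicy: Default-Boundary-Policy   # a customer managed policy from policySets

      # principalArn: exactly one named role in another account may assume this role.
      # Prefer this over type: account, which trusts every principal in that account
      # whose own IAM policies allow sts:AssumeRole on this role.
      - name: Security-Audit-ReadOnly
        assumedBy:
          - type: principalArn
            principal: arn:aws:iam::111111111111:role/SecurityAuditor
        policies:
          awsManaged:
            - SecurityAudit

      # account: whole-account trust; the far account decides who can assume, so
      # keep the permissions narrow and bound them with a boundary policy
      - name: Cross-Account-Deploy
        assumedBy:
          - type: account
            principal: "222222222222"
        policies:
          customerManaged:
            - Deploy-Pipeline-Policy
        boundaryPolicy: Default-Boundary-Policy

      # provider: users federated through the SAML provider defined under providers
      - name: Federated-ReadOnly
        assumedBy:
          - type: provider
            principal: CorpSaml   # providers[].name
        policies:
          awsManaged:
            - ReadOnlyAccess
providers:
  - name: CorpSaml
    metadataDocument: saml-metadata/corp-idp.xml   # IdP metadata file in the config repository
```

The two cross-account shapes differ in where the access decision lives: with principalArn the trust policy names the caller, while with account the trust policy accepts anyone the other account's administrators choose to permit, so a compromise or misconfiguration over there becomes your problem.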
Defines a reference to a customer managed IAM policy to use as a permissions boundary for Identity Center permission sets. This configuration specifies the name and path of an existing customer managed policy that will limit the maximum permissions granted by the permission set.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Defines an AWS IAM group configuration. IAM groups are collections of IAM users that make it easier to manage permissions for multiple users. Instead of attaching policies to individual users, you can attach policies to groups and then add users to the appropriate groups.
Groups provide a way to organize users and apply common permissions. When you add a user to a group, the user inherits all the permissions assigned to that group through attached policies. Users can belong to multiple groups and will have the combined permissions of all their groups.
Defines the IAM policies to attach to a group or role. Policies grant permissions by defining what actions are allowed or denied on which AWS resources. This configuration supports both AWS managed policies (created and maintained by AWS) and customer managed policies (created and maintained by you).
AWS managed policies are standalone policies that are created and maintained by AWS. They typically grant permissions for common use cases and are updated by AWS when new services or features are released.
Customer managed policies are standalone policies that you create and maintain in your AWS account. They provide more precise control over permissions than AWS managed policies.
2 nested properties
List of AWS managed policies to attach. Values can be policy ARNs or policy names.
List of customer managed policy names to attach.
Defines a collection of IAM groups to be deployed to specific AWS accounts or organizational units. Group sets provide a way to consistently deploy the same set of groups with their associated policies across multiple accounts in your AWS organization, ensuring standardized permission structures and access management.
This is particularly useful for establishing consistent organizational roles (like Administrators, Developers, ReadOnly users) across all accounts in your organization with the same permissions and access patterns.
List of IAM groups to create in the targeted accounts.
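The group, policy-attachment and group-set descriptions above, as an added example that is not from the accelerator's documentation: a policySets entry that deploys a customer managed policy from a JSON file, a groupSets entry that attaches it next to an AWS managed policy (with an account exclusion overriding the OU target), and a userSets entry that uses it as a permissions boundary. Key names follow the iam-config.yaml schema as I understand it; the OU, account, group, user, policy and file names are assumptions.

```yaml
# Added example, not the accelerator's sample config.
# OU, account, group, user, policy and file names are constructed values.
policySets:
  - deploymentTargets:
      organizationalUnits:
        - Root                      # the policy must exist in every account that references it
    policies:
      - name: Developer-Boundary
        policy: iam-policies/developer-boundary.json   # JSON policy document in the config repository
groupSets:
  - deploymentTargets:
      organizationalUnits:
        - Workloads
      excludedAccounts:
        - Management                # exclusion wins over the OU inclusion
    groups:
      - name: Developers
        policies:
          awsManaged:
            - PowerUserAccess
          customerManaged:
            - Developer-Boundary    # name from policySets
      - name: ReadOnly
        policies:
          awsManaged:
            - arn:aws:iam::aws:policy/ReadOnlyAccess   # ARN form is also accepted
userSets:
  - deploymentTargets:
      accounts:
        - Management
    users:
      - username: breakglass01      # IAM user; keep these rare and boundary-limited
        group: Developers
        boundaryPolicy: Developer-Boundary
```

The boundary on the user matters more than the group membership: the user's effective permissions are the intersection of the group's policies and Developer-Boundary, so a later addition of AdministratorAccess to the group cannot raise this user above the boundary.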
AWS Identity and Access Management (IAM) configuration for the Landing Zone Accelerator. This configuration defines IAM identities (users, groups, roles), policies, and related services like SAML providers, AWS Managed Microsoft AD, and AWS Identity Center.
IAM enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM group sets configuration.
The primary AWS region where global IAM resources will be managed and deployed.
Defines AWS IAM Identity Center (successor to AWS Single Sign-On) configuration for centralized access management across your AWS organization. Identity Center enables you to create or connect your workforce identities and centrally manage their access to multiple AWS accounts and applications.
Identity Center provides a single place where you can create users and groups, or connect to your existing identity source (such as Microsoft Active Directory), and assign their level of access to each AWS account in your organization. Users get a user portal where they can find and access all their assigned AWS accounts and applications in one place.
This configuration allows you to define permission sets (collections of policies) and assignments (which users/groups get which permissions in which accounts).
4 nested properties
List of assignments that grant users or groups access to AWS accounts using permission sets. Assignments determine which users can access which accounts with what level of permissions.
List of permission sets to create in AWS Identity Center. Permission sets define collections of policies that determine what actions users can perform when they access AWS accounts.
AWS Managed Microsoft AD creates a fully managed Microsoft Active Directory in the AWS Cloud. It enables you to run directory-aware workloads in AWS, including Microsoft SharePoint, Microsoft SQL Server Always On Availability Groups, and .NET applications.
IAM managed policy sets configuration.
SAML identity provider configuration for federated access to AWS.
Role sets configuration
IAM user sets configuration.
Defines an Identity Center assignment that grants users or groups access to AWS accounts with specific permissions. Assignments are the mechanism that connects your identity source (users and groups) with AWS accounts and the level of access they should have (permission sets).
When you create an assignment, Identity Center creates an IAM role in the target AWS account based on the permission set configuration. Users or groups can then assume this role to access AWS resources with the permissions defined in the permission set.
Assignments can target specific AWS accounts or entire organizational units, and can be made to individual users or groups of users.
IAM Principal Type
Defines the types of IAM principals that can be referenced in policies and access control configurations.
Values
- USER: IAM users (individual identities)
- GROUP: IAM groups (collections of users)
List of principals (users or groups) to grant access to the specified AWS accounts.
Defines a principal (user or group) for Identity Center permission set assignments. Principals are the identities from your identity source that will be granted access to AWS accounts through Identity Center assignments.
This configuration allows you to specify principals by their human-readable names rather than internal IDs, making the configuration more maintainable and easier to understand. The accelerator will resolve these names to the appropriate internal identifiers during deployment.
Defines an AWS Identity Center permission set configuration. Permission sets are templates that define a collection of policies and permissions that determine what users and groups can access within AWS accounts. They act as a bridge between your identity source (users and groups) and AWS accounts, defining what level of access identities have when they access AWS resources.
Permission sets are assigned to users or groups for specific AWS accounts, creating the actual access permissions. When users sign in through Identity Center, they can assume roles based on their permission set assignments to access AWS resources.
Each permission set can include AWS managed policies, customer managed policies, inline policies, and permissions boundaries to provide fine-grained access control.
Defines the policy configuration for an Identity Center permission set. This configuration specifies which policies will be attached to the permission set to define the permissions that users will have when they assume roles created from this permission set.
Identity Center supports multiple types of policies that can be combined to create the exact permissions needed: AWS managed policies (maintained by AWS), customer managed policies (maintained by you), accelerator managed policies (created by the Landing Zone Accelerator), inline policies (embedded directly in the permission set), and permissions boundaries (to limit maximum permissions).
5 nested properties
List of accelerator-managed policy names to attach to this permission set.
List of AWS managed policies to attach to this permission set.
List of customer managed policy names to attach to this permission set.
Defines a permissions boundary configuration for Identity Center permission sets. A permissions boundary is an advanced IAM feature that sets the maximum permissions that an identity-based policy can grant to an IAM entity. When applied to a permission set, it limits the effective permissions to the intersection of the permission set's policies and the permissions boundary.
Permissions boundaries are useful for delegating permission management while maintaining security guardrails. They allow you to grant users the ability to create and manage IAM entities while ensuring those entities cannot exceed certain permission limits.
Specify either customerManagedPolicy to use the name and path of a customer managed policy, or managedPolicy to use the ARN of an AWS managed policy.
2 nested properties
Defines a reference to a customer managed IAM policy to use as a permissions boundary for Identity Center permission sets. This configuration specifies the name and path of an existing customer managed policy that will limit the maximum permissions granted by the permission set.
The length of time (in minutes) that users can stay signed in to their AWS session.
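The Identity Center assignment, principal, permission-set, policy and permissions-boundary descriptions above, as an added example that is not from the accelerator's documentation: an identityCenter fragment for iam-config.yaml with two permission sets (one bounded by a customer managed policy, one by an AWS managed policy ARN, as the boundary section describes) and two assignments, one scoped to an OU with an excluded account. Key names follow the iam-config.yaml schema as I understand it; the account, OU, policy, group and user names and the session lengths are assumptions.

```yaml
# Added example, not the accelerator's sample config.
# Account, OU, policy, group and user names are constructed values.
identityCenter:
  name: OrgIdentityCenter
  delegatedAdminAccount: Audit       # administer Identity Center from a member account, not Management
  identityCenterPermissionSets:
    - name: Developer
      sessionDuration: 60            # minutes; a short session bounds the life of stolen credentials
      policies:
        awsManaged:
          - PowerUserAccess
        customerManaged:
          - Developer-Base-Policy    # must already exist in every account the assignment targets
        inlinePolicy: iam-policies/developer-inline.json
        # effective permissions = intersection of the policies above and the boundary
        permissionsBoundary:
          customerManagedPolicy:
            name: Developer-Boundary
            path: /
    - name: ReadOnly
      sessionDuration: 480
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/ReadOnlyAccess
        permissionsBoundary:
          managedPolicy: arn:aws:iam::aws:policy/ReadOnlyAccess
  identityCenterAssignments:
    - name: Developers-Workloads
      permissionSetName: Developer
      principals:
        - type: GROUP
          name: Developers           # resolved by name in the identity source at deploy time
      deploymentTargets:
        organizationalUnits:
          - Workloads
        excludedAccounts:
          - Payments-Prod            # developers get no standing access here
    - name: Auditors-All
      permissionSetName: ReadOnly
      principals:
        - type: GROUP
          name: SecurityAuditors
        - type: USER
          name: breakglass.auditor
      deploymentTargets:
        organizationalUnits:
          - Root
```

Each assignment provisions an IAM role in every target account, so the excludedAccounts list is the control that keeps a role out of an account entirely; a boundary only limits what the role can do once it exists.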
Defines an AWS Managed Microsoft Active Directory configuration. AWS Managed Microsoft AD is a fully managed Microsoft Active Directory service in the AWS Cloud. It provides a highly available, resilient Active Directory infrastructure that can be used for user authentication, group policies, and integration with other AWS services.
This service enables you to run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint, Microsoft SQL Server Always On Availability Groups, and .NET applications. It also supports integration with AWS services like Amazon WorkSpaces, Amazon QuickSight, and AWS IAM Identity Center (successor to AWS Single Sign-On).
The edition of AWS Managed Microsoft AD to deploy (Standard or Enterprise).
The AWS region where the managed Active Directory will be deployed.
Defines the VPC network configuration for AWS Managed Microsoft Active Directory. The directory requires network connectivity within a VPC to provide domain services to EC2 instances and other AWS resources. The directory domain controllers will be deployed in the specified subnets and will provide DNS and authentication services to resources in the VPC.
For high availability and fault tolerance, the directory requires at least two subnets in different Availability Zones. The directory will automatically deploy domain controllers across these subnets to ensure service availability.
2 nested properties
List of subnet names where the directory domain controllers will be deployed.
Defines the configuration for an Amazon EC2 Windows instance that will automatically configure and manage the AWS Managed Microsoft Active Directory. This instance acts as a domain-joined management server that runs PowerShell scripts to set up users, groups, organizational units, password policies, and other Active Directory configurations.
The configuration instance provides automated setup of the directory structure, eliminating the need for manual Active Directory administration. It can create standardized user accounts, security groups, and organizational structures that integrate with AWS services like Identity Center and AWS Directory Service connectors.
This approach ensures consistent directory configuration across deployments and provides infrastructure-as-code management of Active Directory resources.
13 nested properties
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
List of Active Directory security groups to create in the managed directory.
Defines the password policy configuration for the AWS Managed Microsoft Active Directory domain. Password policies enforce security requirements for user passwords, including complexity requirements, expiration settings, and account lockout policies to protect against brute force attacks.
These settings apply to all user accounts in the domain and help ensure compliance with organizational security standards and regulatory requirements. The policy is enforced by the domain controllers and affects both interactive logons and programmatic authentication.
Whether password complexity requirements are enforced.
Number of failed login attempts before the account is locked out.
Number of previous passwords to remember and prevent reuse.
Time in minutes after which the failed login attempt counter is reset.
Account lockout duration in minutes.
Maximum password age in days before users must change their password.
Minimum password age in days before users can change their password again.
Minimum password length in characters.
Whether passwords can be stored using reversible encryption.
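As an added example (not part of the accelerator), a small Python check that reviews a password policy block against a constructed baseline before it is deployed, covering the nine properties listed above. The key names (history, maximumAge, minimumAge, minimumLength, complexity, reversible, failedAttempts, lockoutDuration, lockoutAttemptsReset) are assumed from the accelerator's YAML schema, since this page does not show them; the threshold values are the example's own, not accelerator defaults.

```python
"""Baseline check for the directory password policy block (added example)."""
from typing import Any

# Key names are assumed from the accelerator's YAML schema; the page describes
# the nine properties but does not show their names.
REQUIRED_KEYS = (
    "complexity", "failedAttempts", "history", "lockoutAttemptsReset",
    "lockoutDuration", "maximumAge", "minimumAge", "minimumLength", "reversible",
)

# Constructed example baseline (minimum acceptable values), not accelerator defaults.
MINIMUMS = {
    "minimumLength": 14,        # characters
    "history": 24,              # previous passwords remembered
    "minimumAge": 1,            # days; stops cycling through the history in one sitting
    "lockoutDuration": 15,      # minutes
    "lockoutAttemptsReset": 15, # minutes
}
MAX_FAILED_ATTEMPTS = 10        # a lockout threshold above this is too lenient
MAX_PASSWORD_AGE_DAYS = 365

# Constructed sample that meets the baseline.
STRONG_POLICY: dict[str, Any] = {
    "history": 24, "maximumAge": 90, "minimumAge": 1, "minimumLength": 14,
    "complexity": True, "reversible": False,
    "failedAttempts": 6, "lockoutDuration": 30, "lockoutAttemptsReset": 30,
}


def check_password_policy(policy: dict[str, Any]) -> list[str]:
    """Return findings for a policy mapping; an empty list means it meets the baseline."""
    missing = [k for k in REQUIRED_KEYS if k not in policy]
    if missing:
        return [f"missing keys: {', '.join(missing)}"]
    findings: list[str] = []

    # Boolean controls: complexity on, reversible encryption off
    # (reversibly encrypted passwords can be recovered by anyone who reads the store).
    if policy["complexity"] is not True:
        findings.append("complexity must be true")
    if policy["reversible"] is not False:
        findings.append("reversible must be false")

    # Numeric floors.
    for key, floor in MINIMUMS.items():
        if policy[key] < floor:
            findings.append(f"{key}={policy[key]} is below baseline {floor}")

    # failedAttempts=0 disables lockout; a very high threshold makes it ineffective.
    attempts = policy["failedAttempts"]
    if attempts < 1:
        findings.append(f"failedAttempts={attempts} disables account lockout")
    elif attempts > MAX_FAILED_ATTEMPTS:
        findings.append(f"failedAttempts={attempts} exceeds baseline {MAX_FAILED_ATTEMPTS}")

    # maximumAge must be a positive bound and exceed minimumAge, or rotation never happens.
    max_age = policy["maximumAge"]
    if not 1 <= max_age <= MAX_PASSWORD_AGE_DAYS:
        findings.append(f"maximumAge={max_age} outside 1..{MAX_PASSWORD_AGE_DAYS} days")
    elif max_age <= policy["minimumAge"]:
        findings.append("maximumAge must be greater than minimumAge")
    return findings


if __name__ == "__main__":
    weak = {**STRONG_POLICY, "reversible": True, "failedAttempts": 0, "minimumLength": 8}
    for name, pol in (("strong", STRONG_POLICY), ("weak", weak)):
        print(name, check_password_policy(pol) or "OK")
```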
List of per-account Active Directory groups to create.
List of Active Directory users to create in the managed directory.
List of CIDR blocks or IP addresses that are allowed inbound access to the configuration instance.
List of PowerShell scripts that will be executed on the configuration instance to set up the Active Directory environment.
Whether to enable termination protection for the configuration instance.
Defines the logging configuration for AWS Managed Microsoft Active Directory. Directory logging captures security events, authentication attempts, group policy applications, and other directory activities in Amazon CloudWatch Logs for monitoring, troubleshooting, and compliance auditing.
Directory logs provide valuable insights into user authentication patterns, failed login attempts, group membership changes, and other security-relevant events. This information is essential for security monitoring, incident response, and meeting compliance requirements.
Logs are automatically forwarded from the directory domain controllers to the specified CloudWatch log group, where they can be searched, filtered, and analyzed using CloudWatch Logs Insights or exported to other analysis tools.
The number of days to retain log events in the CloudWatch log group.
Defines the configuration for storing AWS Managed Microsoft Active Directory administrator credentials in AWS Secrets Manager. When a managed directory is created, AWS automatically generates administrator credentials that can be securely stored and retrieved from Secrets Manager.
This configuration allows you to specify where the administrator secret should be stored, providing secure access to directory administration capabilities without hardcoding credentials in your infrastructure code.
The AWS region where the administrator secret will be stored.
List of AWS account names to share the directory with directly.
Defines the organizational unit (OU) sharing configuration for AWS Managed Microsoft Active Directory. Directory sharing allows other AWS accounts in your organization to use the managed Active Directory for authentication and authorization, enabling centralized identity management across multiple accounts.
When you share a directory with other accounts, those accounts can:
- Join EC2 instances to the domain
- Use the directory for AWS Single Sign-On (Identity Center) authentication
- Access directory information for applications and services
- Authenticate users and groups from the shared directory
This configuration allows you to specify which organizational units should have access to the directory, with optional exclusions for specific accounts that should not have access.
List of organizational unit names that should have access to the managed Active Directory.
List of AWS account names that should be excluded from directory sharing, even if they are in the specified organizational units.
Defines a permissions boundary configuration for Identity Center permission sets. A permissions boundary is an advanced IAM feature that sets the maximum permissions that an identity-based policy can grant to an IAM entity. When applied to a permission set, it limits the effective permissions to the intersection of the permission set's policies and the permissions boundary.
Permissions boundaries are useful for delegating permission management while maintaining security guardrails. They allow you to grant users the ability to create and manage IAM entities while ensuring those entities cannot exceed certain permission limits.
Specify either customerManagedPolicy to use the name and path of a customer managed policy, or managedPolicy to use the ARN of an AWS managed policy.
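A simplified model of that intersection in Python, as an added example and not the accelerator's or IAM's own evaluation logic: a boundary never grants anything on its own, an action is effective only when both the permission set's policies and the boundary allow it, and an explicit Deny in either wins. The model assumes action-level statements with Resource "*" and ignores resource ARNs, Conditions, NotAction and service control policies; the policy documents are constructed.

```python
"""Permission set policies intersected with a permissions boundary (added, simplified model)."""
import fnmatch
from typing import Any

# Model scope (assumption): only Effect and Action are evaluated, Resource is "*",
# and Condition, NotAction and SCPs are out of scope. Real IAM evaluation weighs those too.


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and '*' matches any run of characters.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: dict[str, Any], action: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins within a document
            decision = "Allow"
    return decision


def allowed_with_boundary(identity_policies: list[dict], boundary: dict, action: str) -> bool:
    """Effective permission = identity Allow AND boundary Allow, with any explicit Deny winning."""
    if evaluate(boundary, action) != "Allow":
        return False                   # the boundary only caps; it never grants
    decisions = [evaluate(p, action) for p in identity_policies]
    return "Deny" not in decisions and "Allow" in decisions


# Constructed example documents: the permission set is broad on S3, the boundary is narrow.
PERMISSION_SET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "ec2:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]}

if __name__ == "__main__":
    for action in ("s3:GetObject", "s3:PutObject", "ec2:DescribeInstances",
                   "ec2:RunInstances", "ec2:TerminateInstances"):
        print(f"{action:24} {allowed_with_boundary([PERMISSION_SET_POLICY], BOUNDARY, action)}")
```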
Defines a reference to a customer managed IAM policy to use as a permissions boundary for Identity Center permission sets. This configuration specifies the name and path of an existing customer managed policy that will limit the maximum permissions granted by the permission set.
Defines the IAM policies to attach to a group or role. Policies grant permissions by defining what actions are allowed or denied on which AWS resources. This configuration supports both AWS managed policies (created and maintained by AWS) and customer managed policies (created and maintained by you).
AWS managed policies are standalone policies that are created and maintained by AWS. They typically grant permissions for common use cases and are updated by AWS when new services or features are released.
Customer managed policies are standalone policies that you create and maintain in your AWS account. They provide more precise control over permissions than AWS managed policies.
List of AWS managed policies to attach. Values can be policy ARNs or policy names.
List of customer managed policy names to attach.
Defines an AWS IAM customer managed policy that will be created and managed by the accelerator. IAM managed policies are standalone identity-based policies that you can attach to multiple users, groups, or roles in your AWS account. Unlike inline policies, managed policies have their own Amazon Resource Name (ARN) and can be versioned.
The policy document content is read from a JSON file in your configuration repository, allowing you to define complex permissions using standard IAM policy syntax.
Defines a collection of IAM managed policies to be deployed to specific AWS accounts or organizational units. Policy sets provide a way to consistently deploy custom managed policies across multiple accounts in your AWS organization, ensuring standardized permission definitions that can be referenced by roles, groups, and users.
Managed policies created through policy sets can be used as permissions boundaries, attached to IAM entities, or referenced in Identity Center permission sets. This provides a centralized way to define and maintain custom permissions across your organization.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
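The precedence rules above (account exclusions win over OU and account inclusions, region exclusions are removed from the enabled regions) worked through in Python, as an added example rather than accelerator code. The organization layout and enabled regions are constructed; organizationalUnits, excludedAccounts and excludedRegions are the keys shown in the example block, while accounts for account-level targeting is an assumed key name.

```python
"""Resolve a deploymentTargets block into concrete accounts and regions (added example)."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Org:
    """Constructed view of the organization: OU name -> member account names."""
    ou_accounts: dict[str, frozenset[str]]
    root_accounts: frozenset[str]          # accounts not under any listed OU
    enabled_regions: frozenset[str]

    def all_accounts(self) -> frozenset[str]:
        members = set(self.root_accounts)
        for names in self.ou_accounts.values():
            members |= names
        return frozenset(members)


@dataclass(frozen=True)
class Resolved:
    accounts: frozenset[str]
    regions: frozenset[str]
    warnings: tuple[str, ...]


def resolve_targets(targets: dict[str, Any], org: Org) -> Resolved:
    """Apply inclusions first, then exclusions, so an exclusion always wins.

    organizationalUnits, excludedAccounts and excludedRegions are the keys shown on the
    page; 'accounts' for account-level targeting is an assumed key name.
    """
    warnings: list[str] = []
    selected: set[str] = set()
    for ou in targets.get("organizationalUnits", []):
        if ou not in org.ou_accounts:
            raise ValueError(f"unknown organizational unit: {ou}")
        selected |= org.ou_accounts[ou]
    for account in targets.get("accounts", []):
        if account not in org.all_accounts():
            raise ValueError(f"unknown account: {account}")
        selected.add(account)
    for account in targets.get("excludedAccounts", []):
        if account not in selected:
            # Legal, but usually means the author expected the account to be in scope.
            warnings.append(f"excludedAccounts entry '{account}' was not selected by any inclusion")
        selected.discard(account)
    regions = set(org.enabled_regions) - set(targets.get("excludedRegions", []))
    if not selected or not regions:
        warnings.append("target set is empty; nothing would be deployed")
    return Resolved(frozenset(selected), frozenset(regions), tuple(warnings))


# Constructed organization and the page's example block for the demonstration.
EXAMPLE_ORG = Org(
    ou_accounts={
        "Production": frozenset({"Prod-App", "Prod-Data"}),
        "Development": frozenset({"Dev-Sandbox"}),
        "Security": frozenset({"LogArchive", "Audit"}),
    },
    root_accounts=frozenset({"Management"}),
    enabled_regions=frozenset({"us-east-1", "us-west-1", "eu-west-1"}),
)
PAGE_EXAMPLE = {
    "organizationalUnits": ["Production", "Development"],
    "excludedAccounts": ["Management"],
    "excludedRegions": ["us-west-1"],
}

if __name__ == "__main__":
    result = resolve_targets(PAGE_EXAMPLE, EXAMPLE_ORG)
    print(sorted(result.accounts), sorted(result.regions), result.warnings)
```

In the constructed organization the Management account sits at the root rather than in a targeted OU, so the page's exclusion of it is a no-op and the resolver reports that.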
List of IAM managed policies to create in the targeted accounts.
Indicates whether these policies are used in AWS Identity Center permission set assignments.
Defines an AWS IAM role configuration. IAM roles are AWS identities with specific permissions that can be assumed by trusted entities such as AWS services, users, or applications. Unlike IAM users, roles don't have permanent credentials - instead, they provide temporary security credentials when assumed.
Roles are commonly used for cross-account access, service-to-service authentication, and providing temporary access to AWS resources without embedding long-term credentials.
List of principals that can assume this role and their trust relationship configuration.
List of external IDs that must be provided when assuming this role.
Specifies whether to create an EC2 instance profile for this role.
Defines a collection of IAM roles to be deployed to specific AWS accounts or organizational units. Role sets provide a way to consistently deploy the same set of roles with their trust relationships and permissions across multiple accounts in your AWS organization, ensuring standardized access patterns for services, cross-account access, and federated users.
This is particularly useful for creating service roles (like EC2 instance roles), cross-account access roles, or federated access roles that need to exist across multiple accounts with consistent configurations.
List of IAM roles to create in the targeted accounts.
Defines a Security Assertion Markup Language (SAML) 2.0 identity provider configuration for AWS IAM. SAML providers enable federated access to AWS resources by allowing users to authenticate with external identity providers (such as Microsoft Active Directory, Okta, or Azure AD) and assume AWS IAM roles without needing separate AWS credentials.
This configuration creates an IAM SAML identity provider that can be referenced in role trust policies to enable single sign-on (SSO) access to AWS.
Defines an AWS IAM user configuration. IAM users are identities with long-term credentials that can be used to access AWS services and resources. Each user has a unique name within the AWS account and can be assigned to groups, have policies attached directly, and optionally have AWS Management Console access with a password.
IAM users are typically used for individual people or applications that need access to AWS services through the AWS Management Console, the AWS CLI, or an AWS SDK. For console access, users can be granted a password to sign in to the AWS Management Console.
Controls whether the user can access the AWS Management Console with a password.
Defines a collection of IAM users to be deployed to specific AWS accounts or organizational units. User sets provide a way to consistently deploy the same set of users across multiple accounts in your AWS organization, ensuring standardized access patterns and user management.
This is particularly useful for creating break-glass users, service accounts, or other administrative users that need to exist across multiple accounts with consistent configurations.
List of IAM users to create in the targeted accounts.
IAM Principal Type
Defines the types of IAM principals that can be referenced in policies and access control configurations.
Values
- USER: IAM users (individual identities)
- GROUP: IAM groups (collections of users)