Create AWS role groups in an external directory

To access each Amazon Web Services (AWS) account, you need to create groups in an external directory for each AWS role for each of these accounts. A filter uses these group names to associate them with the corresponding AWS roles.

  1. Create AWS role-specific groups in your directory using one of the following methods:

    • Run a script to create external-directory groups for each role in each account

      This option offers the greatest possibility of automation but requires coordination between your AWS and external-directory management teams for the script to be configured.

    • CSV file export from AWS

      If a scripting approach between AWS and the external directory isn't possible, a simpler approach may be to export to a CSV file a list of role names for each of your AWS accounts. You can then provide the list to your external-directory administration teams. From there, they can manage the creation of AWS role groups without any sort of dependencies or direct integration with your AWS accounts themselves.

    • Manual creation of AWS role groups in the external directory

      This is the simplest method. However, it requires upkeep and ample setup time to create groups in the external directory for each of the roles in each of your accounts.

  2. Create an organizational unit (OU) in your directory to contain all AWS role-specific groups to be associated with AWS roles (for example, AWS Role Groups and AWS Entitlements).

  3. Using a standard syntax, create external directory-security groups for each role.

    Recommended syntax:

    aws#[account alias]#[role name]#[account #]

    Example:

    aws#northamerica-production#Tier1_Support#828416469395

    Also available is a Regex expression to filter AWS-related groups and extract accountid and role.

    Example:

    aws_(?{{accountid}}\d+)_(?{{role}}[a-zA-Z0-9+=,.@\-_]+)

If you use your own group syntax, make sure to include an account alias, role name, and account # with recognizable delimiters between each. You'll also need to create a custom regex expression.

Next steps

Create management groups to map users to AWS accounts and roles