Create AWS role groups in an external directory

To access each Amazon Web Services (AWS) account, you need to create groups in an external directory for each AWS role in each of these accounts. A filter then uses these group names to associate them with the corresponding AWS roles.

  1. Create AWS role-specific groups in your directory using one of the following methods:

    • Run a script to create external-directory groups for each role in each account.

      This option offers the most automation, but configuring the script requires coordination between your AWS management teams and your external-directory management teams.

    • CSV file export from AWS

      If a scripting approach between AWS and the external directory is not possible, a lighter-weight approach is to export a list of role names for each of your AWS accounts to a CSV file that you provide to your external-directory administration teams. From there, they can manage the creation of AWS role groups however they see fit, without any dependency on or direct integration with your AWS accounts.

    • Manual creation of AWS role groups in the external directory

      This is the simplest method; however, it requires ongoing upkeep as well as ample setup time to create groups in the external directory for each of the roles in each of your accounts.

  2. Create an organizational unit (OU) in your directory to contain all AWS role-specific groups to be associated with AWS roles. For example, AWS Role Groups and AWS Entitlements.

  3. Using a standard syntax, create external-directory security groups for each role.

    Recommended syntax:

    aws#[account alias]#[role name]#[account #]

    Example:

    aws#northamerica-production#Tier1_Support#828416469395

    You can also use a regular expression to filter AWS-related groups and extract the account ID and role name. Note that the example below expects underscore delimiters with the account ID before the role name, so it does not match the #-delimited syntax recommended above; the regex must match whichever group syntax you choose.

    Example:

    aws_(?{{accountid}}\d+)_(?{{role}}[a-zA-Z0-9+=,.@\-_]+)

If you use your own group syntax, make sure to include an account alias, a role name, and an account number, with recognizable delimiters between each. You will also need to create a custom regex expression (see Create AWS role groups in an external directory).
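The following is an added example, not Okta's or AWS's own code, that ties the procedure above together: it generates role-group names in the recommended aws#[account alias]#[role name]#[account #] syntax from a CSV export of accounts and roles (the CSV columns account_alias, account_id and role_name are an assumption for this example), then applies a group filter the way the app would to recover the account ID and role from each group name. The page's regex uses Okta's (?{{name}}...) capture syntax; the example translates that to Python's (?P<name>...) so it can be tested locally. The #-delimited filter is constructed to match the recommended syntax; the page's own underscore-delimited regex is kept alongside it to show that a filter must match the delimiters actually used, otherwise no groups map to roles.

```python
import csv
import io
import re

# Recommended group naming syntax from the page: aws#[account alias]#[role name]#[account #]
GROUP_TEMPLATE = "aws#{alias}#{role}#{account_id}"

# Filter written in Okta's (?{{name}}...) capture syntax for the '#'-delimited
# syntax above. Constructed for this example; it is not the page's own regex.
HASH_GROUP_FILTER = r"aws#[^#]+#(?{{role}}[a-zA-Z0-9+=,.@\-_]+)#(?{{accountid}}\d+)"

# The example regex as given on the page (underscore delimiters, account ID first).
PAGE_GROUP_FILTER = r"aws_(?{{accountid}}\d+)_(?{{role}}[a-zA-Z0-9+=,.@\-_]+)"

# Constructed sample CSV export. Column names are an assumption for this example;
# 111122223333 is a placeholder account ID, 828416469395 is the page's own example.
SAMPLE_CSV = """account_alias,account_id,role_name
northamerica-production,828416469395,Tier1_Support
northamerica-production,828416469395,ReadOnly
europe-staging,111122223333,Admin
"""


def okta_regex_to_python(pattern):
    """Translate Okta's (?{{name}}...) named captures into Python's (?P<name>...)."""
    return re.sub(r"\(\?\{\{(\w+)\}\}", r"(?P<\1>", pattern)


def build_group_names(csv_text):
    """Return one group name per (account, role) row of the CSV export.

    Rejects account IDs that are not 12 digits so a malformed export cannot
    produce groups that later fail to match the filter."""
    names = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        account_id = row["account_id"].strip()
        if not (account_id.isdigit() and len(account_id) == 12):
            raise ValueError("account_id must be a 12-digit AWS account ID: %r" % account_id)
        names.append(GROUP_TEMPLATE.format(
            alias=row["account_alias"].strip(),
            role=row["role_name"].strip(),
            account_id=account_id,
        ))
    return names


def extract_role_mappings(group_names, okta_filter=HASH_GROUP_FILTER):
    """Apply the group filter: keep only group names that fully match and
    return {group_name: (accountid, role)} for them. Non-matching groups
    (unrelated groups, or groups using a different delimiter) are dropped."""
    pattern = re.compile(okta_regex_to_python(okta_filter))
    mappings = {}
    for name in group_names:
        match = pattern.fullmatch(name)
        if match:
            mappings[name] = (match.group("accountid"), match.group("role"))
    return mappings


if __name__ == "__main__":
    groups = build_group_names(SAMPLE_CSV) + ["Finance", "aws_828416469395_Tier1_Support"]
    for group, (account_id, role) in extract_role_mappings(groups).items():
        print("%s -> account %s, role %s" % (group, account_id, role))
    # The page's underscore regex matches none of the '#'-delimited groups.
    print("page regex matches:", extract_role_mappings(groups, PAGE_GROUP_FILTER))
```

Running the block prints the three generated groups with their account ID and role; the unrelated "Finance" group and the underscore-delimited group are ignored by the # filter, and the page's underscore regex in turn matches only the underscore-delimited name, which is the mismatch to check for when you adopt your own syntax.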
