Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

AWS::SSO::InstanceAccessControlAttributeConfiguration

RSS
Focus mode
AWS::SSO::InstanceAccessControlAttributeConfiguration - AWS CloudFormation
SyntaxPropertiesReturn valuesExamples
Filter View

Enables the attribute-based access control (ABAC) feature for the specified IAM Identity Center instance. You can also specify new attributes to add to your ABAC configuration during the enabling process. For more information about ABAC, see Attribute-Based Access Control in the IAM Identity Center User Guide.

Note

The InstanceAccessControlAttributeConfiguration property has been deprecated but is still supported for backwards compatibility purposes. We recommend that you use the AccessControlAttributes property instead.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::SSO::InstanceAccessControlAttributeConfiguration",
  "Properties" : {
      "AccessControlAttributes" : [ AccessControlAttribute, ... ],
      "InstanceArn" : String
    }
}

YAML

Type: AWS::SSO::InstanceAccessControlAttributeConfiguration
Properties:
  AccessControlAttributes: 
    - AccessControlAttribute
  InstanceArn: String

Properties

AccessControlAttributes

Lists the attributes that are configured for ABAC in the specified IAM Identity Center instance.

Required: No

Type: Array of AccessControlAttribute

Maximum: 50

Update requires: No interruption

InstanceArn

The ARN of the IAM Identity Center instance under which the operation will be executed.

Required: Yes

Type: String

Pattern: arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}

Minimum: 10

Maximum: 1224

Update requires: Replacement

Return values

Ref

Specifies the IAM Identity Center identity store attributes to add to your ABAC configuration. When using an external identity provider as an identity source, you can pass attributes through the SAML assertion. Doing so provides an alternative to configuring attributes from the IAM Identity Center identity store. If a SAML assertion passes any of these attributes, IAM Identity Center will replace the attribute value with the value from the IAM Identity Center identity store.

Examples

Enabling and configuring attributes used for access control in IAM Identity Center

The following example enables ABAC in IAM Identity Center and creates a new attribute key CostCenter that is mapped to the Value “${path:enterprise.costCenter}” which is coming from your identity source.

JSON

{
    "Resources": {
        "ABAC": {
            "Type": "AWS::SSO::InstanceAccessControlAttributeConfiguration",
            "Properties": {
                "InstanceArn": "arn:aws:sso:::instance/ssoins-instanceId",
                "AccessControlAttributes": [
                    {
                        "Key": "CostCenter",
                        "Value": {
                            "Source": [
                                "${path:enterprise.costCenter}"
                            ]
                        }
                    }
                ]
            }
        }
    }
}

YAML

Resources:
  ABAC:
    Type: 'AWS::SSO::InstanceAccessControlAttributeConfiguration'
    Properties:
      InstanceArn: 'arn:aws:sso:::instance/ssoins-instanceId'
      AccessControlAttributes:
        - Key: CostCenter
          Value:
            Source:
              - '${path:enterprise.costCenter}'

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.