Posted On: Nov 25, 2019

Earlier today, AWS Identity and Access Management (IAM) enabled you to use your employees’ existing identity attributes such as cost center and department from your directory to create fine-grained permissions in AWS. Your administrators can use these employee attributes in AWS to implement attribute-based access control to AWS resources and simplify permissions management at scale.  

One way to grant your employees access to AWS resources is through identity federation. You can use a standards-compliant identity provider (IdP) to manage federated access for employees’ identities stored in your corporate directory. Customers told us they want to use identity attributes from their directory to simplify the administrative and end-user experience of managing access for federated users. With this launch, your administrators can configure your IdP to send employee attributes in the AWS session when employees federate into AWS. Using these attributes as tags in AWS, you can simplify the creation of fine-grained permissions so that employees get access only to the AWS resources whose tags match. This reduces the number of distinct permissions you need to create and manage in your AWS account. For example, when developers Bob from team red and Sally from team blue federate into AWS and assume the same IAM role, each gets access only to the project resources tagged for their own team. This is because the IdP sends the team name attribute in the AWS session when Bob and Sally federate into AWS, and the role’s permissions grant access to project resources with a matching team name tag. If Bob later moves to team blue and you update his team name in your directory, Bob automatically gets access to team blue’s project resources without any permissions update in IAM.
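To make the Bob/Sally scenario concrete, the following is an added example (not AWS's own code or documentation) showing the two policy documents involved: a role trust policy that lets the SAML provider assume the role and attach session tags, and a permissions policy whose condition compares the resource's `team` tag with the `${aws:PrincipalTag/team}` policy variable. A small evaluator then simulates how that `StringEquals` condition resolves for each user so the outcome can be checked offline. The account id, IdP name, resource ARN and tag values are constructed placeholders; the evaluator only models `Allow` statements with `StringEquals` conditions and does not model `Resource` ARN matching or explicit `Deny` statements, both of which real IAM also evaluates.

```python
"""Added example, not AWS's own code: IAM trust and permissions policies for
attribute-based access via session tags, plus a toy evaluator for the
${aws:PrincipalTag/...} policy variable. Account id, IdP name, ARN and tag
values are constructed placeholders."""
import fnmatch
import re

ACCOUNT_ID = "123456789012"   # placeholder account id (constructed)
IDP_NAME = "ExampleCorpIdP"   # placeholder SAML provider name (constructed)


def saml_attribute_name(tag_key: str) -> str:
    """SAML attribute name the IdP must emit for AWS to turn it into a session tag."""
    return f"https://aws.amazon.com/SAML/Attributes/PrincipalTag:{tag_key}"


# Trust policy: the IdP may assume the role AND attach session tags (sts:TagSession).
# Without sts:TagSession, a federation call that carries tags is denied.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/{IDP_NAME}"},
        "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# Permissions policy: one role, one statement, scoped by the caller's team tag.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TeamScopedInstanceControl",
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": f"arn:aws:ec2:*:{ACCOUNT_ID}:instance/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}

_POLICY_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _resolve(value: str, principal_tags: dict) -> str:
    """Substitute ${aws:PrincipalTag/key}; raises KeyError if the session lacks the tag."""
    return _POLICY_VAR.sub(lambda m: principal_tags[m.group(1)], value)


def _conditions_hold(condition: dict, principal_tags: dict, resource_tags: dict) -> bool:
    for key, expected in condition.get("StringEquals", {}).items():
        if key.startswith("aws:ResourceTag/"):
            actual = resource_tags.get(key.split("/", 1)[1])
        elif key.startswith("aws:PrincipalTag/"):
            actual = principal_tags.get(key.split("/", 1)[1])
        else:
            return False  # condition key not modelled by this toy evaluator
        try:
            wanted = _resolve(expected, principal_tags)
        except KeyError:
            return False  # unresolvable variable: the condition is not met
        if actual is None or actual != wanted:
            return False
    return True


def is_allowed(policy: dict, action: str, principal_tags: dict, resource_tags: dict) -> bool:
    """True if some Allow statement covers the action and all its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if _conditions_hold(stmt.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False


def walk_through() -> dict:
    """The announcement's scenario with constructed tag values."""
    red_instance, blue_instance = {"team": "red"}, {"team": "blue"}
    bob, sally = {"team": "red"}, {"team": "blue"}
    act = "ec2:StartInstances"
    return {
        "bob_red": is_allowed(PERMISSIONS_POLICY, act, bob, red_instance),
        "bob_blue": is_allowed(PERMISSIONS_POLICY, act, bob, blue_instance),
        "sally_blue": is_allowed(PERMISSIONS_POLICY, act, sally, blue_instance),
        # Bob moves to team blue: only the directory attribute changes, not the policy.
        "bob_after_move_blue": is_allowed(PERMISSIONS_POLICY, act, {"team": "blue"}, blue_instance),
        # A session that arrived without a team tag matches nothing.
        "untagged_session": is_allowed(PERMISSIONS_POLICY, act, {}, red_instance),
        # An action the statement does not list is denied regardless of tags.
        "wrong_action": is_allowed(PERMISSIONS_POLICY, "ec2:TerminateInstances", bob, red_instance),
    }


if __name__ == "__main__":
    for case, allowed in walk_through().items():
        print(f"{case:22s} {'ALLOW' if allowed else 'DENY'}")
```

Two points worth checking when deploying the real thing: the trust policy must grant `sts:TagSession` alongside `sts:AssumeRoleWithSAML`, or federation with tags fails; and the IdP must emit the attribute under the exact `PrincipalTag:` SAML attribute name, since a session that arrives without the tag matches no resource, as the `untagged_session` case shows.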

AWS identity partners Ping Identity, OneLogin, Okta, Auth0, ForgeRock, IBM, and RSA have certified the end-to-end experience for this new capability with their identity solutions, and we look forward to additional partners certifying this capability. Please reach out to your standards-compliant identity provider for guidance. To learn more about how to connect your corporate identities to permissions rules in AWS, see the IAM documentation on passing session tags in an AWS session.