Attribute-based access control (ABAC) for AWS

What is attribute-based access control?

Attribute-based access control (ABAC) is an authorization strategy that lets you create fine-grained permissions based on user attributes, such as department, job role, and team name. User attributes make permissions more intuitive, and they simplify the administrative experience of managing access. By specifying permissions using attributes, you can reduce the number of distinct permissions that you need for creating fine-grained controls in your AWS account.

For example, instead of creating AWS Identity and Access Management (IAM) roles with distinct policies for every team or individual to ensure the right levels of access, you can use ABAC to group attributes to identify which resources a set of users can access. Then, as you add new users and resources, you can associate the appropriate attributes so that the right users have access to the right resources. It’s no longer necessary to update existing policies to allow new users to access resources. With attribute-based access controls, your authorization strategy can scale at the pace of your innovation.

Benefits

Simplify IAM role management

With ABAC, multiple users using the same IAM role can still get unique, fine-grained access because permissions are based on user attributes. You can define attributes in AWS, or you can pass user attributes from your existing identity provider (IdP) into AWS by using AWS Single Sign-On (AWS SSO), IAM, or Amazon Cognito. You can then author IAM policies to ensure that your users get access to only the AWS resources that have matching attributes. This approach helps you reduce the number of IAM roles you need for the use cases in your AWS account.

Apply fine-grained permissions as resources change

With ABAC, you grant access based on user attributes. You can use attributes you've assigned in AWS, or you can pass in attributes from your IdP and update user attributes in your IdP. Users with specific attributes can immediately access new resources that have matching attributes, which happens without you having to update users’ permissions.

Monitor actions that users have performed

When using ABAC, you can determine which identity is responsible for actions performed using IAM roles. For example, the IAM SourceIdentity attribute is logged in AWS CloudTrail for every action performed in AWS using an IAM role. With the SourceIdentity attribute set, you can connect the CloudTrail event with the identity of the user or application that performed the action. Even in the case of role chaining, where a user uses one IAM role to assume another IAM role, you can determine which identity performed which actions.
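The attribution described above can be checked directly against CloudTrail records. The following is an added example, not AWS code: it groups actions made through IAM role sessions by source identity and flags sessions that carry none. The records, account ID, role names and user names are constructed.

```python
from collections import defaultdict

ACCOUNT = "111122223333"  # constructed account ID

def _event(name, role, source_identity=None):
    """Build a constructed CloudTrail record for an action made with an IAM role session."""
    ctx = {"sessionIssuer": {"type": "Role",
                             "arn": f"arn:aws:iam::{ACCOUNT}:role/{role}"}}
    if source_identity is not None:
        # CloudTrail records the value under userIdentity.sessionContext.sourceIdentity
        ctx["sourceIdentity"] = source_identity
    return {"eventName": name,
            "userIdentity": {"type": "AssumedRole", "sessionContext": ctx}}

# Constructed sample, in time order. Events 2 and 3 are role chaining: the
# Developer session assumes DeployRole and the source identity carries over.
SAMPLE_EVENTS = [
    _event("GetSecretValue", "Developer", "alejandro"),
    _event("AssumeRole", "Developer", "alejandro"),
    _event("RunInstances", "DeployRole", "alejandro"),
    _event("PutSecretValue", "Developer", "mary"),
    _event("DeleteSecret", "Developer"),  # session started without a source identity
]

def attribute_actions(events):
    """Map each source identity to the (eventName, role) pairs it performed."""
    by_identity = defaultdict(list)
    for ev in events:
        identity = ev.get("userIdentity", {})
        if identity.get("type") != "AssumedRole":
            continue  # the source identity is set when a role is assumed
        ctx = identity.get("sessionContext", {})
        # Role sessions without a source identity cannot be tied to a person
        who = ctx.get("sourceIdentity", "UNATTRIBUTED")
        role = ctx.get("sessionIssuer", {}).get("arn", "").rsplit("/", 1)[-1]
        by_identity[who].append((ev["eventName"], role))
    return dict(by_identity)

if __name__ == "__main__":
    for who, actions in attribute_actions(SAMPLE_EVENTS).items():
        print(who, actions)
```

Entries under UNATTRIBUTED are the ones to review: they come from role sessions that were started without a source identity.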

Fundamentals of ABAC for AWS

Access control confidence: Grant the right access to the right things (53:39)

Learn how to use ABAC to set fine-grained permissions that scale with your organization.

ABAC in AWS with AWS SSO and Okta Universal Directory (16:24)

Learn how to implement an ABAC model in AWS by using identity federation with Okta Universal Directory and AWS SSO.

Fine-grained access control with Amazon Cognito identity pools (20:20)

Learn how to implement fine-grained access control with Amazon Cognito identity pools, and watch a demo of using attributes from IdPs.

Use cases

Grant developers read and write access to only their project resources

When permissions are based on user attributes, you can ensure that developers have read and write access to only the resources that belong to their project. If their attribute matches that of the project resources, they are allowed access. Otherwise, they are denied. For example, you can assign developers from two different teams, Alejandro and Mary, to the same IAM role, and then choose the team name attribute for access control. When Alejandro and Mary sign in to the AWS account, the IdP sends their team name attributes in the AWS session, and Alejandro and Mary are granted access to only their team’s project resources. 

Ensure unique permissions when accessing shared resources

ABAC helps to ensure unique permissions while requiring you to create only a minimum number of IAM roles in your AWS account. When permissions are based on user attributes, you can control the level of access a user has to a shared AWS resource. For example, using the same IAM role, you can grant developer John read-only access to an Amazon EC2 instance that developer Saanvi owns, and full access to Saanvi, as long as they are both on the same team. This is because the IAM role’s permissions are based on the team name and created-by attributes, and Saanvi’s created-by attribute matches that of the Amazon EC2 instance, thus giving her full access to manage the instance.

Require developers to tag new resources they create

Attributes are used as tags in AWS to help with the discovery of resources, access, and cost allocation. As a result, it is critical that every resource is tagged as part of its creation. Through ABAC, you can ensure that every new resource has the required set of tags applied as it is created. For example, you can require that when your developer Mateo creates a new secret with AWS Secrets Manager, he adds his project tag to the secret. Without this tag, Mateo is not allowed to create the new secret.
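The project-scoped access and tag-on-create use cases above can be expressed as one policy on the shared role. The following is an added example, not AWS code: POLICY is a constructed policy that uses the aws:PrincipalTag, aws:ResourceTag and aws:RequestTag condition keys, and is_allowed is a simplified model of how its conditions evaluate, not IAM's policy engine. The tag key "project" and the project names are assumptions.

```python
import re

# Constructed identity-based policy for the shared developer role.
# The tag key "project" is an assumption; use your own tag keys.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UseSecretsOfOwnProject", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/project": "${aws:PrincipalTag/project}"}}},
        {"Sid": "CreateOnlyWithOwnProjectTag", "Effect": "Allow",
         "Action": ["secretsmanager:CreateSecret"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:RequestTag/project": "${aws:PrincipalTag/project}"}}},
    ],
}
# Creating a tagged secret also needs secretsmanager:TagResource, which is left
# out here; it needs its own tag conditions, since changing a tag changes who
# has access.

_VAR = re.compile(r"\$\{(.+)\}")  # policy variable such as ${aws:PrincipalTag/project}

def is_allowed(action, ctx):
    """Simplified model: Allow + StringEquals only. ctx maps condition keys to values."""
    for stmt in POLICY["Statement"]:
        if action not in stmt["Action"]:
            continue
        matched = True
        for key, expected in stmt["Condition"]["StringEquals"].items():
            var = _VAR.fullmatch(expected)
            want = ctx.get(var.group(1)) if var else expected
            # A missing principal tag or a missing request/resource tag never matches
            if want is None or ctx.get(key) != want:
                matched = False
        if matched:
            return True
    return False  # no matching Allow: implicit deny

if __name__ == "__main__":
    mateo = {"aws:PrincipalTag/project": "atlas"}
    print(is_allowed("secretsmanager:CreateSecret", mateo))  # untagged create
    print(is_allowed("secretsmanager:CreateSecret",
                     {**mateo, "aws:RequestTag/project": "atlas"}))
```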

Get started

Attribute-based access controls scale with innovation. It's no longer necessary to update existing policies to allow access to new resources.