Attribute-Based Access Control (ABAC) for AWS

When you base permissions on user attributes, you can ensure that developers and workloads have read and write access to only the resources that belong to their projects. If developers’ or workloads’ attributes match those of the project resources, the developers or workloads are allowed access. Otherwise, they are denied. For example, you can assign developers from two different teams, Alejandro and Mary, to the same IAM role, and then choose the team name attribute for access control. When Alejandro and Mary sign in to AWS, their identity provider (IdP) sends their team name as an attribute in the AWS session, and Alejandro and Mary are granted access to only their team’s project resources as indicated by the tags on those resources.

Mary and Alejandro also could be restricted to create IAM roles that have their respective team name set as a tag, so workloads they create on AWS can access only the resources that belong to their teams.

When you base permissions on attributes, you can control the level of access a user has to shared AWS resources. For example, by using the same IAM role, you can grant one developer, John, read-only access to an AWS Secrets Manager secret owned by another developer, Saanvi, on his same team because John’s team attribute is equal to the team tag on Saanvi’s secret. This is possible because their IAM role’s permissions are based on a team name attribute. The secret instance may be tagged as created by Saanvi, so she is granted full access to the secret.

Because entitlements are based on the human user’s attributes and not their role’s permissions, John and Saanvi might be granted the same level of access to that secret across different roles.

In addition to storing user credentials, your corporate directory stores user attributes such as cost center, department, and email address. You can configure your IdP to pass in user attributes from your corporate directory as tags in federated AWS sessions.

For example, you can leverage user attributes such as login and department to control access to your EC2 instances and Systems Manager Session Manager.

Your IdP also can include information about the user’s authorization context as attributes in AWS. This information can include elements such as whether the user used multi-factor authentication to authenticate to your IdP.

If you use AWS IAM Identity Center (successor to AWS SSO) to authenticate to your AWS accounts, you also can use ABAC whether or not your AWS SSO instance is connected to an external directory or used standalone.

You can use tags to manage and secure access to more types of IAM resources, such as customer managed IAM policies, Security Assertion Markup Language (SAML) providers, and IAM principals (users and roles). Administrators can assign tags to IAM resources to identify resource owners and grant fine-grained access to these resources at scale by using ABAC. For example, a developer can be blocked from creating, modifying, or attaching IAM policies if their attributes don’t match assigned tags.

Attributes are used as tags in AWS to help with the discovery, access, and cost allocation of resources. As a result, it is critical that every resource is tagged as part of its creation. Through ABAC, you can ensure that every new resource has the required set of tags applied when it is created. For example, you can require that when your developer Mateo creates a new secret with AWS Secrets Manager, he adds his project tag to the secret. Without this tag, Mateo is not allowed to create the new secret.