By using AWS re:Post, you agree to the AWS re:Post Terms of Use

ABAC with IAM Identity Center users (no external idP)

0

The AWS Identity Center documentation describes how to do attribute mapping from Azure AD or other external idP. We want to keep our user db in Identity Center but there seems to be no documentation on mapping those attributes.

User tagging is unfortunately not supported (?) but we could probably get by with the User Type, Departement etc that is available in Identity Center if it was possible to map them.

Is there any way to use tagging on the Permission Set for ABAC? Can it be used for anything?

Has anyone succeeded?

Thanks Thomas

asked a month ago43 views
3 Answers
0
Accepted Answer

probably get by with the User Type, Departement etc that is available in Identity Center if it was possible to map them

Yes this is possible. I feel your pain here. I have no idea why this is made so hard. I got this working with userType. When configured, I could enter any value for the userType attribute and add that as a condition within an IAM policy. I then used the IAM policy as input to a permission set. At this point, when the user logs in they only get access to the policy actions for the specified value. Is this close to what you want?

And yes this was painful to get working.

Note: I wish I could add a couple of images here without having them on a website:-)

Steps

  1. Go to Identity center and find the Attributes for Access Control page. On that page add an attribute with userType for the key and ${path:userType} for the value. I recommend using what I specified here until you get it working.
  2. Go to your user and add mediajob for the User Type value.
  3. Next find your IAM policy and add a Request condition of awsPrincipalTag/userType = mediajob where mediajob is the actual value you specified in the User type value field for your user.
  4. Make the permission set with your policy. 5.Test it works and change the userType for a negative test.

Good luck. Hopefully I didn't goof when typing on my iPhone. Let me know how it worked.

answered a month ago
0

You're correct that the documentation primarily focuses on attribute mapping from external identity providers (IdPs) like Azure AD. However, it is possible to use Attribute-Based Access Control (ABAC) with IAM Identity Center users without an external IdP. Here's how you can approach this:

  1. Using IAM Identity Center as the identity source: When using IAM Identity Center as your identity source, you can indeed use the built-in attributes like User Type and Department for ABAC. While user tagging is not directly supported, these built-in attributes can serve a similar purpose for access control.

To use these attributes:

  • First, add users and configure their attributes in IAM Identity Center.
  • Then, go to the "Attributes for access control" page in the IAM Identity Center console.
  • Select the attributes you want to use for access control.
  • Finally, create or edit permission sets to use these attributes for ABAC.
  1. Permission Set tagging: Regarding tagging on Permission Sets, it is possible to add tags to Permission Sets. However, these tags are primarily used for resource organization and cost allocation, not for ABAC directly. The ABAC functionality in IAM Identity Center is focused on using user attributes to control access to AWS resources, rather than using tags on the Permission Sets themselves.

  2. Implementing ABAC: To implement ABAC using IAM Identity Center attributes:

  • Ensure your AWS resources are properly tagged to match the attributes you're using.
  • Create custom permissions policies in the IAM Identity Center console that use these attributes.
  • Assign users to these policies in AWS accounts based on their attributes.

While the documentation may not explicitly cover this scenario, the principles of ABAC still apply when using IAM Identity Center as your identity source. The key is to leverage the built-in attributes effectively in your permission policies.

It's worth noting that while this approach can work, using an external IdP or AWS Managed Microsoft AD often provides more flexibility in terms of attribute management and mapping. If you find the built-in attributes limiting, you might consider exploring these options in the future.

Remember to thoroughly test your ABAC implementation to ensure it's working as expected and providing the right level of access control for your users.

Sources
Attribute-based access control - AWS IAM Identity Center
Attributes for access control - AWS IAM Identity Center
Checklist: Configuring ABAC in AWS using IAM Identity Center - AWS IAM Identity Center
Manage identities in IAM Identity Center - AWS IAM Identity Center

profile picture
answered a month ago
profile picture
EXPERT
reviewed a month ago
  • This post still does not provide the "Value" field for the "Attributes for Access Control" config. Also the autocomplete for that field does not list UserType, Department etc. That is the crucial missing piece of information.

0

Hi Allen, Thanks for sharing your experience. I had actually done almost exactly the same (but with attribute name UserType, should not matter as long as the policy follows) but failed to make it work the first time around. Your post made me revisit and then success.

I wonder if there are some delays that make the testing difficult or if I made a mistake in the IAM policy. Anyway, here is an exact known good setup (note that I named the attribute UserType instead of userType):

Identity center - Attributes for Access Control

Example policy statement:

            {
              "Sid": "SampleAttributeConditionIdentityCenter",
              "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetObject"
              ],
              "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
              ],
              "Effect": "Allow",
              "Condition": {
                "StringEquals": {
                  "aws:PrincipalTag/UserType": "Elevated"
                }
              }
            }

Next step is to combine with ec2:ResourceTag etc to achieve ABAC.

I hope the Identity Center documentation could actually document the attribute mapping values in the future.

answered a month ago
  • Re:

    I wonder if there are some delays that make the testing difficult or if I made a mistake in the IAM policy.

    I had the same issue/question. Think about this -- yes, I think there is a "delay." But not really. When you get a token it defines the privileges. The token is valid until it expires or you as admin revoke the session. The S3 API, which looks like you and I are both using, has a cache and doesn't keep asking the same question until it needs to.

    Since you are using "Elevated" as value there Re examples of how to do elevation with an MFA code. Haven't tried it but....

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions