How to create true attribute based access controls with IAM

Question

I want to be able to implement Attribute Based Access Controls on a complex data system.
To implement this, I want to use a dynamic verification ideally completely in IAM to preserve performance.
For example:
Person A has been given permissions to see objects with Green, Purple and Blue categories, but cannot see objects that have a Vehicle category.
Person B can see Purple and Vehicle but cannot see Green or Blue.
Object A is stored in the Vehicle category S3 and is also contains Blue data.

We initially looked at tags, but the customer currently manages thousands of tags and that equates to billions of potential tag combinations - and this number is always growing.

I am looking for a clean way to implement this access control that would meet these requirements.

Answer

ABAC in AWS is implemented using tags on service resources and IAM principals and then referencing these tags in conditions in IAM policies. You can find services that support ABAC here: [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). From this doc:

```
ABAC (authorization based on tags) – To control access based on tags, you provide tag information in the condition element of a policy using the aws:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. If a service supports all three condition keys for every resource type, then the value is Yes for the service. If a service supports all three condition keys for only some resource types, then the value is Partial. 
```
[IAM tutorial: Define permissions to access AWS resources based on tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)

How to create true attribute based access controls with IAM

Relevant content