Checklist: Configuring ABAC in Amazon using IAM Identity Center
This checklist includes the configuration tasks that are necessary to prepare your Amazon resources and to set up IAM Identity Center for ABAC access. Complete the tasks in this checklist in order. When a reference link takes you to another topic, return to this topic so that you can proceed with the remaining tasks in the checklist.
| Step | Task | Reference |
|---|---|---|
| 1 | Review how to add tags to all your Amazon resources. To implement ABAC in IAM Identity Center, you first need to add tags to all the Amazon resources that you want to control with ABAC. | |
| 2 | Review how to configure your identity source in IAM Identity Center with the associated user identities and attributes in your identity store. IAM Identity Center lets you use user attributes from any supported IAM Identity Center identity source for ABAC in Amazon. | |
| 3 | Based on the criteria for your environment, determine which attributes you want to use for making access control decisions in Amazon and send them to IAM Identity Center. | |
| 4 | Select the attributes to use for ABAC on the Attributes for access control page in the IAM Identity Center console. From this page you can select attributes for access control from the identity source that you configured in step 2. After your identities and their attributes are in IAM Identity Center, you must create key-value pairs (mappings) that are passed to your Amazon Web Services accounts for use in access control decisions. | |
| 5 | Create custom permissions policies within your permission set and use access control attributes to create ABAC rules so that users can only access resources with matching tags. The user attributes that you configured in step 4 are used as tags in Amazon for access control decisions. You can refer to the access control attributes in the permissions policy using the | |
| 6 | In your various Amazon Web Services accounts, assign users to the permission sets you created in step 5. Doing so ensures that when they federate into their accounts and access Amazon resources, they only get access based on matching tags. | |
After you complete these steps, users who federate into an Amazon Web Services account using single sign-on will get access to their Amazon resources based on matching attributes.
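The following added example (not from this checklist) shows what the step 5 permission-set policy looks like and how its tag-matching rule behaves. It assumes an access control attribute and a resource tag both named `CostCenter`, and EC2 instance actions; both are constructed for illustration.

```python
"""Permission-set policy for IAM Identity Center ABAC (added example).

Assumptions, not taken from the checklist: the access control attribute mapped
in step 4 and the resource tag added in step 1 are both named "CostCenter",
and the policy scopes EC2 instance actions.
"""
import json

ATTRIBUTE_KEY = "CostCenter"  # assumed attribute / tag name


def abac_policy(tag_key: str = ATTRIBUTE_KEY) -> dict:
    """Return a permissions policy that allows the listed actions only on
    resources whose tag value equals the caller's attribute of the same name.
    The attribute reaches the account as a principal tag, so the policy
    compares aws:ResourceTag/<key> against ${aws:PrincipalTag/<key>}."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyMatchingTag",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {
                f"aws:ResourceTag/{tag_key}": f"${{aws:PrincipalTag/{tag_key}}}"
            }},
        }],
    }


def condition_matches(policy: dict, principal_tags: dict, resource_tags: dict) -> bool:
    """Evaluate the policy's StringEquals tag conditions the way the ABAC rule
    intends. A tag missing on either side fails the match, which is the
    fail-closed behaviour you want: an untagged resource, or a user whose
    attribute was never mapped in step 4, gets no access."""
    for stmt in policy["Statement"]:
        for res_key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            tag = res_key.removeprefix("aws:ResourceTag/")
            ref = expected.removeprefix("${aws:PrincipalTag/").rstrip("}")
            if tag not in resource_tags or ref not in principal_tags:
                return False
            if resource_tags[tag] != principal_tags[ref]:
                return False
    return True


if __name__ == "__main__":
    print(json.dumps(abac_policy(), indent=2))
```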