Attribute-based access control - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Attribute-based access control

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. You can use IAM Identity Center to manage access to your Amazon resources across multiple Amazon Web Services accounts using user attributes that come from any IAM Identity Center identity source. In Amazon, these attributes are called tags. Using user attributes as tags in Amazon helps you simplify the process of creating fine-grained permissions in Amazon and ensures that your workforce gets access only to the Amazon resources with matching tags.

For example, you can assign developers Bob and Sally, who are from two different teams, to the same permission set in IAM Identity Center and then select the team name attribute for access control. When Bob and Sally sign in to their Amazon Web Services accounts, IAM Identity Center sends their team name attribute in the Amazon session so Bob and Sally can access Amazon project resources only if their team name attribute matches the team name tag on the project resource. If Bob moves to Sally’s team in the future, you can modify his access by simply updating his team name attribute in the corporate directory. When Bob signs in next time, he will automatically get access to the project resources of his new team without requiring any permissions updates in Amazon.

This approach also reduces the number of distinct permissions you need to create and manage in IAM Identity Center, because users assigned the same permission set can have different effective permissions based on their attributes. You can use these user attributes in IAM Identity Center permission sets and in resource-based policies to implement ABAC for Amazon resources and simplify permissions management at scale.
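The Bob-and-Sally scenario above hinges on one permission-set policy whose condition compares a tag on the resource with a tag on the principal's session, where the session tag is populated from the user's directory attribute. The following added example (not AWS's own code or documentation) makes that chain concrete: a permission-set inline policy written with the real IAM condition keys `aws:ResourceTag/<key>` and `aws:PrincipalTag/<key>`, a constructed directory and attribute mapping, and a deliberately minimal evaluator that simulates only IAM's `StringEquals` matching for these keys (it is a teaching model, not the IAM policy engine). The directory entries, the `department` source field, the team names and the EC2 actions are all constructed for illustration.

```python
"""ABAC simulation: directory attribute -> session tag -> policy condition.

Added example, not AWS code. Policy keys are real IAM condition keys; the
evaluator is a minimal model of StringEquals matching, not the IAM engine.
"""
import re

# One permission set serves every developer. The policy never names a team:
# ${aws:PrincipalTag/team} is resolved per session from the user's attribute.
PERMISSION_SET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TeamScopedInstanceControl",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}
            },
        }
    ],
}

# Attributes-for-access-control mapping (constructed): the session tag "team"
# is sourced from the directory's "department" field.
ACCESS_CONTROL_ATTRIBUTES = {"team": "department"}

# Constructed corporate directory; changing a record here is the only
# "permissions update" needed when someone changes teams.
DIRECTORY = {
    "bob": {"department": "payments"},
    "sally": {"department": "fraud"},
}

PRINCIPAL_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def session_tags(username):
    """Build the session tags IAM Identity Center would send, via the mapping."""
    user = DIRECTORY[username]
    return {key: user[source] for key, source in ACCESS_CONTROL_ATTRIBUTES.items()}


def resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/x}; a missing tag makes the value unresolvable."""
    missing = False

    def repl(match):
        nonlocal missing
        tag = principal_tags.get(match.group(1))
        if tag is None:
            missing = True
            return ""
        return tag

    resolved = PRINCIPAL_TAG_VAR.sub(repl, value)
    return None if missing else resolved


def condition_matches(condition, principal_tags, resource_tags):
    """Model StringEquals over aws:ResourceTag/* and aws:PrincipalTag/* only.

    An untagged resource or an unresolvable variable never matches, which is
    the safe default: no tag, no access.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key.startswith("aws:ResourceTag/"):
                actual = resource_tags.get(key[len("aws:ResourceTag/"):])
            elif key.startswith("aws:PrincipalTag/"):
                actual = principal_tags.get(key[len("aws:PrincipalTag/"):])
            else:
                raise NotImplementedError(f"condition key not modelled: {key}")
            wanted = resolve(expected, principal_tags)
            if actual is None or wanted is None or actual != wanted:
                return False
    return True


def is_allowed(policy, principal_tags, action, resource_tags):
    """Default deny: access requires an Allow statement whose action and condition match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False


def can_user_act(username, action, resource_tags, policy=PERMISSION_SET_POLICY):
    """Decide whether a named directory user may perform action on a tagged resource."""
    return is_allowed(policy, session_tags(username), action, resource_tags)


if __name__ == "__main__":
    payments_instance = {"team": "payments"}
    print("bob stops payments instance:", can_user_act("bob", "ec2:StopInstances", payments_instance))
    print("sally stops payments instance:", can_user_act("sally", "ec2:StopInstances", payments_instance))
    # Bob moves to Sally's team: only the directory record changes, not the policy.
    DIRECTORY["bob"]["department"] = "fraud"
    print("bob stops payments instance after move:", can_user_act("bob", "ec2:StopInstances", payments_instance))
    print("bob stops fraud instance after move:", can_user_act("bob", "ec2:StopInstances", {"team": "fraud"}))
```

Two behaviours of the model are worth noticing when designing real ABAC policies: a resource with no `team` tag is denied to everyone, so tagging discipline at resource creation is what makes the approach safe rather than merely convenient, and a user whose directory attribute is unmapped yields no session tag, so the variable cannot resolve and the statement cannot grant access.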

Benefits

The following are additional benefits of using ABAC in IAM Identity Center.

  • ABAC requires fewer permission sets – Because you don't have to create different policies for different job functions, you create fewer permission sets. This reduces your permissions management complexity.

  • Using ABAC, teams can change and grow quickly – Permissions for new resources are automatically granted based on attributes when resources are appropriately tagged upon creation.

  • Use employee attributes from your corporate directory with ABAC – You can use existing employee attributes from any identity source configured in IAM Identity Center to make access control decisions in Amazon.

  • Track who is accessing resources – Security administrators can easily determine the identity of a session by reviewing the user attributes in Amazon CloudTrail to track user activity in Amazon.

For information about how to configure ABAC using the IAM Identity Center console, see Attributes for access control. For information about how to enable and configure ABAC using the IAM Identity Center APIs, see CreateInstanceAccessControlAttributeConfiguration in the IAM Identity Center API Reference Guide.