# Attributes for access control **Attributes for access control** is the name of the page in the IAM Identity Center console where you select user attributes that you want to use in policies to control access to resources. You can assign users to workloads in Amazon based on existing attributes in the users' identity source. For example, suppose you want to assign access to S3 buckets based on department names. While on the **Attributes for access control** page, you select the **Department** user attribute for use with attribute-based access control (ABAC). In the IAM Identity Center permission set, you then write a policy that grants users access only when the **Department** attribute matches the department tag that you assigned to your S3 buckets. IAM Identity Center passes the user's department attribute to the account being accessed. The attribute is then used to determine access based on the policy. For more information about ABAC, see [Attribute-based access control](abac.md). ## Getting started How you get started configuring attributes for access control depends on which identity source you are using. Regardless of the identity source you choose, after you have selected your attributes you need to create or edit permission set policies. These policies must grant user identities access to Amazon resources. ### Choosing attributes when using IAM Identity Center as your identity source When you configure IAM Identity Center as the identity source, you first add users and configure their attributes. Next, navigate to the **Attributes for access control** page and select the attributes you want to use in policies. Finally, navigate to the **Amazon Web Services accounts** page to create or edit permission sets to use the attributes for ABAC. ### Choosing attributes when using Amazon Managed Microsoft AD as your identity source When you configure IAM Identity Center with Amazon Managed Microsoft AD as your identity source, you first map a set of attributes from Active Directory to user attributes in IAM Identity Center. Next, navigate to the **Attributes for access control** page. Then choose which attributes to use in your ABAC configuration based on the existing set of SSO attributes mapped from Active Directory. Finally, author ABAC rules using the access control attributes in permission sets to grant user identities access to Amazon resources. For a list of the default mappings for user attributes in IAM Identity Center to the user attributes in your Amazon Managed Microsoft AD directory, see [Default mappings between IAM Identity Center and Microsoft AD](attributemappingsconcept.md#defaultattributemappings). ### Choosing attributes when using an external identity provider as your identity source When you configure IAM Identity Center with an external identity provider (IdP) as your identity source, there are two ways to use attributes for ABAC. + You can configure your IdP to send the attributes through SAML assertions. In this case, IAM Identity Center passes the attribute name and value from the IdP through for policy evaluation. **Note** Attributes in SAML assertions will not be visible to you on the **Attributes for access control** page. You will have to know these attributes in advance and add them to access control rules when you author policies. If you decide to trust your external IdPs for attributes, then these attributes will always be passed when users federate into Amazon Web Services accounts. In scenarios where the same attributes are coming to IAM Identity Center through SAML and SCIM, the SCIM attributes value take precedence in access control decisions. + You can configure which attributes you use from the **Attributes for access control** page in the IAM Identity Center console. The attributes values that you choose here replace the values for any matching attributes that come from an IdP through an assertion. Depending on whether you are using SCIM, consider the following: + If using SCIM, the IdP automatically synchronizes the attribute values into IAM Identity Center. Additional attributes that are required for access control might not be present in the list of SCIM attributes. In that case, consider collaborating with the IT admin in your IdP to send such attributes to IAM Identity Center via SAML assertions using the required `https://aws.amazon.com/SAML/Attributes/AccessControl:` prefix. For information about how to configure user attributes for access control in your IdP to send through SAML assertions, see the [IAM Identity Center identity source tutorials](tutorials.md) for your IdP. + If you are not using SCIM, you must manually add the users and set their attributes just as if you were using IAM Identity Center as an identity source. Next, navigate to the **Attributes for access control** page and choose the attributes you want to use in policies. For a complete list of supported attributes for user attributes in IAM Identity Center to the user attributes in your external IdPs, see [Supported external identity provider attributes](attributemappingsconcept.md#supportedidpattributes). To get started with ABAC in IAM Identity Center, see the following topics. **Topics** + [ ## Getting started ](#abac-getting-started) + [ # Enable and configure attributes for access control ](configure-abac.md) + [ # Create permission policies for ABAC in IAM Identity Center ](configure-abac-policies.md) # Enable and configure attributes for access control To use attribute-based access control (ABAC), you must first enable it in either the **Settings** page of the IAM Identity Center console or the [IAM Identity Center API](https://docs.amazonaws.cn//singlesignon/latest/APIReference/API_CreateInstanceAccessControlAttributeConfiguration.html). Regardless of the identity source, you can always configure user attributes from the Identity Store for use in ABAC. In the console, you can do this by navigating to the **Attributes for access control** tab on the **Settings** page. If you use an external identity provider (IdP) as the identity source, you also have the option of receiving attributes from the external IdP in SAML assertions. In this case, you need to configure the external IdP to send the desired attributes. If an attribute from a SAML assertion is also defined as an ABAC attribute in IAM Identity Center, IAM Identity Center will send the value from its Identity Store as a [session tag](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_session-tags.html) on sign-in to an Amazon Web Services account. **Note** You cannot view attributes configured and sent by an external IdP from the **Attributes for access control** page in the IAM Identity Center console. If you are passing access control attributes in the SAML assertions from your external IdP, then those attributes are directly sent to the Amazon Web Services account when users federate in. The attributes won’t be available in IAM Identity Center for mapping. **Topics** + [ # Enable attributes for access control ](enable-abac.md) + [ # Select your attributes for access control ](configure-abac-attributes.md) + [ # Disable attributes for access control ](disable-abac.md) # Enable attributes for access control Use the following procedure to enable the attributes for access (ABAC) control feature using the IAM Identity Center console. **Note** If you have existing permission sets and you plan to enable ABAC in your IAM Identity Center instance, additional security restrictions require you to first have the `iam:UpdateAssumeRolePolicy` policy. These additional security restrictions are not required if you do not have any permission sets created in your account. If your IAM Identity Center instance was created before December 2020 and you plan to enable ABAC in it, you must have the `iam:UpdateAssumeRolePolicy` policy associated with the IAM Identity Center administrative role, regardless of whether you have permission sets created in your account. **To enable Attributes for access control** 1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon). 1. Choose **Settings** 1. On the **Settings** page, locate the **Attributes for access control** information box, and then choose **Enable**. Continue to the next procedure to configure it. # Select your attributes for access control Use the following procedure to set up attributes for your ABAC configuration. **To select your attributes using the IAM Identity Center console** 1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon). 1. Choose **Settings** 1. On the **Settings** page, choose the **Attributes for access control** tab, and then choose **Manage attributes**. 1. On the **Attributes for access control** page, choose **Add attribute** and enter the **Key** and **Value** details. This is where you will be mapping the attribute coming from your identity source to an attribute that IAM Identity Center passes as a session tag. ![\[Key value details in the IAM Identity Center console.\]](http://docs.amazonaws.cn/en_us/singlesignon/latest/userguide/images/abac_key_value.png) **Key** represents the name you are giving to the attribute for use in policies. This can be any arbitrary name, but you need to specify that exact name in the policies you author for access control. For example, lets say that you are using Okta (an external IdP) as your identity source and need to pass your organization's cost center data along as session tags. In **Key**, you would enter a similarly matched name like **CostCenter** as your key name. It's important to note that whichever name you choose here, it must also be named exactly the same in your `aws:PrincipalTag condition key` (that is, `"ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"`). **Note** Use a single-value attribute for your key, for example, **Manager**. IAM Identity Center doesn't support multi-value attributes for ABAC, for example, **Manager, IT Systems**. **Value** represents the content of the attribute coming from your configured identity source. Here you can enter any value from the appropriate identity source table listed in [Attribute mappings between IAM Identity Center and External Identity Providers directory](attributemappingsconcept.md). For example, using the context provided in the above mentioned example, you would review the list of supported IdP attributes and determine that the closest match of a supported attribute would be **`${path:enterprise.costCenter}`** and you would then enter it in the **Value** field. See the screenshot provided above for reference. Note, that you can’t use external IdP attribute values outside of this list for ABAC unless you use the option of passing attributes through the SAML assertion. 1. Choose **Save changes**. Now that you have configured mapping your access control attributes, you need to complete the ABAC configuration process. To do this, create your ABAC rules and add them to your permission sets and/or resource-based policies. This is required so that you can grant user identities access to Amazon resources. For more information, see [Create permission policies for ABAC in IAM Identity Center](configure-abac-policies.md). # Disable attributes for access control Use the following procedure to disable the ABAC feature and delete all of the attribute mappings that have been configured. **To disable Attributes for access control** 1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon). 1. Choose **Settings**. 1. On the **Settings** page, choose the **Attributes for access control** tab, and then choose **Manage attributes**. 1. On the **Manage attributes for access control** page, choose **Disable**. 1. In the **Disable attributes for access control** dialog window, review the information and when ready enter **DISABLE**, and then choose **Confirm**. **Important** This step deletes all attributes and stops the use of attributes for access control when federating into Amazon Web Services accounts regardless of whether any attributes are present in SAML assertions from an external identity source provider. # Create permission policies for ABAC in IAM Identity Center Create permission policies for ABAC You can create permissions policies that determine who can access your Amazon resources based on the configured attribute value. When you enable ABAC and specify attributes, IAM Identity Center passes the attribute value of the authenticated user into IAM for use in policy evaluation. ## aws:PrincipalTag condition key You can use access control attributes in your permission sets using the `aws:PrincipalTag` condition key for creating access control rules. For example, in the following policy you can tag all the resources in your organization with their respective cost centers. You can also use a single permission set that grants developers access to their cost center resources. Now, whenever developers federate into the account using single sign-on and their cost center attribute, they only get access to the resources in their respective cost centers. As the team adds more developers and resources to their project, you only have to tag resources with the correct cost center. Then you pass cost center information in the Amazon session when developers federate into Amazon Web Services accounts. As a result, as the organization adds new resources and developers to the cost center, developers can manage resources aligned to their cost centers without needing any permission updates. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances" ], "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}" } } } ] } ``` ------ For more information, see [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag) and [EC2: Start or stop instances based on matching principal and resource tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2-start-stop-match-tags.html) in the *IAM User Guide*. If policies contain invalid attributes in their conditions, then the policy condition will fail and access will be denied. For more information, see [Error 'An unexpected error has occurred' when a user tries to sign in using an external identity provider](troubleshooting.md#issue8).