Amazon Onboarding with Learning Manager Chanci Turner


We are excited to announce a new feature that allows you to utilize attribute-based access control (ABAC) with AWS Single Sign-On (SSO). This enhancement enables centralized management of account access while leveraging the flexibility of AWS SSO, Active Directory, or an external identity provider for user authentication. For further insights into the benefits of ABAC policies on AWS, I recommend checking out this blog post.

Overview

System administrators can configure user attributes within the AWS SSO identity repository or the managed Active Directory. Additionally, it’s possible to set up an external identity provider—such as Azure AD, Okta, OneLogin, or Ping Identity—to transmit user attributes during AWS session federations. These attributes are referred to as session tags in AWS. Cloud administrators can then establish precise permission policies to ensure that users access only those cloud resources that have corresponding resource tags.

By creating policies that align with user attributes rather than functional roles, you can minimize the number of distinct permissions and roles within your AWS environment. For instance, when developers Jake from team red and Emma from team blue log into AWS and assume the same AWS Identity and Access Management (IAM) role, they receive different permissions based on the project resources tagged for their respective teams. The identity system sends the team name attribute during their AWS session. Consequently, if Jake transitions to team blue and his team name is updated in the identity provider directory, he automatically gains access to team blue’s project resources without needing any IAM permission adjustments.

How to Configure AWS SSO for User Attributes

Before setting up AWS SSO, there are two crucial aspects to consider. Firstly, ABAC can work with attributes from any configured identity source in AWS SSO: AWS SSO itself, a managed Active Directory, or an external identity provider. Secondly, there are two methods to pass attributes for access control to AWS SSO. You can either directly include attributes in the SAML assertion using the prefix https://aws.amazon.com/SAML/Attributes/AccessControl or utilize attributes from the AWS SSO identity store.

For this demonstration, I will utilize an external identity provider along with SCIM.

To enable ABAC in AWS using AWS SSO, follow these three steps:

  1. Configure your identity source with the necessary user identities and attributes in the external identity provider. Currently, AWS SSO supports identity synchronization via SCIM with Azure AD, Okta, OneLogin, and Ping Identity. For the latest updates, refer to this page. The specifics will depend on the identity provider.
  2. Set up the SCIM attributes intended for access control using the new Access Control Attributes setting in the AWS SSO console or API. This page allows the selection of attributes for access control from the identity source configured in step 1.
  3. Define ABAC rules through permission sets and resource-based policies utilizing the attributes established in step 2. This setup ensures that when your workforce federates into an AWS account via SSO, they gain access to AWS resources based on matching attributes.

Attributes are transmitted as session tags in the format of comma-separated key:value pairs, with a total length not exceeding 460 characters.

What Does a Policy Look Like?

You can incorporate user attributes in your permission sets using the aws:PrincipalTag condition key when establishing access control rules. For instance, you might tag all resources in your organization by department name and apply a single permission set that grants developers access exclusively to their department’s resources. Consequently, when developers log into the AWS account, AWS SSO generates a department session tag reflecting the value received from the identity provider. Security policies restrict their access to resources belonging to their respective department. As the team expands, you only need to tag resources with the correct department name, allowing new developers to manage resources relevant to their department without necessitating permission updates.

An example of an ABAC SSO permission set policy might look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"
                }
            }
        }
    ]
}

This policy permits any user to call DescribeInstances, but only principals whose Department session tag (aws:PrincipalTag/Department) matches the instance's Department resource tag can start or stop that instance.
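To make the evaluation concrete, here is an added example (not AWS code or the original post's) that traces the permission set above against constructed session tags and resource tags. It models only the policy features the page uses: Allow statements, Resource "*", and a StringEquals condition comparing ec2:ResourceTag/<Key> with ${aws:PrincipalTag/<Key>}.

```python
"""Offline trace of the department-scoped permission set shown above.
Added example, not AWS code. Tag values are constructed."""
import json
import re

POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "*",
     "Condition": {"StringEquals": {
       "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}}
  ]
}""")

PRINCIPAL_VAR = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")

def condition_met(condition, session_tags, resource_tags):
    """StringEquals over resource tags; ${aws:PrincipalTag/X} is filled
    from the caller's session tags. If the identity provider did not send
    tag X, the variable stays unresolved and the condition fails."""
    for key, expected in condition.get("StringEquals", {}).items():
        resource_key = key.removeprefix("ec2:ResourceTag/")
        var = PRINCIPAL_VAR.match(expected)
        wanted = session_tags.get(var.group(1)) if var else expected
        if wanted is None or resource_tags.get(resource_key) != wanted:
            return False
    return True

def is_allowed(policy, action, session_tags, resource_tags):
    """True if some Allow statement names the action and its condition
    holds; anything not explicitly allowed is denied (IAM's default)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if condition_met(stmt.get("Condition", {}), session_tags, resource_tags):
            return True
    return False

if __name__ == "__main__":
    jake, emma = {"Department": "red"}, {"Department": "blue"}
    red_instance = {"Department": "red"}
    print(is_allowed(POLICY, "ec2:StartInstances", jake, red_instance))  # True
    print(is_allowed(POLICY, "ec2:StartInstances", emma, red_instance))  # False
```

Moving Jake to team blue is just a change to his Department attribute in the identity provider; re-running the trace with `{"Department": "blue"}` flips the result without touching the policy.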

To attach this policy to an AWS account’s permission set, navigate to the AWS Single Sign-On console, select AWS Accounts, and click on the Permission sets tab. From there, create a new permission set and select “Create a custom permissions policy.” You can then copy and paste the earlier policy that allows starting and stopping EC2 instances based on department name. After reviewing your configuration, click Create, and you are set.

If you have existing federation configured with AWS Security Token Service, please note that external identity providers view AWS SSO as a new application configuration. Transitioning from direct IAM federation to AWS SSO requires updating your external identity provider to connect with AWS SSO and include attributes as session tags.

Available Today

There are no additional charges for configuring user attributes with AWS Single Sign-On. You can start using this feature now across all AWS Regions where AWS SSO is supported.
