• An external IdP (Azure AD, Okta, G-Suite) is already integrated and working with AWS SSO
• AWS SSO and permission sets are being used to access AWS accounts
• <TAGNAME> is IdP attribute name (Department)
• <TAGVALUE> is IdP attribute value (Marketing)

• Map IdP attribute to app (AWS SSO) attribute in the following format

• https://aws.amazon.com/SAML/Attributes/AccessControl:<TAGNAME>

• Verify in AWS SSO user list attribute was updated with desired value

• Manually update attribute in AWS SSO user list

• Enable Settings - Identity Source - Attributes for access control
• Create permission set that compares resource tag value to user attribute value with IAM policy condition

• "Condition": {
      "StringEquals": {
          "ec2:ResourceTag/<TAGNAME>": "${aws:PrincipalTag/<TAGNAME>}"
      }
  }

• For an AWS account apply the new permission set to a user / group

If you need a user attribute as a principal tag and can't update the IdP to to pass the attribute as an access control. You can add the key value mapping to the Attributes for access control. For this to work the attribute value must be show in the AWS SSO users information.

• Use CloudTrail to search for the event name “AssumeRoleWithSAML”
• For an event, verify the user attribute name and value are passed as a SAML session tag (principalTags)

• {
      "requestParameters": {
          "principalTags": {
              "<TAGNAME>": "<TAGVALUE>"
          }
      }
  }

Reference Links

• https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html
• https://docs.aws.amazon.com/singlesignon/latest/userguide/azure-ad-idp.html
• https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac-policies.html
• https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html