User Tools
Sidebar
aws:sso-abac
Table of Contents
AWS Single Sign-On ABAC
Prerequisites / Assumptions
- An external IdP (Azure AD, Okta, G-Suite) is already integrated and working with AWS SSO
- AWS SSO and permission sets are being used to access AWS accounts
- <TAGNAME> is IdP attribute name (Department)
- <TAGVALUE> is IdP attribute value (Marketing)
IdP
- Map IdP attribute to app (AWS SSO) attribute in the following format
https://aws.amazon.com/SAML/Attributes/AccessControl:<TAGNAME>
IdP with SCIM
- Verify in AWS SSO user list attribute was updated with desired value
IdP without SCIM
- Manually update attribute in AWS SSO user list
AWS SSO
- Enable
Settings - Identity Source - Attributes for access control - Create permission set that compares resource tag value to user attribute value with IAM policy condition
"Condition": { "StringEquals": { "ec2:ResourceTag/<TAGNAME>": "${aws:PrincipalTag/<TAGNAME>}" } }- For an AWS account apply the new permission set to a user / group
AWS SSO Optional
If you need a user attribute as a principal tag and can't update the IdP to to pass the attribute as an access control. You can add the key value mapping to the Attributes for access control. For this to work the attribute value must be show in the AWS SSO users information.
| Key | Value |
|---|---|
| Username | ${path:userName} |
Validate
- Use CloudTrail to search for the event name “AssumeRoleWithSAML”
- For an event, verify the user attribute name and value are passed as a SAML session tag (principalTags)
{ "requestParameters": { "principalTags": { "<TAGNAME>": "<TAGVALUE>" } } }
Reference Links
aws/sso-abac.txt · Last modified: 2022/07/21 10:41 by 127.0.0.1
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
