ABAC conditional permissions

Question

Hi,

I'm looking for an example of granting permissions based on tags for two different users- admins and team members. Besides access to team resources the admin would be able to administer the team's resources.

Rather than creating a separate role for each, I'd like to follow the ABAC model and conditionally provision permissions based on the user's function in a single policy. I could instead create multiple policies and attach them to a role that the users can assume but it seems cleaner to do it in one policy.

I think this is the correct approach and would expect it to be a common use case but I haven't found a policy example.

thanks,
n.

Answer

The IAM docs have a decent walkthrough involving ABAC that meets your use-case. It leverages a single policy that is applied to multiple principals which have tags that define their access level and provides condition access only when the tags applied to the principal (user or role) match with tags associated with the resource (or passed in the request to create/modify) the resource. The caveat being that you must plan out your tagging strategy and apply tags to your resources and principals that can be evaluated during authorization.

Step 2 of the following tutorial shows an example of a policy that may be helpful for you. https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html

Step 2 of the following tutorial shows an example of a policy that may be helpful for you. 
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html

ABAC conditional permissions

関連するコンテンツ