By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

ABAC conditional permissions

0

Hi,

I'm looking for an example of granting permissions based on tags for two different users- admins and team members. Besides access to team resources the admin would be able to administer the team's resources.

Rather than creating a separate role for each, I'd like to follow the ABAC model and conditionally provision permissions based on the user's function in a single policy. I could instead create multiple policies and attach them to a role that the users can assume but it seems cleaner to do it in one policy.

I think this is the correct approach and would expect it to be a common use case but I haven't found a policy example.

thanks, n.

Topics
Security, Identity, & Compliance
Tags
IAM Policies
Language
English
ntuple
asked 2 years ago199 views
1 Answer
0

The IAM docs have a decent walkthrough involving ABAC that meets your use-case. It leverages a single policy that is applied to multiple principals which have tags that define their access level and provides condition access only when the tags applied to the principal (user or role) match with tags associated with the resource (or passed in the request to create/modify) the resource. The caveat being that you must plan out your tagging strategy and apply tags to your resources and principals that can be evaluated during authorization.

Step 2 of the following tutorial shows an example of a policy that may be helpful for you. https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html

AWS
SUPPORT ENGINEER
Myke_R
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content