The following Terraform code enables ABAC within your IAM Identity Center instance. Adjust the attributes to suit your needs. If you would rather enable and configure attributes for access control through the IAM Identity Center console or the IAM Identity Center API, you can follow this guide.
```hcl
data "aws_ssoadmin_instances" "this" {}

locals {
  # Adjust to select the attributes for your ABAC configuration.
  # "$${...}" is Terraform's escape for a literal "${...}", so IAM Identity Center
  # receives the attribute path "${path:enterprise.costCenter}" unchanged.
  attributes = {
    "CostCenter"   = "$${path:enterprise.costCenter}"
    "Organization" = "$${path:enterprise.organization}"
    "Division"     = "$${path:enterprise.division}"
  }
}

resource "aws_ssoadmin_instance_access_control_attributes" "this" {
  # The account has a single IAM Identity Center instance; take its ARN.
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]

  # One attribute block per entry in local.attributes
  dynamic "attribute" {
    for_each = local.attributes
    content {
      key = attribute.key
      value {
        source = [attribute.value]
      }
    }
  }
}

module "aws_sso_abac" {
  source = "./modules/aws-sso-abac-access"

  permission_set_name = "my-permission-set"
  principal_name      = "MyPrincipalName"
  principal_type      = "GROUP"
  # Input name as declared by the module (see the Inputs table below)
  account_identifiers = ["123456789012"] # change to your account number
  attributes          = local.attributes
  actions_readonly    = ["ec2:DescribeInstances"]
  actions_conditional = ["ec2:StartInstances", "ec2:StopInstances"]
}
```
From the AWS IAM Identity Center User Guide (link):
Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. You can use IAM Identity Center to manage access to your AWS resources across multiple AWS accounts using user attributes that come from any IAM Identity Center identity source. In AWS, these attributes are called tags. Using user attributes as tags in AWS helps you simplify the process of creating fine-grained permissions in AWS and ensures that your workforce gets access only to the AWS resources with matching tags.
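To make the `actions_readonly` / `actions_conditional` split concrete at the IAM policy level, here is an added example (not the module's own code) of an inline policy of the shape the module's inputs imply: read-only actions carry no tag condition, while conditional actions require every configured principal tag to equal the same tag on the resource. The condition layout (`aws:ResourceTag/<key>` compared to `${aws:PrincipalTag/<key>}`) and the `aws_ssoadmin_permission_set.example` reference are my assumptions, not taken from the module.

```hcl
# Added example: policy document of the shape implied by the module's inputs.
# Assumes data.aws_ssoadmin_instances.this from the snippet above and a
# hypothetical permission set resource named aws_ssoadmin_permission_set.example.
locals {
  example_actions_readonly    = ["ec2:DescribeInstances"]
  example_actions_conditional = ["ec2:StartInstances", "ec2:StopInstances"]
  # Same keys as the access-control attributes configured above
  example_attribute_keys = ["CostCenter", "Organization", "Division"]
}

data "aws_iam_policy_document" "abac_example" {
  # Read-only actions: granted to every user holding the permission set, no tag check
  statement {
    sid       = "ReadOnly"
    effect    = "Allow"
    actions   = local.example_actions_readonly
    resources = ["*"]
  }

  # Conditional actions: multiple condition blocks in one statement are ANDed,
  # so every listed tag must match. A resource missing any of the tags fails
  # StringEquals and the request is implicitly denied.
  statement {
    sid       = "TagMatched"
    effect    = "Allow"
    actions   = local.example_actions_conditional
    resources = ["arn:aws:ec2:*:*:instance/*"]

    dynamic "condition" {
      for_each = local.example_attribute_keys
      content {
        test     = "StringEquals"
        variable = "aws:ResourceTag/${condition.value}"
        # "$${" yields a literal "${" so the rendered JSON contains
        # "${aws:PrincipalTag/CostCenter}", an IAM policy variable
        values = ["$${aws:PrincipalTag/${condition.value}}"]
      }
    }
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "abac_example" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.example.arn # hypothetical
  inline_policy      = data.aws_iam_policy_document.abac_example.json
}
```

Run `terraform plan` and inspect the rendered `inline_policy` JSON to confirm the principal-tag variables appear literally rather than being interpolated by Terraform.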
Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | 5.58.0 |
Providers

| Name | Version |
|---|---|
| aws | 5.58.0 |
Modules

No modules.
Resources

| Name | Type |
|---|---|
| `aws_ssoadmin_account_assignment.this` | resource |
| `aws_ssoadmin_permission_set.this` | resource |
| `aws_ssoadmin_permission_set_inline_policy.this` | resource |
| `aws_iam_policy_document.this` | data source |
| `aws_identitystore_group.this` | data source |
| `aws_identitystore_user.this` | data source |
| `aws_ssoadmin_instances.this` | data source |
| `aws_ssoadmin_permission_set.this` | data source |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| `account_identifiers` | A 10-12 digit string used to identify AWS accounts | `list(string)` | n/a | yes |
| `actions_conditional` | Actions allowed on a resource when the principal tags match the resource | `list(string)` | n/a | yes |
| `actions_readonly` | Actions allowed on a resource, regardless of what tags the principal has | `list(string)` | n/a | yes |
| `attributes` | A list of user attributes to use in policies to control access to resources | `map(string)` | `{}` | no |
| `permission_set_desc` | A description for the inline policy | `string` | `""` | no |
| `permission_set_name` | The name of the inline policy created for a single IAM identity | `string` | n/a | yes |
| `principal_name` | The name of the principal to assign the permission set to | `string` | `""` | no |
| `principal_type` | The entity type for which the assignment will be created | `string` | n/a | yes |
| `resources_conditional` | Resources users can perform actions on when the tags match | `list(string)` | `[` | no |
| `resources_readonly` | Resources users are allowed to read-only | `list(string)` | `[` | no |
| `session_duration` | Session timeout for SSO | `string` | `"PT1H"` | no |
Outputs

| Name | Description |
|---|---|
| `account_assignment` | All account assignments made |
| `permission_set_arn` | The Amazon Resource Name (ARN) of the custom permission set |
| `permission_set_created_date` | The date the permission set was created, in RFC 3339 format |
| `principal_id` | The principal ID that has the custom permission set attached to it |