Attribute-Based Access Control via Session Tags


Attribute-Based Access Control via Session Tags

Attribute-based access control (ABAC) is a strategy for managing access to your AWS resources at scale. With this strategy, you define permissions for attributes instead of roles. When you add a new resource, simply tag it with the relevant attributes and any users or roles with the matching attributes automatically have the correct levels of access. You rarely have to update your policies, and adding new users and resources is easy.

Session tags are the key to attribute-based access control. Session tags pass in attributes when you federate into an AWS account from Kion using a cloud access role. Specific permissions can be assigned to these attributes in AWS, enabling granular permission control that isn’t reliant on granular roles.

For example, let’s say you have a developer with permission to start, stop, and terminate EC2 instances. If you were to tag the cloud access role they use with Department:Engineering, they would only be able to start, stop, and terminate EC2 instances with that same tag. This means that in a shared services account, they couldn’t accidentally shut down a DevOps instance (assuming that this resource would be tagged with Department:DevOps).

For information about adding session tags to cloud access roles, see Add a User Cloud Access Role.

Custom Session Tags

In addition to the tags on your cloud access roles, if your SAML identity provider supports session tags, Kion automatically includes any attributes defined in your user directory as well.

If you add user attributes from your identity provider to the above example, you could add the Department:Engineering tag directly to the user instead of the cloud access role. In this case, no matter what cloud access role they use in Kion, this user will always have that session tag and will always only have access to resources with a matching tag.

For information about using custom session tags, see Custom SAML Session Tags for AWS.