Skip to content

Latest commit

 

History

History
140 lines (112 loc) · 7.78 KB

README.md

File metadata and controls

140 lines (112 loc) · 7.78 KB

AWS IAM Identity Center ABAC Module

Usage

The following Terraform code will enable ABAC within your IAM Identity Center instance. You can adjust the attributes to suit your needs. If you, instead, wish to enable and configure attributes for access control using the IAM Identity Center console or IAM Identity Center API, you can follow this guide.

data "aws_ssoadmin_instances" "this" {}

locals {
  # Adjust to select the attributes for your ABAC configuration
  attributes = {
    "CostCenter"   = "$${path:enterprise.costCenter}"
    "Organization" = "$${path:enterprise.organization}"
    "Division"     = "$${path:enterprise.division}"
  }
}

resource "aws_ssoadmin_instance_access_control_attributes" "this" {
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]

  dynamic "attribute" {
    for_each = local.attributes
    content {
      key = attribute.key
      value {
        source = [attribute.value]
      }
    }
  }
}


module "aws_sso_abac" {
  source = "./modules/aws-sso-abac-access"

  permission_set_name    = "my-permission-set"
  principal_name         = "MyPrincipalName"
  principal_type         = "GROUP"
  aws_account_identifier = ["123456789012"] # change to your account number

  attributes          = local.attributes
  actions_readonly    = ["ec2:DescribeInstances"]
  actions_conditional = ["ec2:StartInstances", "ec2:StopInstances"]
}

Overview

From the AWS IAM Identity Center User Guide (link):

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. You can use IAM Identity Center to manage access to your AWS resources across multiple AWS accounts using user attributes that come from any IAM Identity Center identity source. In AWS, these attributes are called tags. Using user attributes as tags in AWS helps you simplify the process of creating fine-grained permissions in AWS and ensures that your workforce gets access only to the AWS resources with matching tags.

Requirements

Name Version
terraform >= 1.0
aws 5.58.0

Providers

Name Version
aws 5.58.0

Modules

No modules.

Resources

Name Type
aws_ssoadmin_account_assignment.this resource
aws_ssoadmin_permission_set.this resource
aws_ssoadmin_permission_set_inline_policy.this resource
aws_iam_policy_document.this data source
aws_identitystore_group.this data source
aws_identitystore_user.this data source
aws_ssoadmin_instances.this data source
aws_ssoadmin_permission_set.this data source

Inputs

Name Description Type Default Required
account_identifiers A 10-12 digit string used to identify AWS accounts list(string) n/a yes
actions_conditional Actions allowed on a resource when the principal tags match the resource list(string) n/a yes
actions_readonly Actions allowed on a resource, regardless of what tags the principal has list(string) n/a yes
attributes A list of user attributes to use in policies to control access to resources map(string) {} no
permission_set_desc A description for the inline policy string "" no
permission_set_name The name of the inline policy created for a single IAM identity string n/a yes
principal_name The name of the principal to assign the permission set to string "" no
principal_type The entity type for which the assignment will be created string n/a yes
resources_conditional Resources users can perform actions on when the tags match list(string) 
[
  "*"
]
 no
resources_readonly Resources users are allowed to read-only list(string) 
[
  "*"
]
 no
session_duration Session Timeout for SSO string "PT1H" no

Outputs

Name Description
account_assignment All account assignments made
permission_set_arn The Amazon Resource Number (ARN) of the custom permission set
permission_set_created_date The date the Permission Set was created in RFC3339 format
principal_id The principal ID that has the custom permission set attached to it