AWS IAM Identity Center ABAC Module

Usage

The following Terraform code will enable ABAC within your IAM Identity Center instance. You can adjust the attributes to suit your needs. If you, instead, wish to enable and configure attributes for access control using the IAM Identity Center console or IAM Identity Center API, you can follow this guide.

data "aws_ssoadmin_instances" "this" {}

locals {
  # Adjust to select the attributes for your ABAC configuration
  attributes = {
    "CostCenter"   = "$${path:enterprise.costCenter}"
    "Organization" = "$${path:enterprise.organization}"
    "Division"     = "$${path:enterprise.division}"
  }
}

resource "aws_ssoadmin_instance_access_control_attributes" "this" {
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]

  dynamic "attribute" {
    for_each = local.attributes
    content {
      key = attribute.key
      value {
        source = [attribute.value]
      }
    }
  }
}


module "aws_sso_abac" {
  source = "./modules/aws-sso-abac-access"

  permission_set_name    = "my-permission-set"
  principal_name         = "MyPrincipalName"
  principal_type         = "GROUP"
  aws_account_identifier = ["123456789012"] # change to your account number

  attributes          = local.attributes
  actions_readonly    = ["ec2:DescribeInstances"]
  actions_conditional = ["ec2:StartInstances", "ec2:StopInstances"]
}

Overview

From the AWS IAM Identity Center User Guide (link):

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. You can use IAM Identity Center to manage access to your AWS resources across multiple AWS accounts using user attributes that come from any IAM Identity Center identity source. In AWS, these attributes are called tags. Using user attributes as tags in AWS helps you simplify the process of creating fine-grained permissions in AWS and ensures that your workforce gets access only to the AWS resources with matching tags.

Requirements

Name	Version
terraform	>= 1.0
aws	5.58.0

Providers

Name	Version
aws	5.58.0

Modules

No modules.

Resources

Name	Type
aws_ssoadmin_account_assignment.this	resource
aws_ssoadmin_permission_set.this	resource
aws_ssoadmin_permission_set_inline_policy.this	resource
aws_iam_policy_document.this	data source
aws_identitystore_group.this	data source
aws_identitystore_user.this	data source
aws_ssoadmin_instances.this	data source
aws_ssoadmin_permission_set.this	data source

Inputs

Name	Description	Type	Default	Required
account_identifiers	A 10-12 digit string used to identify AWS accounts	`list(string)`	n/a	yes
actions_conditional	Actions allowed on a resource when the principal tags match the resource	`list(string)`	n/a	yes
actions_readonly	Actions allowed on a resource, regardless of what tags the principal has	`list(string)`	n/a	yes
attributes	A list of user attributes to use in policies to control access to resources	`map(string)`	`{}`	no
permission_set_desc	A description for the inline policy	`string`	`""`	no
permission_set_name	The name of the inline policy created for a single IAM identity	`string`	n/a	yes
principal_name	The name of the principal to assign the permission set to	`string`	`""`	no
principal_type	The entity type for which the assignment will be created	`string`	n/a	yes
resources_conditional	Resources users can perform actions on when the tags match	`list(string)`	[ "*"]	no
resources_readonly	Resources users are allowed to read-only	`list(string)`	[ "*"]	no
session_duration	Session Timeout for SSO	`string`	`"PT1H"`	no

Outputs

Name	Description
account_assignment	All account assignments made
permission_set_arn	The Amazon Resource Number (ARN) of the custom permission set
permission_set_created_date	The date the Permission Set was created in RFC3339 format
principal_id	The principal ID that has the custom permission set attached to it