Central administrators need scalable mechanisms to set granular permissions as their organizations grow. In this session, we discuss how to scale permissions management by relying on workforce and resource attributes. We introduce attribute-based access control (ABAC) and share how AWS enables you to author permission rules that scale with your organization to simplify permissions management. We share best practices for using tags to implement ABAC; we demonstrate how administrators can create policies and govern tags to grant developers access to AWS resources in their projects; and we show how permissions automatically apply as developers add resources to their projects. It is assumed that attendees are familiar with AWS permissions.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scale permissions management in AWS with
attribute-based access control
Brigid Johnson
Senior Manager, AWS Identity
AWS
S D D 3 5 0 - R

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Permissions review
Introducing attribute-based access control (ABAC) in AWS
Applying ABAC in your organization
ABAC best practices

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Purpose of permissions in your organization
Business to innovate
Agility to move fast
Give builders freedom
Prevent dangerous actions
Accountable security posture
Cost-effective solutions
Goal Ensure

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Specify who can access what
Workforce users Permissions Resources
AWS account
AWS account
AWS account

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Two parts to permissions
AWS’s job: Enforcement
For each request, the service or application evaluates the
permissions that you defined to allow or deny access
Your job: Specification
Define which entities are allowed to perform which actions on
specific resources and under which conditions

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Role-based access control (RBAC)
Workforce users Permissions Resources

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits of RBAC with AWS
Grant users specific permissions by assigning a collection of roles
Create a distinct role for each unique permission combination
Update permissions by adding access for each new resource
Determine access by auditing specific role permissions

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use attributes to create general
permissions rules that scale with
your organization
Attribute-
Based
Access
Control

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
A little bit about attributes
Attributes are a key or a key and value pair
They are pre-defined by a provider or they are custom
UserID = AlienFriend
Team = Unicorns
Project = Pickles
Project = Pickles
Env = Development
CreatedBy = AlienFriend
Examples

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
A scalablepermissions model based on attributes
Workforce users Permissions Resources

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Permissions scale with innovation, enabling
developers to build
Teams move fast, as permissions
automatically apply based on attributes
Granular permissions are possible without
requiring a permissions update for every
new user or resource
Audit attributes are available to determine
access
Benefits of ABAC

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Examples of attribute-based permissions
Grant developers read and write access to their project resources
Require developers to assign their project to new resources
Grant developers read access to resources that are common to their
team
Manage only the resources that I own

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Steps to applying ABAC in your organization

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demonstration Setup
Team Pickles Team Bubbles
AWS Secrets Manager
Easily rotate, manage, and
retrieve database credentials,
API keys, and other secrets
through their lifecycle

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identities with access control attributes
Demo Steps
Required Resource Attributes
project costcenter
project costcenter

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Require attributes for new resources
Demo Steps
project
costcenter
stage createdBy
application
Required Resource Attributes
• project
• costcenter

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Permission policy to require attributes on new secrets
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret" ],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/project": "${aws:PrincipalTag/project}",
"aws:RequestTag/costcenter": "${aws:PrincipalTag/costcenter}" },
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"project",
"createdby",
"costcenter",
"application" ] } } } ] }
Allows project with these
keys, but nothing else
Requires project and
costcenter tags and must
be this value

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Set permissions based on attributes
Permissions rules
Demo steps

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Permission policy to manage secrets using tags
{
"Effect": "Allow",
"Action": [ "secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:RestoreSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:DeleteSecret",
"secretsmanager:RotateSecret",
"secretsmanager:CancelRotateSecret",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:UpdateSecret" ],
"Resource": "*",
"Condition": {
"StringEquals": {
"secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
} } } ] }
Only manage resources
with these tags

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Permission policy to manage secrets using tags
"Effect": "Allow",
"Action": ["secretsmanager:TagResource"],
"Resource": "*",
"Condition": {
"StringEquals": {
"secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"project",
“createdBy",
"application",
"costcenter" ] },
"StringEqualsIfExists": {
"aws:RequestTag/project": ["${aws:PrincipalTag/project}"],
"aws:RequestTag/costcenter": [ "${aws:PrincipalTag/costcenter}"]}}},
Only tag resources with
these tags
Tag with either of these
keys
For project, you specify
only these values

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Permission policy to manage secrets using tags
"Effect": "Allow",
"Action": [
"secretsmanager:UntagResource" ],
"Resource": "*",
"Condition": {
"StringEquals": {
"secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}" },
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"application" ] } } } ] }
Only change tags of your
project

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create new resources and demonstrate permissions
Demo Steps

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Five ABAC best practices to take back with you
1. Reserve a subset of attributes used for access control
2. Only approved entities can set or modify attributes

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Five ABAC best practices to take back with you
3. Tag everything during creation so that permissions apply immediately
4. Rely on attributes to grant permissions to manage resources
5. Periodically audit to ensure that resources are tagged appropriately

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Additional resources
Service-specific permissions documentation
A central location of services, actions, resource-level permissions, and conditions supported across AWS
Actions, Resources, and Condition Keys for AWS Services:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-
contextkeys.html
Become a policy master in 60 minutes or less
A review of IAM policy techniques and demonstrations on how to using them; it includes different
examples for ABAC
Video link: https://youtu.be/YQsK4MtsELU
Working backward: From IAM policies and principal tags to standardized names and tags for your AWS
resources
A blog post about implementing ABAC: AWS Security Blog post
@AWSIdentity

30. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.