Checklist: Configuring ABAC in AWS using IAM Identity Center - AWS IAM Identity Center

Checklist: Configuring ABAC in AWS using IAM Identity Center

This checklist includes the configuration tasks that are necessary to prepare your AWS resources and to set up IAM Identity Center for ABAC access. Complete the tasks in this checklist in order. When a reference link takes you to another topic, return to this topic so that you can proceed with the remaining tasks in the checklist.

Step 1. Review how to add tags to all your AWS resources. To implement ABAC in IAM Identity Center, you first need to add tags to every AWS resource that you want ABAC to govern.

Step 2. Review how to configure your identity source in IAM Identity Center with the associated user identities and attributes in your identity store. IAM Identity Center lets you use user attributes from any supported IAM Identity Center identity source for ABAC in AWS.

Step 3. Based on the following criteria, determine which attributes you want to use for making access control decisions in AWS and send them to IAM Identity Center.
  • If you are using an external identity provider (IdP), decide whether you want to use attributes passed from the IdP or select attributes from within IAM Identity Center.

  • If you choose to have your IdP send attributes, configure your IdP to transmit the attributes in SAML assertions. See the Optional sections in the tutorial for your specific IdP.

  • If you use an IdP as your identity source and choose to select attributes in IAM Identity Center, investigate how to configure SCIM so that the attribute values come from your IdP. If you cannot use SCIM with your IdP, add the users and their attributes using the IAM Identity Center console User page.

  • If you use Active Directory or IAM Identity Center as your identity source, or you use an IdP and choose to select attributes in IAM Identity Center, review the available attributes that you can configure. Then go directly to step 4 to start configuring your ABAC attributes using the IAM Identity Center console.

Step 4. Select the attributes to use for ABAC using the Attributes for access control page in the IAM Identity Center console. From this page you can select attributes for access control from the identity source that you configured in step 2. After your identities and their attributes are in IAM Identity Center, you must create key-value pairs (mappings) that are passed to your AWS accounts for use in access control decisions.

Step 5. Create custom permissions policies within your permission set and use access control attributes to create ABAC rules so that users can only access resources with matching tags. The user attributes that you configured in step 4 are used as tags in AWS for access control decisions. You refer to an access control attribute in the permissions policy using the aws:PrincipalTag/key condition key.

Step 6. In each of your AWS accounts, assign users to the permission sets you created in step 5. Doing so ensures that when they federate into their accounts and access AWS resources, they only get access to resources whose tags match their attributes.

After you complete these steps, users who federate into an AWS account using single sign-on will get access to their AWS resources based on matching attributes.
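As an added illustration of step 5 (example policy, not from the AWS documentation), the following inline policy for a permission set assumes that an access control attribute named CostCenter was mapped in step 4 and that EC2 instances carry a CostCenter tag; it allows instance operations only where the resource tag equals the principal's attribute, and denies changing that tag so a user cannot re-scope their own access.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListInstancesNoResourceLevelSupport",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "OperateOnlyOnMatchingCostCenterAssumedAttribute",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
        }
      }
    },
    {
      "Sid": "DenyChangingTheAccessControlTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "CostCenter"
        }
      }
    }
  ]
}
```

The Describe statement uses "*" because ec2:DescribeInstances does not support resource-level conditions; the tag match is enforced on the mutating actions, and the Deny statement applies regardless of what other Allow statements in the permission set grant.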