Using predefined attributes from the AWS SSO identity store for access control in AWS

Each user in the AWS SSO Identity Store is assigned a unique UserId. You can view the UserId for your users using the AWS SSO console by navigating to each user or calling the DescribeUser API. AWS SSO allows you to use this UserId in permissions sets or resource based policies for making access control decisions in AWS. For example, the bucket policy below allows only the user with <UserId> s3:GetObject permission to mybucket. This permission allows the user to read the object data from mybucket.


{
  "Version":"2012-10-17",
  "Statement":[
    {
      
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject","s3:GetObjectVersion"],
      "Resource":["arn:aws:s3:::mybucket/*"],
      "Condition": {
      "StringEquals": {
                    "identitystore:UserId": [
                        "<UserId>"
                    ]
                },
       "Null": {
                "identitystore:UserId": "false"
      }
    }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Supported user and group attributes

Connect to your Microsoft AD directory