Use custom attributes for Attribute-Based Access Control (ABAC) with Microsoft Entra ID and AWS IAM Identity Center
This article explains how to use custom attributes from Microsoft Entra ID (formerly Azure AD) for attribute-based access control (ABAC) in AWS IAM Identity Center (formerly AWS SSO). It shows how to control access to AWS resources such as Amazon EC2 instances based on custom attributes such as project assignment and handover phase, which are passed as SAML claims and evaluated as session tags by IAM policies.
Specifically, the article covers:
- Overview of the solution using Microsoft Entra ID custom attributes as SAML claims
- Prerequisites like a configured Microsoft Entra ID tenant and AWS account
- Detailed walkthrough with steps to create groups, assign attributes, configure SAML claims, create IAM permission set, assign permissions, and test access
- Example scenarios demonstrating controlling EC2 access based on project assignment and handover phase
- Verifying custom attributes passed as session tags in AWS CloudTrail logs
- Cleanup steps to remove the test resources
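The permission set at the heart of the walkthrough is an IAM policy whose conditions compare the session tags derived from the SAML claims against EC2 resource tags. The policy below is an added illustration, not the article's own permission set; it assumes the Entra attributes are mapped in IAM Identity Center's attributes for access control to the session-tag keys `project` and `handoverPhase` (both hypothetical names), and that the EC2 instances carry a `project` tag. Listing instances only requires that a `project` tag be present on the session, while start, stop and reboot are limited to instances whose `project` tag matches the caller's and only while the caller's handover phase is `active`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListInstancesRequiresProjectTag",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
      "Resource": "*",
      "Condition": {
        "Null": { "aws:PrincipalTag/project": "false" }
      }
    },
    {
      "Sid": "ManageInstancesOfOwnProjectDuringHandover",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/project": "${aws:PrincipalTag/project}",
          "aws:PrincipalTag/handoverPhase": "active"
        }
      }
    }
  ]
}
```

Describe calls do not support resource-level permissions, which is why the first statement uses `Resource: "*"` and gates only on the presence of the session tag; a session with no `project` tag at all is denied both statements.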