2.2.4. Attribute-Based Access Control (ABAC)
First Principle: Attribute-Based Access Control (ABAC) fundamentally grants permissions based on attributes (tags) associated with both the user/role and the resource, providing dynamic and scalable access control.
Attribute-Based Access Control (ABAC) is an authorization strategy that defines permissions based on attributes (tags) attached to AWS resources, IAM identities, and even the request itself. It is a more flexible and scalable alternative to traditional Role-Based Access Control (RBAC) for large, dynamic environments.
Key Concepts of ABAC:
- Attributes (Tags): Key-value pairs attached to IAM identities (e.g., Project: Finance, Department: HR) and AWS resources (e.g., an EC2 instance tagged Project: Finance).
- Policy Evaluation: IAM policies evaluate these attributes in real time when an API request is made.
- Dynamic Permissions: Permissions are granted dynamically based on matching attributes. This means you don't need to create a new IAM policy every time a new project or resource is added, as long as the tags follow your defined structure.
- Scalability: Highly scalable for large organizations with many resources and frequently changing teams/projects.
- Comparison to RBAC:
Scenario: A large organization has many development teams, each working on different projects. They want to grant developers access to EC2 instances and S3 buckets only if those resources are tagged with the same project name as the developer's assigned project. As new projects are added, permissions should automatically extend without manual IAM policy updates.
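The scenario above, worked as an added example that is not part of the original text: the IAM policy document below is the standard ABAC shape, allowing the two EC2 actions only when the instance's Project tag equals the caller's Project tag, written with the aws:ResourceTag and aws:PrincipalTag condition keys and the ${aws:PrincipalTag/Project} policy variable. The small Python evaluator under it is a deliberately simplified simulation of how IAM resolves that condition (StringEquals on resource tags only, no explicit Deny), built here so the tag-matching rule can be exercised offline; it is not the IAM engine and the tag values are constructed for illustration.

```python
"""ABAC tag matching: an IAM policy plus a minimal, teaching-only evaluator.

Added example. The policy is valid IAM syntax using real condition keys; the
evaluator is a constructed model of the matching rule, not AWS code.
"""
import fnmatch
import json
import re

# Developers may start/stop only instances whose Project tag equals their own
# Project tag. No project name appears in the policy, so new projects need no
# policy change, only consistent tagging of principals and resources.
ABAC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProjectScopedEc2",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
        }
      }
    }
  ]
}
""")

_PRINCIPAL_TAG_VAR = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")


def _resolve(value, principal_tags):
    """Expand a ${aws:PrincipalTag/Key} variable to the caller's tag value.

    Returns None when the caller lacks the tag; IAM likewise fails the
    condition when the variable cannot be resolved.
    """
    m = _PRINCIPAL_TAG_VAR.match(value)
    if not m:
        return value
    return principal_tags.get(m.group(1))


def is_allowed(policy, action, principal_tags, resource_tags):
    """True if an Allow statement covers the action and its conditions hold.

    Simplified model: only StringEquals on aws:ResourceTag/* keys is handled,
    Resource ARNs are not compared, and explicit Deny is not modelled.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        satisfied = True
        for cond_key, expected in conditions.items():
            if not cond_key.startswith("aws:ResourceTag/"):
                satisfied = False  # unsupported key in this model: fail closed
                break
            tag_key = cond_key.split("/", 1)[1]
            want = _resolve(expected, principal_tags)
            have = resource_tags.get(tag_key)
            if want is None or have is None or want != have:
                satisfied = False
                break
        if satisfied:
            return True
    return False


def demo():
    """Run the scenario's cases against the policy (constructed tag values)."""
    finance_dev = {"Project": "Finance", "Department": "Engineering"}
    finance_box = {"Project": "Finance", "Name": "ledger-01"}
    hr_box = {"Project": "HR"}
    return {
        "same_project": is_allowed(ABAC_POLICY, "ec2:StartInstances", finance_dev, finance_box),
        "other_project": is_allowed(ABAC_POLICY, "ec2:StartInstances", finance_dev, hr_box),
        "untagged_resource": is_allowed(ABAC_POLICY, "ec2:StartInstances", finance_dev, {}),
        "untagged_principal": is_allowed(ABAC_POLICY, "ec2:StopInstances", {}, finance_box),
        # A brand-new project works with the unchanged policy.
        "new_project": is_allowed(ABAC_POLICY, "ec2:StopInstances",
                                  {"Project": "Payments"}, {"Project": "Payments"}),
        "unlisted_action": is_allowed(ABAC_POLICY, "ec2:TerminateInstances", finance_dev, finance_box),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} -> {'ALLOW' if allowed else 'DENY'}")
```

Two things the model makes visible that the prose only implies. First, the policy trusts the tags, so whoever can change them (ec2:CreateTags, ec2:DeleteTags, iam:TagUser, iam:TagRole) effectively edits the permissions; in a real deployment those tagging actions are restricted or constrained with aws:RequestTag and aws:TagKeys conditions so the Project attribute cannot be rewritten at will. Second, aws:ResourceTag is supported per service and per action, so before extending the pattern from EC2 to S3 or another service, confirm the action's condition-key support in the AWS Service Authorization Reference rather than assuming it.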
Reflection Question: How does Attribute-Based Access Control (ABAC), by dynamically granting permissions based on attributes (tags) associated with both the user/role and the resource, fundamentally provide a scalable and flexible access control model for large, dynamic organizations?