Applications of ABAC

Implementing ABAC in AWS with Tags

AWS's Attribute-Based Access Control (ABAC) leverages tags—a form of key-value pairs—for defining permissions, presenting a dynamic alternative to the static, resource-centric access policies traditionally used. Tags can be attached to both IAM entities, such as users or roles, and to AWS resources themselves, facilitating fine-tuned access control based on entity attributes.

Advantages of ABAC:

  • Dynamic Permissions: ABAC adapts to organizational growth, reducing the need to revise policies for new resources or teams.

  • Efficient Management: Utilizing tags streamlines the management of access permissions, sidestepping the cumbersome process of enumerating resources.

Deployment of ABAC:

To employ ABAC in AWS, you integrate tag-based conditions within your IAM policies. This strategy permits access determined by the tags associated with the principal (the user or role in question), rendering the management of permissions more agile and suited to the evolving demands of cloud infrastructures.

ABAC, with its focus on adaptability and ease of management, is ideally suited to the dynamic and scalable nature of AWS environments.

Authorizing based on resource tags

To allow certain actions only when the resource carries a tag key/value pair you specify, use the condition key aws:ResourceTag/<tag key>: <tag value> in the Condition element.

For example, the following policy lets a user or role perform any AWS Organizations operation, except that untagging (organizations:UntagResource) is explicitly denied on any resource that carries the tag key department with the value security.

{
    "Version" : "2012-10-17",
    "Statement" : [
        {
            "Effect" : "Allow",
            "Action" : "organizations:*",
            "Resource" : "*"
        },
        {
            "Effect" : "Deny",
            "Action" : "organizations:UntagResource",
            "Resource" : "*",
            "Condition" : {
                "StringEquals" : {
                    "aws:ResourceTag/department" : "security"
                }
            }
        }
    ]
}

For more information, see Controlling access to resources and aws:ResourceTag in the IAM User Guide.

Authorizing based on the requester's (principal's) tags

To control access for requesters (IAM users or roles) that carry a particular tag, use the aws:PrincipalTag/key-name condition key to specify the tag key and value that the principal must have attached.

The following example shows how to allow an action only when the specified tag (cost-center) has the same value on the principal calling the action and on the resource the action accesses. Here, the calling user can start and stop an Amazon EC2 instance only if the instance is tagged with the same cost-center value as the user.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "ec2:startInstances",
            "ec2:stopInstances"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:ResourceTag/cost-center": "${aws:PrincipalTag/cost-center}"
            }
        }
    }
}

For more information, see Controlling access for IAM principals and aws:PrincipalTag in the IAM User Guide.

The following example permits the operation only if the costcenter tag is present in the request (it explicitly denies account creation whenever that tag is missing):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "organizations:CreateAccount",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/costcenter": "true"
                }
            }
        }
    ]
}

Checking tags passed as parameters in the request

Sometimes tags must be attached at the moment a resource is created, so the tags are sent as part of the request. You can specify a Condition element that uses aws:TagKeys to allow or deny an action based on whether the request includes a particular tag key or set of tag keys.

You can prefix the comparison operator with ForAllValues: to require that every tag key in the request matches one of the keys listed in the policy. For example, the following condition allows an Organizations operation only when every tag key in the request is one of the listed keys.

"Condition": {
    "ForAllValues:StringEquals": {
        "aws:TagKeys": [ "tag-key-1", "tag-key-2", ... , "tag-key-n" ]
    }
}

Alternatively, you can use ForAnyValue:, which allows the Organizations operation as long as at least one of the listed tag keys is present in the request.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "organizations:*",
        "Resource": "*",
        "Condition": {
            "ForAnyValue:StringEquals": {
                "aws:TagKeys": [
                    "stage",
                    "region",
                    "domain"
                ]
            }
        }
    }
}
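The policies on this page can be exercised offline with a small evaluator. The Python script below is an added example written for this page, not code from AWS or from the IAM User Guide; the functions evaluate, condition_holds, tagkeys_policy and demo, and the sample tag values (cost centers 1234 and 9999, the department tag on the resources, the tag keys owner and domain, the user alice) are assumptions constructed for illustration, and treating ec2:ResourceTag/ as an alias of aws:ResourceTag/ is a modelling simplification. It runs the three policies shown above (the ResourceTag deny on UntagResource, the PrincipalTag-to-ResourceTag match, and the Null check on aws:RequestTag) together with the two aws:TagKeys forms, and it makes one caveat visible that the bare condition does not: ForAllValues is a subset test, so a request that carries no tags at all satisfies it vacuously and is allowed. When the tags must actually be present, combine it with a Null condition on the required aws:RequestTag keys or use ForAnyValue.

```python
"""Offline model of the tag-based IAM conditions shown on this page (added example, not AWS code).
Modelled: StringEquals, Null, the ForAllValues:/ForAnyValue: prefixes, ${aws:PrincipalTag/...} variables
and wildcard Actions. Treating ec2:ResourceTag/ as an alias of aws:ResourceTag/ is a simplification."""
import fnmatch
import re
VAR = re.compile(r"\$\{([^}]+)\}")  # a policy variable such as ${aws:PrincipalTag/cost-center}

def request_context(principal_tags, resource_tags, request_tags):
    """Flatten the tags on the caller, the target resource and the request into condition keys."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    for k, v in resource_tags.items():
        ctx[f"aws:ResourceTag/{k}"] = v
        ctx[f"ec2:ResourceTag/{k}"] = v  # simplification: the EC2-specific key is treated as an alias
    for k, v in request_tags.items():
        ctx[f"aws:RequestTag/{k}"] = v
    ctx["aws:TagKeys"] = list(request_tags)  # multivalued key: every tag key passed in the request
    return ctx

def expand(value, ctx):
    """Substitute ${...} policy variables; a variable missing from the request can never match."""
    refs = VAR.findall(value)
    return None if any(not isinstance(ctx.get(r), str) for r in refs) else VAR.sub(lambda m: ctx[m.group(1)], value)

def match_one(operator, expected, actual):
    """Single-valued comparison for the two operators the page uses."""
    if operator == "Null":  # "true" asserts the key is absent from the request, "false" that it is present
        return (actual is None) == (expected == "true")
    if operator != "StringEquals":
        raise ValueError(f"operator not modelled: {operator}")
    return actual is not None and actual == expected

def condition_holds(condition, ctx):
    """Every operator block and every key inside it must match (IAM ANDs them together)."""
    for full_op, pairs in condition.items():
        set_prefix, _, operator = full_op.rpartition(":")  # "ForAllValues:StringEquals" -> prefix, op
        for key, expected in pairs.items():
            wanted = [expand(v, ctx) for v in (expected if isinstance(expected, list) else [expected])]
            actual = ctx.get(key)
            if set_prefix == "":
                ok = any(match_one(operator, w, actual) for w in wanted)
            else:
                values = actual if isinstance(actual, list) else ([] if actual is None else [actual])
                hits = [any(match_one(operator, w, a) for w in wanted) for a in values]
                ok = all(hits) if set_prefix == "ForAllValues" else any(hits)  # all([]) is True: subset test
            if not ok:
                return False
    return True

def evaluate(policy, action, principal_tags, resource_tags, request_tags=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one identity-policy evaluation."""
    ctx = request_context(principal_tags, resource_tags, request_tags or {})
    statements = policy["Statement"]
    statements = statements if isinstance(statements, list) else [statements]  # EC2 example: one object
    decision = "ImplicitDeny"
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue  # action names are case-insensitive and may end in '*'
        if not condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins over any allow
        decision = "Allow"
    return decision

UNTAG_POLICY = {"Version": "2012-10-17", "Statement": [  # the three policies from the page, as literals
    {"Effect": "Allow", "Action": "organizations:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:UntagResource", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/department": "security"}}}]}
COST_CENTER_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["ec2:startInstances", "ec2:stopInstances"], "Resource": "*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/cost-center": "${aws:PrincipalTag/cost-center}"}}}}
REQUIRE_TAG_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "organizations:CreateAccount", "Resource": "*",
     "Condition": {"Null": {"aws:RequestTag/costcenter": "true"}}}]}

def tagkeys_policy(set_prefix, keys):
    """Allow organizations:* gated on aws:TagKeys with a ForAllValues or ForAnyValue prefix."""
    return {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "organizations:*", "Resource": "*",
        "Condition": {f"{set_prefix}:StringEquals": {"aws:TagKeys": list(keys)}}}}

def demo():
    """Decisions for the page's policies; every tag value below is constructed sample data."""
    sec, tag_res = {"department": "security"}, "organizations:TagResource"
    all_sr = tagkeys_policy("ForAllValues", ["stage", "region"])
    any_srd = tagkeys_policy("ForAnyValue", ["stage", "region", "domain"])
    return {
        "untag_security_resource": evaluate(UNTAG_POLICY, "organizations:UntagResource", {}, sec),
        "describe_security_resource": evaluate(UNTAG_POLICY, "organizations:DescribeAccount", {}, sec),
        "ec2_matching_cost_center": evaluate(COST_CENTER_POLICY, "ec2:StartInstances", {"cost-center": "1234"}, {"cost-center": "1234"}),
        "ec2_other_cost_center": evaluate(COST_CENTER_POLICY, "ec2:StartInstances", {"cost-center": "1234"}, {"cost-center": "9999"}),
        "ec2_untagged_principal": evaluate(COST_CENTER_POLICY, "ec2:StartInstances", {}, {"cost-center": "1234"}),
        "create_account_untagged": evaluate(REQUIRE_TAG_POLICY, "organizations:CreateAccount", {}, {}, {}),
        "create_account_tagged": evaluate(REQUIRE_TAG_POLICY, "organizations:CreateAccount", {}, {}, {"costcenter": "1234"}),
        "forall_subset": evaluate(all_sr, tag_res, {}, {}, {"stage": "prod"}),
        "forall_extra_key": evaluate(all_sr, tag_res, {}, {}, {"stage": "prod", "owner": "alice"}),
        "forall_no_tags": evaluate(all_sr, tag_res, {}, {}, {}),  # the pitfall: vacuously allowed
        "forany_one_listed": evaluate(any_srd, tag_res, {}, {}, {"domain": "payments", "owner": "alice"}),
    }
```

Calling demo() returns the decision for each case. Two results are worth reading together: create_account_tagged comes back ImplicitDeny because the Null-based policy only denies, it grants nothing by itself and still needs an Allow statement, and forall_no_tags comes back Allow because an empty set of request tag keys is trivially a subset of the listed keys.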

References

[Docs] Attribute-based access control with tags and AWS Organizations

[Docs] What is ABAC
