Scale your Secrets Manager approval requirements using ABAC and IAM Identity Center

With AWS Secrets Manager, you can securely store, manage, retrieve, and rotate the secrets required for your applications and services running on AWS. A secret can be a password, API key, OAuth token, or other type of credential used for authentication purposes. You can control access to secrets in Secrets Manager by using AWS Identity and Access Management (IAM) permission policies. In this blog post, I will show you how to use principles of attribute-based access control (ABAC) to define dynamic IAM permission policies in AWS IAM Identity Center (successor to AWS Single Sign-On) by using user attributes from an external identity provider (IdP) and resource tags in Secrets Manager.

 <h2>What is ABAC and why use it?</h2> <p>Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes or characteristics of the user, the data, or the environment, such as the department, business unit, or other factors that could affect the authorization outcome. In the AWS Cloud, these attributes are called <em>tags</em>. By assigning user attributes as <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html" target="_blank" rel="noopener">principal tags</a>, you can simplify the process of creating fine-grained permissions on AWS.</p> <p>With ABAC, you can use attributes to build more dynamic policies that provide access based on matching attribute conditions. ABAC rules are evaluated dynamically at runtime, which means that the users’ access to applications and data and the type of allowed operations automatically change based on the contextual factors in the policy. For example, if a user changes department, access is automatically adjusted without the need to update permissions or request new roles. You can use ABAC in conjunction with <a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/access-control-types.html" target="_blank" rel="noopener">role-based access control (RBAC)</a> to combine the ease of policy administration with flexible policy specification and dynamic decision-making capability to enforce least privilege.</p> <p><a href="https://aws.amazon.com/iam/identity-center/" target="_blank" rel="noopener">AWS IAM Identity Center</a> (successor to AWS Single Sign-On) expands the capabilities of IAM to provide a central place that brings together the administration of users and their access to AWS accounts and cloud applications. 
With IAM Identity Center, you can define user permissions and manage access to accounts and applications in your <a href="https://aws.amazon.com/organizations/" target="_blank" rel="noopener">AWS Organizations</a> organization centrally. You can also create ABAC permission policies in a central place. ABAC will work with attributes from a supported identity source in IAM Identity Center. For a list of supported external IdPs for identity synchronization through the System for Cross-domain Identity Management (SCIM) and Security Assertion Markup Language (SAML) 2.0, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html" target="_blank" rel="noopener">Supported identity providers</a>.</p> <p>The following are key benefits of using ABAC with IAM Identity Center and Secrets Manager:</p> <ol> <li><strong>Fewer permission sets</strong> — With ABAC, multiple users who use the same IAM Identity Center permission set and the same IAM role can still get unique permissions, because permissions are now based on user attributes. Administrators can author IAM policies that grant users access only to secrets that have matching attributes. 
This helps reduce the number of distinct permissions that you need to create and manage in IAM Identity Center and, in turn, reduces your permission management complexity.</li> <li><strong>Teams can change and grow quickly</strong> — When you create new secrets, you can apply the appropriate tags, which will automatically grant access without requiring you to update the permission policies.</li> <li><strong>Use employee attributes from your corporate directory to define access</strong> — You can use existing employee attributes from a supported identity source configured in IAM Identity Center to make access control decisions on AWS.</li> </ol> <p>Figure 1 shows a framework to control access to Secrets Manager secrets using IAM Identity Center and ABAC principles.</p> <div id="attachment_29145" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29145" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img1-3.png" alt="Figure 1: ABAC framework to control access to secrets using IAM Identity Center" width="760" class="size-full wp-image-29145"> <p id="caption-attachment-29145" class="wp-caption-text">Figure 1: ABAC framework to control access to secrets using IAM Identity Center</p> </div> <p>The following is a brief introduction to the basic components of the framework:</p> <ol> <li><a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-choose-identity-source.html" target="_blank" rel="noopener"><strong>User attribute source or identity source</strong></a> — This is where your users and groups are administered. You can configure a supported identity source with IAM Identity Center. 
You can then define and manage supported user attributes in the identity source.</li> <li><strong>Policy management</strong> — You can create and maintain policy definitions (<a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html" target="_blank" rel="noopener">permission sets</a>) centrally in IAM Identity Center. You can assign access to a user or group to one or more accounts in IAM Identity Center with these permission sets. You can then use attributes defined in your identity source to build ABAC policies for managing access to secrets.</li> <li><strong>Policy evaluation</strong> — When you assign a permission set, IAM Identity Center creates corresponding IAM Identity Center-controlled IAM roles in each account, and attaches the policies specified in the permission set to those roles. IAM Identity Center manages the role, and allows the authorized users that you’ve defined to assume the role. When users try to access a secret, IAM dynamically evaluates ABAC policies on the target account to determine access based on the attributes assigned to the user and resource tags assigned to that secret.</li> </ol> <h2>How to configure ABAC with IAM Identity Center</h2> <p>To configure ABAC with IAM Identity Center, you need to complete the following high-level steps. I will walk you through these steps in detail later in this post.</p> <ol> <li>Identify and set up identities that are created and managed in the identity source with user attributes, such as project, team, AppID or department.</li> <li>In IAM Identity Center, enable <strong>Attributes for access control</strong> and configure select attributes (such as department) to use for access control. 
For a list of supported attributes, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedidpattributes" target="_blank" rel="noopener">Supported external identity provider attributes</a>.</li> <li>If you are using an external IdP and choose to use custom attributes from your IdP for access controls, configure your IdP to send the attributes through SAML assertions to IAM Identity Center.</li> <li>Assign appropriate tags to secrets in Secrets Manager.</li> <li>Create permission sets based on attributes added to identities and resource tags.</li> <li>Define guardrails to enforce access using ABAC.</li> </ol> <h2>ABAC enforcement and governance</h2> <p>Because an ABAC authorization model is based on tags, you must have a tagging strategy for your resources. To help prevent unintended access, you need to make sure that tagging is enforced and that a governance model is in place to protect the tags from unauthorized updates. By using <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html?icmpid=docs_orgs_console" target="_blank" rel="noopener">service control policies (SCPs)</a> and AWS Organizations <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html" target="_blank" rel="noopener">tag policies</a>, you can enforce tagging and tag governance on resources.</p> <p>When you implement ABAC for your secrets, consider the following guidance for establishing a tagging strategy:</p> <ul> <li>During secret creation, secrets must have an ABAC tag applied (tag-on-create).</li> <li>During secret creation, the provided ABAC tag key must be the same case as the principal’s ABAC tag key.</li> <li>After secret creation, the ABAC tag cannot be modified or deleted.</li> <li>Only authorized principals can do tagging operations on secrets.</li> <li>You enforce the permissions that give access to secrets through tags.</li> </ul> <p>For 
more information on tag strategy, enforcement, and governance, see the following resources:</p> <h2>Solution overview</h2> <p>In this post, I will walk you through the steps using Okta, an external IdP that is supported by IAM Identity Center.</p> <div id="attachment_29146" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29146" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img2-3.png" alt="Figure 2: Sample solution implementation" width="760" class="size-full wp-image-29146"> <p id="caption-attachment-29146" class="wp-caption-text">Figure 2: Sample solution implementation</p> </div> <p>In the sample architecture shown in Figure 2, Arnav and Ana are users who each have the attributes <span>department</span> and <span>AppID</span>. These attributes are created and updated in the external directory—Okta in this case. The attribute <span>department</span> is automatically synchronized between IAM Identity Center and Okta using SCIM. The attribute <span>AppID</span> is a custom attribute configured on Okta, and is passed to AWS in a SAML assertion. Both users are configured to use the same IAM Identity Center permission set that allows them to retrieve the value of secrets stored in Secrets Manager. However, access is granted based on the tags associated with the secret and the attributes assigned to the user. </p> <p>For example, user Arnav can only retrieve the value of the <span>RDS_Master_Secret_AppAlpha</span> secret. 
Although both users work in the same department, Arnav can’t retrieve the value of the <span>RDS_Master_Secret_AppBeta</span> secret in this sample architecture.</p> <h2>Prerequisites</h2> <p>Before you implement the solution in this blog post, make sure that you have the following prerequisites in place:</p> <ol> <li>You have <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html" target="_blank" rel="noopener">IAM Identity Center</a> enabled for your organization and connected to an <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html" target="_blank" rel="noopener">external IdP</a> using SAML 2.0 identity federation.</li> <li>You have IAM Identity Center configured for automatic provisioning with an external IdP using the <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html" target="_blank" rel="noopener">SCIM v2.0</a> standard. SCIM keeps your IAM Identity Center identities in sync with identities from the external IdP.</li> </ol> <h2>Solution implementation</h2> <p>In this section, you will learn how to enable access to Secrets Manager using ABAC by completing the following steps:</p> <ol> <li>Configure ABAC in IAM Identity Center</li> <li>Define custom attributes in Okta</li> <li>Update configuration for the IAM Identity Center application on Okta </li> <li>Make sure that required tags are assigned to secrets in Secrets Manager</li> <li>Create and assign a permission set with an ABAC policy in IAM Identity Center</li> <li>Define guardrails to enforce access using ABAC</li> </ol> <h3>Step 1: Configure ABAC in IAM Identity Center</h3> <p>The first step is to set up attributes for your ABAC configuration in IAM Identity Center. This is where you will be mapping the attribute coming from your identity source to an attribute that IAM Identity Center passes as a session tag. 
The <strong>Key</strong> represents the name that you are giving to the attribute for use in the permission set policies. You need to specify the exact name in the policies that you author for access control. For the example in this post, you will create a new attribute with <strong>Key</strong> of <span>department</span> and <strong>Value</strong> of <span>${path:enterprise.department}</span>. For supported external IdP attributes, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html" target="_blank" rel="noopener">Attribute mappings</a>.</p> <h4>To configure ABAC in IAM Identity Center (console)</h4> <ol> <li>Open the IAM Identity Center console.</li> <li>In the <strong>Settings </strong>menu, enable <strong>Attributes for access control</strong>.</li> <li>Choose the <strong>Attributes for access control</strong> tab, select <strong>Add attribute</strong>, and then enter the <strong>Key </strong>and <strong>Value </strong>details as follows. <ul> <li><strong>Key</strong>: <span>department</span></li> <li><strong>Value</strong>: <span>${path:enterprise.department}</span></li> </ul> </li> </ol> <blockquote> <p><strong>Note: </strong>For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/attributesforaccesscontrol.html" target="_blank" rel="noopener">Attributes for access control</a>.</p> </blockquote> <h3>Step 2: Define custom attributes in Okta</h3> <p>The sample architecture in this post uses a custom attribute (<span>AppID</span>) on an external IdP for access control. 
In this step, you will create a custom attribute in Okta.</p> <h4>To define custom attributes in Okta (console)</h4> <ol> <li>Open the <strong>Okta</strong> console.</li> <li>Navigate to <strong>Directory</strong> and then select <strong>Profile Editor</strong>.</li> <li>On the <strong>Profile Editor</strong> page, choose <strong>Okta User (default)</strong>.</li> <li>Select <strong>Add Attribute</strong> and create a new custom attribute with the following parameters. <ul> <li>For <strong>Data type</strong>, enter <span>string</span></li> <li>For <strong>Display name</strong>, enter <span>AppID</span></li> <li>For <strong>Variable name</strong>, enter <span>user.AppID</span></li> <li>For <strong>Attribute length</strong>, select <strong>Less Than</strong> from the dropdown and enter a value.</li> <li>For <strong>User permission</strong>, enter <span>Read Only</span></li> </ul> </li> <li>Navigate to <strong>Directory</strong>, select <strong>People</strong>, choose in-scope users, and enter a value for <strong>Department </strong>and <strong>AppID</strong> attributes. The following shows these values for the users in our example. 
<ul> <li><strong>First name (firstName)</strong>: <span>Arnav</span></li> <li><strong>Last name (lastName)</strong>: <span>Desai</span></li> <li><strong>Primary email (email)</strong>: <span>arnav.desai@example.net</span></li> <li><strong>Department (department)</strong>: <span>Digital</span></li> <li><strong>AppID</strong>: <span>Alpha</span><br> </li> <li><strong>First name (firstName)</strong>: <span>Ana</span></li> <li><strong>Last name (lastName)</strong>: <span>Carolina</span></li> <li><strong>Primary email (email)</strong>: <span>ana.carolina@example.net</span></li> <li><strong>Department (department)</strong>: <span>Digital</span></li> <li><strong>AppID</strong>: <span>Beta</span></li> </ul> </li> </ol> <h3>Step 3: Update SAML configuration for IAM Identity Center application on Okta</h3> <p>Automatic provisioning (through the SCIM v2.0 standard) of user and group information from Okta into IAM Identity Center supports a set of <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html" target="_blank" rel="noopener">defined attributes</a>. A custom attribute that you create on Okta won’t be automatically synchronized to IAM Identity Center through SCIM. 
You can, however, define the attribute in the SAML configuration so that it is inserted into the SAML assertions.</p> <h4>To update the SAML configuration in Okta (console)</h4> <ol> <li>Open the <strong>Okta</strong> console and navigate to <strong>Applications</strong>.</li> <li>On the <strong>Applications</strong> page, select the app that you defined for IAM Identity Center.</li> <li>Under the <strong>Sign On</strong> tab, choose <strong>Edit</strong>.</li> <li>Under <strong>SAML 2.0</strong>, expand the <strong>Attributes (Optional)</strong> section, and add an attribute statement with the following values, as shown in Figure 3: <div id="attachment_29149" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29149" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img3-3-1024x921-1.png" alt="Figure 3: Sample SAML configuration with custom attributes" width="720" class="size-large wp-image-29149"> <p id="caption-attachment-29149" class="wp-caption-text">Figure 3: Sample SAML configuration with custom attributes</p> </div> </li> <li>To check that the newly added attribute is reflected in the SAML assertion, choose <strong>Preview SAML</strong>, review the information, and then choose <strong>Save</strong>.</li> </ol> <h3>Step 4: Make sure that required tags are assigned to secrets in Secrets Manager</h3> <p>The next step is to make sure that the required tags are assigned to secrets in Secrets Manager. You will review the required tags from the Secrets Manager console.</p> <h4>To verify required tags on secrets (console)</h4> <ol> <li>Open the <strong>Secrets Manager</strong> console in the target AWS account and then choose <strong>Secrets</strong>.</li> <li>Verify that the required tags are assigned to the secrets in scope for this solution, as shown in Figure 4. 
In our example, the tags are as follows: <ul> <li><strong>Key</strong>: <span>department</span></li> <li><strong>Value</strong>: <span>Digital</span></li> <li><strong>Key</strong>: <span>AppID</span></li> <li><strong>Value</strong>: <span>Alpha or Beta</span></li> </ul> <div id="attachment_29150" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29150" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img4-3-1024x467-1.png" alt="Figure 4: Sample secret configuration with required tags" width="720" class="size-large wp-image-29150"> <p id="caption-attachment-29150" class="wp-caption-text">Figure 4: Sample secret configuration with required tags</p> </div> </li> </ol> <h3 id="step-5a">Step 5a: Create a permission set in IAM Identity Center using ABAC policy</h3> <p>In this step, you will create a new permission set that allows access to secrets based on the principal attributes and resource tags.</p> <p>When you enable ABAC and specify attributes, IAM Identity Center passes the attribute value of the authenticated user to <a href="https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html" target="_blank" rel="noopener">AWS Security Token Service (AWS STS)</a> as <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html" target="_blank" rel="noopener">session tags</a> when an IAM role is assumed. 
You can use access control attributes in your permission sets by using the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag" target="_blank" rel="noopener">aws:PrincipalTag</a> condition key to create access control rules.</p> <h4>To create a permission set (console)</h4> <ol> <li>Open the <strong>IAM Identity Center</strong> console and navigate to <strong>Multi-account permissions</strong>.</li> <li>Choose <strong>Permission sets</strong>, and then select <strong>Create permission set</strong>.</li> <li>On the <strong>Specify policies and permissions boundary</strong> page, choose <strong>Inline policy</strong>.</li> <li>For <strong>Inline policy</strong>, paste the following sample policy document and then choose <strong>Next</strong>. This policy allows users to retrieve the value of only those secrets that have resource tags that match the required user attributes (<span>department</span> and <span>AppID</span> in our example). <div class="hide-language"> <pre><code class="lang-text">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAllSecrets",
      "Effect": "Allow",
      "Action": ["secretsmanager:ListSecrets"],
      "Resource": "*"
    },
    {
      "Sid": "AuthorizetoGetSecretValue",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/department": "${aws:PrincipalTag/department}",
          "secretsmanager:ResourceTag/AppID": "${aws:PrincipalTag/AppID}"
        }
      }
    }
  ]
}</code></pre> </div> </li>
<li>Configure the session duration, and optionally provide a description and tags for the permission set.</li> <li>Review and create the permission set.</li> </ol> <h3>Step 5b: Assign permission set to users in IAM Identity Center</h3> <p>Now that you have created a permission set with an ABAC policy, complete the configuration by assigning the permission set to users to grant them access to secrets in one or more accounts in your organization.</p> <h4>To assign a permission set (console)</h4> <ol> <li>Open the <strong>IAM Identity Center</strong> console and navigate to <strong>Multi-account permissions</strong>.</li> <li>Choose <strong>AWS accounts</strong> and select one or more accounts to which you want to assign access.</li> <li>Choose <strong>Assign users or groups</strong>.</li> <li>On the <strong>Assign users and groups</strong> page, select the users, groups, or both to which you want to assign access. For this example, I select both Arnav and Ana.</li> <li>On the <strong>Assign permission sets</strong> page, select the permission set that you created in the previous section.</li> <li>Review your changes, as shown in Figure 5, and then select <strong>Submit</strong>.</li> </ol> <div id="attachment_29151" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29151" src="https://www.infracom.com.sg/wp-content/uploads/2023/04/img5-3.png" alt="Figure 5: Sample permission set assignment" width="760" class="size-full wp-image-29151" /> <p id="caption-attachment-29151" class="wp-caption-text">Figure 5: Sample permission set assignment</p> </div> <h3>Step 6: Define guardrails to enforce access using ABAC</h3> <p>To restrict your workforce users' access to secrets to ABAC only, and to help prevent unauthorized access, you can define guardrails. 
In this section, I will show you some sample <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html" target="_blank" rel="noopener">service control policies (SCPs)</a> that you can use in your organization.</p> <blockquote> <p><strong>Note</strong>: Before you use these sample SCPs, you should carefully review, customize, and test them for your unique requirements. For additional instructions on how to attach an SCP, see <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html" target="_blank" rel="noopener">Attaching and detaching service control policies</a>.</p> </blockquote> <h3>Guardrail 1 – Enforce ABAC to access secrets</h3> <p>The following sample SCP requires the use of ABAC to access secrets in Secrets Manager. In this example, users and secrets must have matching values for the attributes <span>department</span> and <span>AppID</span>. Access is denied if those attributes don't exist or if they don't have matching values. Also, this example SCP allows only the admin role to access secrets without matching tags. Replace <span>ADMIN_ROLE_ARN</span> with the ARN of your admin role.</p> <div class="hide-language"> <pre><code class="lang-text">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccesstoSecretsWithoutABACTag",
      "Effect": "Deny",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "secretsmanager:ResourceTag/department": "${aws:PrincipalTag/department}",
          "secretsmanager:ResourceTag/AppID": "${aws:PrincipalTag/AppID}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "ADMIN_ROLE_ARN"
        }
      }
    }
  ]
}</code></pre> </div>
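Step 3 places the custom attribute in the SAML assertion, and the permission set in Step 5a and the SCP above read it back as aws:PrincipalTag/AppID. The following added example (mine, not code from the post, Okta, or AWS) parses a constructed assertion fragment and extracts the attributes that IAM Identity Center treats as access-control attributes, using the https://aws.amazon.com/SAML/Attributes/AccessControl: attribute-name prefix that IAM Identity Center documents for this purpose. The principal_tags helper that merges a SCIM-synchronized department attribute with the SAML-delivered AppID is a simplified model of the two attribute sources in this post, not a description of Identity Center's precedence rules.

```python
import xml.etree.ElementTree as ET

# IAM Identity Center treats a SAML attribute as an access-control attribute when its
# Name carries this prefix; the text after the colon becomes the session tag key.
ACCESS_CONTROL_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not captured from Okta): the custom AppID attribute
# from Step 3 plus an ordinary attribute that must not turn into a session tag.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:AppID"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Alpha</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>arnav.desai@example.net</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def access_control_tags(assertion_xml):
    """Return {tag_key: value} for each AccessControl attribute in the assertion.

    A session tag is one key with one value, so an attribute that carries zero or
    several values, or a key that appears twice, is rejected instead of guessed at.
    """
    root = ET.fromstring(assertion_xml)
    tags = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if not name.startswith(ACCESS_CONTROL_PREFIX):
            continue  # e.g. email: delivered to Identity Center, but not a session tag
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        if len(values) != 1:
            raise ValueError(f"{name} must carry exactly one value, got {len(values)}")
        key = name[len(ACCESS_CONTROL_PREFIX):]
        if key in tags:
            raise ValueError(f"session tag key {key!r} appears more than once")
        tags[key] = values[0]
    return tags


def principal_tags(scim_attributes, assertion_xml, enabled_keys):
    """Simplified model (an assumption, not Identity Center's documented precedence
    rules) of the two attribute sources in this post: keys enabled under
    'Attributes for access control' come from the SCIM-synchronized profile, and
    AccessControl attributes in the SAML assertion are added on top."""
    tags = {k: v for k, v in scim_attributes.items() if k in enabled_keys}
    tags.update(access_control_tags(assertion_xml))
    return tags


if __name__ == "__main__":
    # Arnav's SCIM profile (constructed) combined with the assertion above.
    print(principal_tags({"department": "Digital", "title": "Engineer"},
                         SAMPLE_ASSERTION, {"department"}))
```

The resulting dictionary is exactly what the policies compare against: its keys must match the tag keys used in `secretsmanager:ResourceTag/...` conditions character for character, which is why the tagging guidance earlier in this post insists on consistent key case.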


Guardrail 2 – Enforce tagging on secret creation

The following sample SCP denies the creation of new secrets that don't carry the required tag key-value pairs. In this example, the SCP denies creating a new secret if the tag keys department and AppID are absent. It also denies the request if the value of the tag department is not Digital and the value of the tag AppID is neither Alpha nor Beta. As in the previous example, this SCP allows only the admin role to create secrets without matching tags. Replace ADMIN_ROLE_ARN with the ARN of your admin role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreatingResourcesWithoutRequiredTag",
      "Effect": "Deny",
      "Action": ["secretsmanager:CreateSecret"],
      "Resource": ["arn:aws:secretsmanager:*:*:secret:*"],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/department": ["Digital"],
          "aws:RequestTag/AppID": ["Alpha", "Beta"]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "ADMIN_ROLE_ARN"
        }
      }
    }
  ]
}
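Guardrail 2 rejects new secrets that arrive without the required tags, but secrets that existed before the SCP was attached still need the manual check from Step 4. The following added example (mine, not code from the post or AWS) runs that check over a constructed list shaped like the SecretList entries that ListSecrets returns, flagging missing keys, keys that differ only in case (which the tagging guidance above calls out), and values outside the allowed set.

```python
# Tag keys and allowed values the ABAC policies in this post compare against.
REQUIRED_TAGS = {"department": {"Digital"}, "AppID": {"Alpha", "Beta"}}

# Constructed sample (not real data) in the shape of the SecretList entries that
# secretsmanager:ListSecrets returns; only Name and Tags are used here.
SAMPLE_SECRETS = [
    {"Name": "RDS_Master_Secret_AppAlpha",
     "Tags": [{"Key": "department", "Value": "Digital"}, {"Key": "AppID", "Value": "Alpha"}]},
    {"Name": "RDS_Master_Secret_AppBeta",
     "Tags": [{"Key": "department", "Value": "Digital"}, {"Key": "AppID", "Value": "Beta"}]},
    {"Name": "Legacy_Secret_NoTags", "Tags": []},
    {"Name": "Analytics_Secret",
     "Tags": [{"Key": "Department", "Value": "Digital"}, {"Key": "AppID", "Value": "Gamma"}]},
]


def audit_secret_tags(secrets, required=REQUIRED_TAGS):
    """Return {secret name: [finding, ...]} for every secret whose tags would not
    satisfy the ABAC match (missing key, key in the wrong case, disallowed value).
    Secrets with no findings are omitted, so an empty dict means all secrets pass."""
    findings = {}
    for secret in secrets:
        tags = {t["Key"]: t["Value"] for t in secret.get("Tags", [])}
        by_lower = {k.lower(): k for k in tags}
        problems = []
        for key, allowed in required.items():
            if key in tags:
                if tags[key] not in allowed:
                    problems.append(f"{key}={tags[key]!r} is not one of {sorted(allowed)}")
            elif key.lower() in by_lower:
                # Present, but not in the case that the principal tag and policy use.
                problems.append(f"tag key {by_lower[key.lower()]!r} differs in case from {key!r}")
            else:
                problems.append(f"missing tag key {key!r}")
        if problems:
            findings[secret["Name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_secret_tags(SAMPLE_SECRETS).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

With boto3, pass in the concatenated SecretList pages from the `list_secrets` paginator; each finding points at a secret that the Step 5a permission set will silently refuse to return, which is easier to diagnose here than from an AccessDeniedException at the application.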

Guardrail 3 – Restrict deletion of ABAC tags

The following sample SCP denies the ability to delete the tags used for ABAC. In this example, once the tags department and AppID are attached to a secret, only the admin role can delete them. Replace ADMIN_ROLE_ARN with the ARN of your admin role.

Guardrail 4 – Restrict modification of ABAC tags

The following sample SCP denies the ability to modify the tags required for ABAC after they are attached to a secret. In this example, once the tags department and AppID are attached to a secret, only the admin role can modify them. Replace ADMIN_ROLE_ARN with the ARN of your admin role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyModifyingABACTags",
      "Effect": "Deny",
      "Action": ["secretsmanager:TagResource"],
      "Resource": ["arn:aws:secretsmanager:*:*:secret:*"],
      "Condition": {
        "Null": {
          "aws:ResourceTag/department": "false",
          "aws:ResourceTag/AppID": "false"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "ADMIN_ROLE_ARN"
        }
      }
    }
  ]
}
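To see how the Step 5a permission set and the guardrails above combine for the users in this post, the following added example (mine, not code from the post or AWS) is a deliberately small model of IAM policy evaluation: an explicit deny wins, then an explicit allow, otherwise the request is implicitly denied, with only the condition operators these policies use. The admin role ARN, the secret ARNs and the two extra identity policies are constructed; the SCP statements are the ones above, condensed (Version and Sid omitted), and Guardrail 3 is left out because its policy document is missing from this copy of the page.

```python
"""Simplified model of IAM evaluation for the ABAC permission set and the SCP guardrails.
Not AWS code: it implements only StringEquals, StringNotEquals(IfExists), ArnNotLike and
Null, with keys inside an operator ANDed and a key's value list ORed, as IAM does."""
import fnmatch
import re

ADMIN_ROLE_ARN = "arn:aws:iam::111122223333:role/SecretsAdmin"          # constructed placeholder
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:{}"  # constructed
VARIABLE = re.compile(r"\$\{([^}]+)\}")
ABAC_MATCH = {"secretsmanager:ResourceTag/department": "${aws:PrincipalTag/department}",
              "secretsmanager:ResourceTag/AppID": "${aws:PrincipalTag/AppID}"}
NOT_ADMIN = {"aws:PrincipalArn": ADMIN_ROLE_ARN}
SECRET_OPS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]

# Policies from the post, condensed; ADMIN_ROLE_ARN stands in for the placeholder.
PERMISSION_SET = {"Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:ListSecrets"], "Resource": "*"},
    {"Effect": "Allow", "Action": SECRET_OPS, "Resource": "*",
     "Condition": {"StringEquals": ABAC_MATCH}}]}
GUARDRAIL_1 = {"Statement": [{"Effect": "Deny", "Action": SECRET_OPS, "Resource": "*",
    "Condition": {"StringNotEqualsIfExists": ABAC_MATCH, "ArnNotLike": NOT_ADMIN}}]}
GUARDRAIL_2 = {"Statement": [{"Effect": "Deny", "Action": ["secretsmanager:CreateSecret"],
    "Resource": ["arn:aws:secretsmanager:*:*:secret:*"],
    "Condition": {"StringNotEquals": {"aws:RequestTag/department": ["Digital"],
                                      "aws:RequestTag/AppID": ["Alpha", "Beta"]},
                  "ArnNotLike": NOT_ADMIN}}]}
GUARDRAIL_4 = {"Statement": [{"Effect": "Deny", "Action": ["secretsmanager:TagResource"],
    "Resource": ["arn:aws:secretsmanager:*:*:secret:*"],
    "Condition": {"Null": {"aws:ResourceTag/department": "false", "aws:ResourceTag/AppID": "false"},
                  "ArnNotLike": NOT_ADMIN}}]}
SCPS = [GUARDRAIL_1, GUARDRAIL_2, GUARDRAIL_4]
# Constructed identity policies for the admin role and for a deployment role.
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
DEPLOY_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["secretsmanager:CreateSecret", "secretsmanager:TagResource"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    """Expand a ${key} policy variable; an unresolvable variable yields None."""
    match = VARIABLE.fullmatch(value)
    return ctx.get(match.group(1)) if match else value


def condition_matches(condition, ctx):
    for op, pairs in condition.items():
        base, if_exists = (op[:-8], True) if op.endswith("IfExists") else (op, False)
        negated = base.startswith(("StringNot", "ArnNot"))
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if base == "Null":                 # "true" = key absent, "false" = key present
                if (actual is None) != (wanted[0] == "true"):
                    return False
                continue
            if actual is None:                 # absent key: IfExists and negated operators pass
                if if_exists or negated:
                    continue
                return False
            resolved = [_resolve(w, ctx) for w in wanted]
            if base in ("StringEquals", "StringNotEquals"):
                hit = actual in resolved
            elif base in ("ArnLike", "ArnNotLike"):
                hit = any(r is not None and fnmatch.fnmatchcase(actual, r) for r in resolved)
            else:
                raise ValueError(f"operator {op} is not modelled")
            if hit == negated:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Explicit deny wins, then explicit allow, else implicit deny."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                    and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                    and condition_matches(stmt.get("Condition", {}), ctx)):
                if stmt["Effect"] == "Deny":
                    return "deny"
                decision = "allow"
    return decision


def decide(principal_arn, principal_tags, action, secret_name,
           resource_tags=None, request_tags=None, identity_policy=PERMISSION_SET):
    """Build the request context as the post describes it (principal tags from the
    session, resource tags from the secret, request tags on CreateSecret) and
    evaluate the identity policy together with the SCP deny statements."""
    ctx = {"aws:PrincipalArn": principal_arn}
    ctx.update({f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()})
    for k, v in (resource_tags or {}).items():
        ctx[f"secretsmanager:ResourceTag/{k}"] = ctx[f"aws:ResourceTag/{k}"] = v
    ctx.update({f"aws:RequestTag/{k}": v for k, v in (request_tags or {}).items()})
    return evaluate([identity_policy] + SCPS, action, SECRET_ARN.format(secret_name), ctx)


if __name__ == "__main__":
    arnav = {"department": "Digital", "AppID": "Alpha"}
    user = "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_SecretsManagerABACTest_0123/arnav"
    for name, tags in [("RDS_Master_Secret_AppAlpha", {"department": "Digital", "AppID": "Alpha"}),
                       ("RDS_Master_Secret_AppBeta", {"department": "Digital", "AppID": "Beta"})]:
        print(name, decide(user, arnav, "secretsmanager:GetSecretValue", name, tags))
```

Two things the model makes visible that the prose does not: because the keys inside one StringNotEqualsIfExists block are ANDed, the Guardrail 1 deny fires only when both department and AppID mismatch, so Arnav's request for the AppBeta secret ends as an implicit deny from the permission set rather than an explicit deny from the SCP (one Deny statement per tag key would make the SCP itself reject any single mismatch); and an unresolvable `${aws:PrincipalTag/...}` variable, as for a principal with no session tags, behaves as a mismatch, which is what keeps the untagged-principal case denied. The model ignores SCP Allow statements, resource policies and permissions boundaries.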

Test the solution

In this section, you will test the solution by using the Secrets Manager console to retrieve a secret. Your attempt to retrieve the secret value succeeds only when the required resource and principal tags are present and have matching values (AppID and department in our example).

Test scenario 1: Retrieve and view the value of an authorized secret

In this test, you will verify that you can successfully retrieve the value of a secret that belongs to your application.

To test the scenario

  1. Sign in to IAM Identity Center with your external IdP user. For this example, I sign in as Arnav.
  2. In the IAM Identity Center portal, choose the target account.
  3. From the list of available roles, find the permission set that you created in Step 5a, and then choose Management console, as shown in Figure 6. For this example, I choose the SecretsManagerABACTest permission set.

    Figure 6: Sample IAM Identity Center portal

  4. Open the Secrets Manager console and choose a secret that belongs to your application. For this example, I choose RDS_Master_Secret_AppAlpha. As shown in Figure 7, the ABAC policy allows the user to describe the secret, because the AppID and department tags are present on both the secret and the signed-in user.

    Figure 7: Sample secret described successfully

  5. In the Secret value section, choose Retrieve secret value. The ABAC policy allows the user to retrieve the secret value because the resource tags AppID and department match the values of the corresponding user attributes (in other words, the principal tags).

    Figure 8: Sample secret value retrieved successfully

Test scenario 2: Retrieve and view the value of an unauthorized secret

In this test, you will verify that you cannot retrieve the value of a secret that belongs to another application.

To test the scenario

  1. Repeat steps 1 through 3 from test scenario 1.
  2. Open the Secrets Manager console and choose a secret that belongs to another application. For this example, I choose RDS_Master_Secret_AppBeta. As shown in Figure 9, the ABAC policy denies access to describe the secret because the value of the resource tag AppID differs from the value of the corresponding user attribute (principal tag).

    Figure 9: Sample error when describing an unauthorized secret


In this post, you learned how to use IAM Identity Center configured with an external IdP to build scalable policies that simplify access management for Secrets Manager. You also learned the basics of implementing an ABAC strategy using attributes, how to govern the resource tags used for ABAC, and how to set up guardrails that enforce access to secrets through ABAC. To learn more about ABAC and Secrets Manager, see Attribute-Based Access Control (ABAC) for AWS and the Secrets Manager documentation.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on AWS Secrets Manager re:Post.

Want more AWS Security news? Follow us on Twitter.
