AWS Attribute-Based Access Control (ABAC) With Tags

Yani, published in InfoSec Write-ups, Aug 30, 2022 (5 min read)

Attribute-based access control (ABAC) is an authorization strategy for managing access and permissions to AWS resources. Tags are custom attribute labels that you or AWS assign to AWS resources. Each tag consists of two parts, a tag key and a tag value, and both are case sensitive. Tags can be used to categorize resources by owner, environment or other criteria. They also enable conditional access to AWS resources through ABAC policies that combine different attributes.

This blog post shows you how to use tags to restrict access to secrets in AWS Secrets Manager and how to limit users to tagging and untagging secrets with allowed keys only. Hopefully you will come away with a better understanding of how to use tags to extend authorization to any AWS resource in the ABAC model.

Scenario

There are 3 secrets in AWS Secrets Manager. As an experienced IAM administrator, you want to restrict IAM users to accessing only their own secrets in Secrets Manager, and you want IAM users to be able to add or delete only the “date” tag on their secrets. To achieve this, you decide to use an ABAC policy that allows IAM users with principal tags to access secrets with matching tags.

ABAC Implementation

You start in AWS Secrets Manager and attach tags to these three secrets. awsseclabsec and awsseclabsec-1 are associated with project peg and team eng.

These three secrets with the attached tags are listed as below:

One IAM user named awsSecLab is in team eng, which owns project peg, so he needs access to the awsseclabsec and awsseclabsec-1 secrets. You therefore attach the following tags to the IAM user:

Now it is time to create the ABAC policy. To learn which tagging condition keys you can use in a policy with each service’s actions and resources, see Actions, Resources, and Condition Keys for AWS Services, and navigate to the AWS Secrets Manager section for the details.

To ensure that IAM user awsSecLab follows the secret access rule you laid down, you attach the following policy to the IAM user.

When crafting the Condition part of the policy, you find that for some actions, such as DescribeSecret, the Condition keys column lists both secretsmanager:ResourceTag/tag-key and aws:ResourceTag/${TagKey}. You might be confused by the difference between these two condition keys, and the AWS explanation of each of them is vague. In practice, they turn out to be interchangeable as long as both are supported by AWS for the specified action.

The aws:TagKeys condition key, by contrast, only applies to three actions: CreateSecret, TagResource and UntagResource. It has no effect on other actions such as the DescribeSecret action mentioned above.

Validate ABAC Strategy

After applying the aforementioned policy to IAM user awsSecLab, you let the user try it out.

Test 1 — try to access three secrets in Secrets Manager

First, the IAM user accesses his own secrets, awsseclabsec and awsseclabsec-1. Everything works fine, as both secrets carry the matching tags (project=peg and team=eng) required for the DescribeSecret action.

But when he tries to access appseclab, the attempt fails because its tags do not match.

The error message “You don’t have permission to describe secrets in Secrets Manager. You don’t have permission to view secret details. Contact your administrator to obtain DescribeSecret access.” shows up in the secret’s console page.

Test 2 — try to change tags for awsseclabsec and awsseclabsec-1

The IAM user wants to remove the owner tag from awsseclabsec, but the update fails because the policy only allows TagResource/UntagResource when every tag key in the request is in the aws:TagKeys list: “project”, “team”, “date”.

He then navigates to awsseclabsec-1 and attempts to add a “date” tag to the secret. The operation succeeds because it satisfies the permission policy.
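The policy from the ABAC Implementation section and the two validation tests above, as a runnable model added here (not the author’s own policy, whose JSON was only shown as an image): the policy document is a reconstruction from the text, the user and secret names and the peg/eng tags follow the scenario, and the tags on appseclab are assumed because the post only says they do not match.

```python
# Assumed reconstruction of the post's policy (the original was only shown as an
# image): statement 1 lets the caller read secrets whose project/team tags match the
# caller's principal tags; statement 2 lets the caller tag/untag those same secrets,
# but only with the keys project, team and date.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnSecrets", "Effect": "Allow", "Resource": "*",
         "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
         "Condition": {"StringEquals": {
             "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}",
             "secretsmanager:ResourceTag/team": "${aws:PrincipalTag/team}"}}},
        {"Sid": "TagOwnSecretsAllowedKeysOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["secretsmanager:TagResource", "secretsmanager:UntagResource"],
         "Condition": {"StringEquals": {
             "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}",
             "secretsmanager:ResourceTag/team": "${aws:PrincipalTag/team}"},
             "ForAllValues:StringEquals": {"aws:TagKeys": ["project", "team", "date"]}}},
    ],
}

def _matches(cond, principal_tags, resource_tags, tag_keys):
    """Evaluate the two IAM condition operators the policy above uses."""
    for key, value in cond.get("StringEquals", {}).items():
        # Substitute ${aws:PrincipalTag/x}; an unset principal tag makes the condition false.
        if value.startswith("${aws:PrincipalTag/"):
            value = principal_tags.get(value[len("${aws:PrincipalTag/"):-1])
        if value is None or resource_tags.get(key.split("/", 1)[1]) != value:
            return False
    allowed = cond.get("ForAllValues:StringEquals", {}).get("aws:TagKeys")
    # ForAllValues: every tag key in the request must be in the allowed list (vacuously true if none).
    return allowed is None or all(k in allowed for k in tag_keys)

def is_allowed(action, principal_tags, resource_tags, tag_keys=()):
    """Default deny: True only if an Allow statement's action and conditions both match."""
    return any(action in st["Action"]
               and _matches(st["Condition"], principal_tags, resource_tags, tag_keys)
               for st in POLICY["Statement"])

# Constructed scenario data following the post: IAM user awsSecLab and the three secrets.
AWS_SEC_LAB = {"project": "peg", "team": "eng"}
SECRETS = {
    "awsseclabsec": {"project": "peg", "team": "eng", "owner": "example-owner"},
    "awsseclabsec-1": {"project": "peg", "team": "eng"},
    "appseclab": {"project": "app", "team": "sec"},  # tags assumed; the post only says they differ
}

if __name__ == "__main__":
    for name, tags in SECRETS.items():
        print(name, "DescribeSecret allowed:", is_allowed("secretsmanager:DescribeSecret", AWS_SEC_LAB, tags))
```

The model only covers Allow statements and the two operators used here; a real evaluation also applies explicit Deny statements and any SCPs or permission boundaries in the account.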

Summary

Now you’ve learned how to use tags to implement ABAC. You enforced the ABAC strategy on your principal and resources. If you think this blog post is helpful, please click the clap 👏 button below a few times to show your support!


Focusing on Security for Web Application, AWS and Kubernetes, etc. | CKA&CKS, AWS Security & ML Specialty | https://www.linkedin.com/in/yani-dong-041a1b120/