ABAC helps enterprises simplify fine-grained access to AWS resources by using attributes from their corporate directories in permissions rules.

When an employee federates into AWS from a standards-compliant identity provider (IdP) such as PingFederate or PingOne for Enterprise, the administrator can include attributes such as cost center, job title, and email address in the AWS session. These attributes function as session tags and can be matched to tags on AWS resources to control the employee's access to those resources during the AWS session.

For example, an employee with job title “Systems Engineer” and cost center “Stratford” could be granted write access to an Amazon EC2 table that is also tagged with cost center “Stratford.”

You can configure PingFederate or PingOne for Enterprise to send attributes in AWS sessions when your users federate into AWS. Then, you can implement a policy in AWS that evaluates the attributes from PingFederate or PingOne for Enterprise to control access to AWS resources.
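The following added example (not from Ping Identity or AWS) models the flow described above: it reads session tags from a constructed SAML attribute statement and applies a tag-matching condition written in IAM policy syntax. The tag keys `CostCenter` and `JobTitle` are assumed names, and `condition_matches` is a simplified local model for reasoning about a policy, not the AWS policy evaluation engine.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# AWS reads SAML attributes with this name prefix as session tags.
TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"

# Constructed sample: the attribute statement an IdP might send for the
# "Systems Engineer" / "Stratford" employee (signature and envelope omitted).
ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:CostCenter">
    <saml:AttributeValue>Stratford</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:JobTitle">
    <saml:AttributeValue>Systems Engineer</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

# Illustrative ABAC condition in IAM policy syntax: the resource's CostCenter
# tag must equal the session's CostCenter tag. Tag key names are assumptions.
CONDITION = {"StringEquals": {"aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"}}

def session_tags(xml_text):
    """Extract PrincipalTag attributes from an attribute statement."""
    tags = {}
    for attr in ET.fromstring(xml_text).iterfind("saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        value = attr.find("saml:AttributeValue", SAML_NS)
        if name.startswith(TAG_PREFIX) and value is not None:
            tags[name[len(TAG_PREFIX):]] = (value.text or "").strip()
    return tags

def condition_matches(condition, principal_tags, resource_tags):
    """Local model of the StringEquals check; a missing tag never matches."""
    for key, template in condition["StringEquals"].items():
        actual = resource_tags.get(key.split("/", 1)[1])
        var = re.fullmatch(r"\$\{aws:PrincipalTag/(.+)\}", template)
        expected = principal_tags.get(var.group(1)) if var else template
        # Values compare case-sensitively; an untagged resource or a session
        # without the tag is treated as no match, so access is not granted.
        if actual is None or expected is None or actual != expected:
            return False
    return True

if __name__ == "__main__":
    tags = session_tags(ASSERTION)
    print(tags)
    print(condition_matches(CONDITION, tags, {"CostCenter": "Stratford"}))
```

Running the same check against an untagged resource, or a session that arrived without the `CostCenter` attribute, shows why both the IdP attribute mapping and resource tagging have to be in place before the policy grants anything.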

For more information, see the following:

To use AWS session tags for ABAC, complete the steps in one or more of the following topics.