Module5: ABAC in AWS

This tutorial shows how to create and test a policy that allows IAM roles with principal tags to access resources with matching tags. When a principal makes a request to AWS, their permissions are granted based on whether the principal and resource tags match. This strategy allows individuals to view or edit only the AWS resources required for their jobs.


Assume that you’re a lead developer at a large company named Example Corporation, and you’re an experienced IAM administrator. You’re familiar with creating and managing IAM users, roles, and policies. You want to ensure that your development engineers and quality assurance team members can access the resources they need. You also need a strategy that scales as your company grows.

Your Engineering and Quality Assurance team members are on either the Pegasus or Unicorn project. You choose the following 3-character project and team tag values:

access-project = peg for the Pegasus project

access-project = uni for the Unicorn project

access-team = eng for the Engineering team

access-team = qas for the Quality Assurance team

In this tutorial, you will tag each resource, tag your project roles, and add policies to the roles to allow the behavior previously described. The resulting policy allows the roles Create, Read, Update, and Delete access to resources that are tagged with the same project and team tags. The policy also allows cross-project Read access for resources that are tagged with the same team.