Posted On: Nov 25, 2019

Earlier today, Amazon Identity and Access Management (IAM) enabled you to use your employees’ existing identity attributes, such as cost center and department, from your directory to create fine-grained permissions in Amazon Web Services. Your administrators can use these employee attributes in Amazon Web Services to implement attribute-based access control (ABAC) for Amazon Web Services resources and simplify permissions management at scale in the Amazon Web Services China (Beijing) Region, Operated by Sinnet, and in the Amazon Web Services China (Ningxia) Region, Operated by NWCD.

One way to grant your employees access to Amazon Web Services resources is through identity federation. You can use a standards-compliant identity provider (IdP) to manage federated access for employee identities stored in your corporate directory. Customers told us they want to use identity attributes from their directory to simplify the administrator and end-user experience of managing access for federated users. With this launch, your administrators can configure your IdP to send employee attributes in the Amazon Web Services session when employees federate into Amazon Web Services. Using these attributes as tags in Amazon Web Services, you can simplify the creation of fine-grained permissions so that employees get access only to the Amazon Web Services resources whose tags match. This reduces the number of distinct permissions you need to create and manage in your Amazon Web Services account. For example, when developers Bob from team red and Sally from team blue federate into Amazon Web Services and assume the same IAM role, each can access only the project resources tagged for their own team. This works because the IdP sends the team name attribute in the Amazon Web Services session when Bob and Sally federate into Amazon Web Services, and the role’s permissions grant access only to project resources with a matching team name tag. If Bob later moves to team blue and you update his team name in your directory, Bob automatically gets access to team blue’s project resources without any permissions update in IAM.
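The following CloudFormation template is an added example, not code from the announcement or from Amazon Web Services, showing the two pieces that make the Bob-and-Sally scenario above work: a trust policy that lets the SAML IdP assume one shared role and pass session tags (the `sts:TagSession` action), and a permissions policy whose condition compares each EC2 instance’s `team` tag against the `team` value carried in the session (`${aws:PrincipalTag/team}`). The account ID `123456789012`, the SAML provider name `CorpIdP`, the tag key `team`, the `aws-cn` partition ARNs and the `signin.amazonaws.cn` audience are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example, not part of the original announcement. One IAM role shared
  by all federated developers; the "team" session tag sent by the IdP decides
  which project instances a given session may operate on. Account ID, SAML
  provider name, partition and tag key are assumptions.
Resources:
  FederatedDeveloperRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: FederatedDeveloper
      # Trust policy: the IdP may assume this role AND tag the session.
      # Without sts:TagSession, an assertion carrying PrincipalTag
      # attributes is rejected at federation time.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: arn:aws-cn:iam::123456789012:saml-provider/CorpIdP
            Action:
              - sts:AssumeRoleWithSAML
              - sts:TagSession
            Condition:
              StringEquals:
                # Assumed sign-in audience for the China regions.
                SAML:aud: https://signin.amazonaws.cn/saml
      Policies:
        - PolicyName: TeamScopedProjectAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Operate only on instances whose "team" tag equals the "team"
              # session tag. If the session carries no "team" tag, the
              # condition key is absent, StringEquals evaluates false and
              # the statement grants nothing.
              - Sid: ManageOwnTeamInstances
                Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                  - ec2:RebootInstances
                Resource: arn:aws-cn:ec2:*:123456789012:instance/*
                Condition:
                  StringEquals:
                    aws:ResourceTag/team: "${aws:PrincipalTag/team}"
              # DescribeInstances has no resource-level scoping in EC2, so
              # listing is allowed unconditionally.
              - Sid: ListInstances
                Effect: Allow
                Action: ec2:DescribeInstances
                Resource: "*"
              # Tag-based access is only as trustworthy as the tags. Deny
              # changes to the "team" tag so a session cannot re-tag an
              # instance into its own team.
              - Sid: DenyTeamTagTampering
                Effect: Deny
                Action:
                  - ec2:CreateTags
                  - ec2:DeleteTags
                Resource: arn:aws-cn:ec2:*:123456789012:instance/*
                Condition:
                  ForAnyValue:StringEquals:
                    aws:TagKeys: team
```

On the IdP side, the `team` value is sent as a SAML attribute named `https://aws.amazon.com/SAML/Attributes/PrincipalTag:team`; once the role is assumed it is visible to policies as `aws:PrincipalTag/team`. The explicit Deny on `ec2:CreateTags`/`ec2:DeleteTags` for the `team` key is the check a practitioner should not skip: whoever can edit resource tags can otherwise widen their own access, so tag mutation rights belong with a separate administrative role, and CloudTrail events for those two actions are worth alerting on.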

Amazon identity partners Ping Identity, OneLogin, Auth0, ForgeRock, IBM, and RSA have certified the end-to-end experience for this new capability with their identity solutions, and we look forward to additional partners certifying this capability. Please reach out to your standards-compliant identity provider for guidance. To learn more about how to connect your corporate identities to permissions rules in Amazon Web Services, see the IAM documentation on identity providers and federation.