We’re excited today to announce Britive’s support for attribute-based access control (ABAC), a new integration with AWS. This new integration will enable mutual customers of Britive and AWS to achieve ABAC for secure authentication and authorization to multiple AWS accounts. This new capability builds on Britive’s previously announced support for role-based access control (RBAC), and significantly simplifies and expands the ability of Britive customers to implement fine-grained authorization of users at scale in AWS environments.
One of the most fundamental challenges to securing the identity-defined perimeter is the ability to easily manage and secure the cloud identity lifecycle – from the quick onboarding of new employees and contractors, through the maintenance of Least Privilege Access (LPA) and Zero Standing Privileges (ZSP) for those users while they are working in the cloud, to the complete removal of accounts and access when terminated employees and contractors leave the organization. The new ABAC capabilities help Britive customer strengthen their secure permissioning for distributed teams, while reducing the costs associated with managing their AWS deployments.
On the AWS blog, the functionality of the new ABAC features was outlined in detail:
Using user attributes as tags in AWS helps you simplify the process of creating fine-grained permissions in AWS and ensures that your workforce gets access only to the AWS resources with matching tags. For example, you can assign developers Bob and Sally from two different teams to the same permission set in AWS SSO, and then select the team name attribute for access control. When Bob and Sally sign in to their AWS accounts, AWS SSO sends their team name attributes in the AWS session, so Bob and Sally can access AWS project resources only if their team name attribute matches the tag value of the project resource. If Bob moves to Sally’s team in the future, you can modify his access by simply updating his team name attribute in the corporate directory. When Bob signs in next time, he will automatically get access to the project resources of his new team without requiring any permissions updates in AWS.
This approach helps in reducing the number of distinct permissions you need to create and manage AWS access control as users associated with the same permission sets can now have unique permissions based on their attributes—an effective way to shrink the attack surface potentially exposed through permissioning in AWS.
With Britive’s dynamic Just-in-Time (JIT) provisioning integrated into the process, AWS users will be able to further reduce their exposure. The benefits of ABAC are immediate and wide-ranging:
Now solutions using ABAC can change and grow teams quickly
Permissions for new resources are automatically granted based on attributes when resources are appropriately tagged upon creation.
Track who is accessing resources
Security administrators can easily determine the identity of a session by looking at the user attributes in AWS CloudTrail to track user activity in AWS.
Use employee attributes from your corporate directory with ABAC
You can use existing employee attributes from any identity source configured in AWS expanding on the controls of AWS Service Control Policies to make access control decisions in AWS at a more granular layer.
Ready to learn more about Britive’s dynamic permissioning capabilities and how our platform integrates with AWS? Please check out our video on DevOps automation, or go ahead and request a demo and we’ll start a direct conversation.