Enable and configure attributes for access control - AWS IAM Identity Center

Enable and configure attributes for access control

In every case, to use ABAC you must first enable it using the IAM Identity Center console or the IAM Identity Center API. If you choose to have IAM Identity Center select the attributes, you configure them on the Attributes for access control page in the IAM Identity Center console or through the IAM Identity Center API. If you use an external identity provider (IdP) as your identity source and choose to send attributes in the SAML assertions, you configure your IdP to pass those attributes. If a SAML assertion passes any of the attributes that are configured in IAM Identity Center, IAM Identity Center replaces the attribute value with the value from the IAM Identity Center identity store. Only attributes configured in IAM Identity Center are sent for access control decisions when users federate into their accounts.

Note

You cannot view attributes configured and sent by an external IdP from the Attributes for access control page in the IAM Identity Center console. If you are passing access control attributes in the SAML assertions from your external IdP, then those attributes are directly sent to the AWS account when users federate in. The attributes won’t be available in IAM Identity Center for mapping.
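The following is an added example, not AWS code, that models the two rules stated above and in the Note: an attribute configured in IAM Identity Center is always sourced from the identity store (a SAML value for the same key is discarded), while an access-control attribute that arrives only in the SAML assertion passes straight through to the account. It also builds the parameter shape used by the real `sso-admin` API action `CreateInstanceAccessControlAttributeConfiguration` (the `InstanceArn`, `AccessControlAttributes`, `Key`, `Value`, `Source` fields and the `${path:...}` source syntax are real; the instance ARN, attribute keys, user values and the dictionary-keyed identity store lookup are constructed sample data and a simplification, not how the service stores users).

```python
"""Simplified model of IAM Identity Center ABAC attribute precedence.

Added example (not AWS code). It shows the request body for the real
CreateInstanceAccessControlAttributeConfiguration API action and a
function that applies the precedence rules the documentation describes.
"""
from typing import Any, Dict

# Real SAML attribute-name prefix that IAM Identity Center interprets as an
# access control attribute; the key follows the colon.
SAML_ABAC_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"


def build_attribute_configuration(instance_arn: str,
                                  mapping: Dict[str, str]) -> Dict[str, Any]:
    """Return the parameters for
    sso-admin CreateInstanceAccessControlAttributeConfiguration.

    mapping: {attribute key: identity-store source path},
             e.g. {"Department": "${path:enterprise.department}"}.
    """
    return {
        "InstanceArn": instance_arn,
        "InstanceAccessControlAttributeConfiguration": {
            "AccessControlAttributes": [
                {"Key": key, "Value": {"Source": [source]}}
                for key, source in mapping.items()
            ]
        },
    }


def resolve_access_control_attributes(
    configured: Dict[str, str],
    identity_store_user: Dict[str, str],
    saml_attributes: Dict[str, str],
) -> Dict[str, str]:
    """Compute which attributes reach the AWS account for an ABAC decision.

    configured:          keys enabled in IAM Identity Center -> source path.
    identity_store_user: constructed stand-in for the identity store; the
                         user's values keyed by the same source path strings
                         (an assumption made for this example).
    saml_attributes:     raw attribute names/values from the IdP assertion.
    """
    sent: Dict[str, str] = {}

    # Rule 1: every configured attribute is sent, and its value always comes
    # from the identity store.
    for key, path in configured.items():
        if path in identity_store_user:
            sent[key] = identity_store_user[path]

    # Rule 2: SAML access-control attributes pass through to the account,
    # except that a key configured in IAM Identity Center keeps the
    # identity-store value and the SAML value is discarded.
    for name, value in saml_attributes.items():
        if not name.startswith(SAML_ABAC_PREFIX):
            continue  # ordinary SAML attribute, not used for ABAC
        key = name[len(SAML_ABAC_PREFIX):]
        if key in configured:
            continue  # replaced by the identity-store value set above
        sent[key] = value
    return sent


if __name__ == "__main__":
    # Constructed sample data: one attribute configured in IAM Identity Center,
    # a user record, and a SAML assertion that tries to override it.
    configured = {"Department": "${path:enterprise.department}"}
    user = {"${path:enterprise.department}": "Finance"}
    assertion = {
        SAML_ABAC_PREFIX + "Department": "Engineering",  # discarded
        SAML_ABAC_PREFIX + "CostCenter": "1234",         # passes through
        "email": "user@example.com",                      # not an ABAC attribute
    }
    print(build_attribute_configuration(
        "arn:aws:sso:::instance/ssoins-EXAMPLE", configured))
    print(resolve_access_control_attributes(configured, user, assertion))
```

The first function's return value is what you would pass, unchanged, as the keyword arguments of a `boto3` `sso-admin` client's `create_instance_access_control_attribute_configuration` call; the second function is only a model for reasoning about which value an IAM policy condition will actually see.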