PitchHut
control-tags
Streamline AWS security with efficient ABAC integrity management.
Pitch

Introducing a scalable integrity framework for Attribute-Based Access Control (ABAC) on AWS. This project enhances management and oversight through centralized tagging integrity, multi-party approval for sensitive actions, and AWS SSO integration. While still in early development, it aims to empower organizations to maintain tight control over access in a secure cloud environment.

Description

Control Tags is a robust and scalable integrity framework designed for implementing Attribute-Based Access Control (ABAC) on AWS. This innovative solution allows users to manage tagging integrity through a centralized and hierarchical approach, ensuring compliance and security in multi-party environments.

Key Features

  • Centralized Management: Tagging integrity for ABAC on AWS is managed from one place, covering both sensitive resources and sensitive actions.
  • Multi-Party Approval: Sensitive actions (guarded actions) and sensitive resources (resource seals) require approval from another party before they can proceed.
  • AWS SSO Integration: Integrates with AWS Single Sign-On so that access can be managed per permission set within an organization.

Demo

Bucket Deletion Approval

Example Usage

The Control Tags module is consumed from a Terraform configuration. Below is an example of how to instantiate it:

module "control_tags" {
  source = "../../control-tags/terraform/control-tags"

  well_known_tag_keys = ["team", "env", "info/*"]

  deployment_targets = {
    organizational_unit_ids = [aws_organizations_organizational_unit.control_tags_goverened.id]
    account_ids             = []
  }

  sso_mirror_spec = {
    "${aws_ssoadmin_permission_set.admin.arn}" = {
      grant_area_suffix = "admin"
    }
  }
  emit_scp_sids = "long"

  lambda_archive_file = "../../control-tags/target/lambda/retention-lambda/bootstrap.zip"

  guarded_action_spec = {
    "s3" = {
      actions = ["s3:DeleteBucket"]
      deployment_targets = {
        organizational_unit_ids = [aws_organizations_organizational_unit.control_tags_goverened.id]
      }
    }
  }
}
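As an added illustration, not code from the project, of what a guarded action and tag-key integrity look like when written directly as a service control policy on the same OU: the "approval-ticket" principal tag and the admin role ARN pattern are assumptions, and the module's generated SCPs may differ.

```hcl
# Added illustration of one guarded action plus tag-key integrity as an SCP.
# Not the policy the module emits; the "approval-ticket" principal tag and the
# admin role ARN pattern are assumptions.
resource "aws_organizations_policy" "guarded_actions_example" {
  name = "control-tags-example"
  type = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Guarded action: s3:DeleteBucket is denied unless the calling
        # session carries an approval-ticket tag (Null = "true" means absent).
        Sid      = "GuardS3DeleteBucket"
        Effect   = "Deny"
        Action   = ["s3:DeleteBucket"]
        Resource = "*"
        Condition = {
          Null = { "aws:PrincipalTag/approval-ticket" = "true" }
        }
      },
      {
        # Tag integrity: the well-known ABAC keys (team, env, info/*) cannot
        # be added, changed or removed on roles or sessions, except by the
        # admin permission-set role (assumed name pattern).
        Sid      = "ProtectWellKnownTagKeys"
        Effect   = "Deny"
        Action   = ["iam:TagRole", "iam:UntagRole", "sts:TagSession"]
        Resource = "*"
        Condition = {
          "ForAnyValue:StringLike" = { "aws:TagKeys" = ["team", "env", "info/*"] }
          ArnNotLike = {
            "aws:PrincipalArn" = "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_admin_*"
          }
        }
      }
    ]
  })
}

# Attach to the same OU the module above deploys to.
resource "aws_organizations_policy_attachment" "guarded_actions_example" {
  policy_id = aws_organizations_policy.guarded_actions_example.id
  target_id = aws_organizations_organizational_unit.control_tags_goverened.id
}
```

Because SCPs only bound what member-account principals may do, the approval tag must still be granted by a trusted path (here, the approval workflow) and never by the principals it governs; the second statement is what keeps them from tagging themselves.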

Command Line Interface (CLI) Usage

The tagctl command-line tool manages approval tickets. The essential commands are:

Display Help

tagctl -h

Get Approval Ticket

tagctl ticket get

Set Approval Ticket

tagctl ticket set bob

Unset Approval Ticket

tagctl ticket unset

Note

This project is in early development. Users are advised to exercise caution when employing this framework in production environments, as breaking changes are expected.

Control Tags provides an essential solution for organizations looking to enhance their access management in the cloud while maintaining robust security and compliance standards. With its innovative features and seamless integration, Control Tags is the ideal choice for modern enterprises aiming to streamline their AWS environments.