This repository contains Infrastructure as Code (IaC) for implementing an Attribute-Based Access Control (ABAC) system in AWS using Okta as a SAML 2.0 identity provider. Okta passes each user's attributes (team and environment) to AWS as session tags in the SAML assertion, and the IAM policies grant access only to resources whose tags match those session tags, so authorization is decided per resource without writing a separate policy for every team.
- AWS Account with administrative access
- Okta Administrator access
- Terraform >= 1.0.0
- AWS CLI configured with appropriate credentials
- Git
The system implements:
- SAML 2.0 federation with Okta
- Attribute-based access control using AWS tags
- Team-based resource segregation
- Environment-based access control (dev/staging/prod)
- S3 bucket and EC2 instance management
- Clone the repository:

```shell
git clone https://github.com/YOUR-USERNAME/aws-okta-abac.git
cd aws-okta-abac
```
- Configure Okta (prerequisites):
  - Log into your Okta Admin Console
  - Navigate to Applications > Applications > Create App Integration
  - Select SAML 2.0 as the sign-in method
  - Download the IdP metadata XML file (it carries the Okta signing certificate AWS uses to verify assertions)
  - Save it as `okta-metadata.xml` in the project root
- Update configuration:
  - Create a `terraform.tfvars` file:

```hcl
aws_region     = "us-west-2"    # Your preferred region
aws_account_id = "123456789012" # Your AWS account ID
okta_org_id    = "your-okta-org-id"
```
- Initialize and apply Terraform (review the plan, in particular the IAM trust policies, before applying):

```shell
terraform init
terraform plan
terraform apply
```
- Create the AWS app in Okta:
  - Use the `okta-app-config.json` file as a reference
  - Set the ACS URL to: https://signin.aws.amazon.com/saml
  - Configure SAML attribute statements:
    - Role: `https://aws.amazon.com/SAML/Attributes/Role`, whose value is a comma-separated pair of the IAM role ARN and the SAML provider ARN created by Terraform
    - RoleSessionName: `https://aws.amazon.com/SAML/Attributes/RoleSessionName` (typically the user's email, so CloudTrail records who held the session)
    - Team: `https://aws.amazon.com/SAML/Attributes/PrincipalTag:Team`, mapped to the custom Okta profile attribute holding the user's team
    - Environment: `https://aws.amazon.com/SAML/Attributes/PrincipalTag:Environment`, mapped to the corresponding custom attribute
  - AWS only turns a SAML attribute into a session tag when its name uses the `PrincipalTag:` namespace; an attribute named plainly `Team` is not visible to `aws:PrincipalTag/Team` conditions and the ABAC policy would never match. The role's trust policy must also allow `sts:TagSession` alongside `sts:AssumeRoleWithSAML`, or AWS rejects assertions that carry session tags.
- Configure group assignments:
  - Create groups in Okta matching your teams
  - Assign users to appropriate groups
  - Map groups to AWS roles in the app configuration. Group membership decides which role ARN pair the `Role` attribute carries; the `Team` and `Environment` attributes decide what that role may touch, so the two mappings must agree.
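The AWS side of the steps above, as an added example rather than the repository's own `main.tf`: it registers the Okta metadata as a SAML provider and creates one ABAC role whose trust policy lets Okta-issued sessions carry the `Team` and `Environment` session tags and rejects sessions that arrive without them. The resource and output names (`aws_iam_saml_provider.okta`, `aws_iam_role.abac`, `okta_role_attribute_value`) are assumptions for illustration.

```hcl
# Added example, not the repository's own code. Assumed names:
# aws_iam_saml_provider.okta, aws_iam_role.abac, file okta-metadata.xml.

resource "aws_iam_saml_provider" "okta" {
  name                   = "okta"
  saml_metadata_document = file("${path.module}/okta-metadata.xml")
}

# Trust policy: who may assume the ABAC role and with which session tags.
data "aws_iam_policy_document" "okta_trust" {
  statement {
    # sts:TagSession is required; without it AWS rejects assertions that
    # carry PrincipalTag attributes.
    actions = ["sts:AssumeRoleWithSAML", "sts:TagSession"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.okta.arn]
    }

    # Audience AWS expects from an assertion aimed at the console ACS URL.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }

    # Refuse sessions that do not carry the tags the ABAC policy matches on:
    # such a session would be authorized against nothing, which is a
    # misconfiguration better surfaced at login than as silent denials.
    condition {
      test     = "StringLike"
      variable = "aws:RequestTag/Team"
      values   = ["*"]
    }
    # Environment is restricted to the values resources are tagged with.
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/Environment"
      values   = ["dev", "staging", "prod"]
    }
  }
}

resource "aws_iam_role" "abac" {
  name               = "okta-abac"
  assume_role_policy = data.aws_iam_policy_document.okta_trust.json
  # Upper bound for the SAML SessionDuration attribute Okta may send.
  max_session_duration = 3600
}

# Value to paste into the Okta "Role" attribute statement.
output "okta_role_attribute_value" {
  value = "${aws_iam_role.abac.arn},${aws_iam_saml_provider.okta.arn}"
}
```

After `terraform apply`, copy the `okta_role_attribute_value` output into the Okta app's `Role` attribute. The `aws:RequestTag` conditions act on the tags presented at `AssumeRoleWithSAML` time, so a user whose Okta profile lacks a team value is refused at the federation step rather than being issued a session that can do nothing.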
The system creates:
- S3 buckets:
  - One bucket per team/environment
  - Tagged with the `Team` and `Environment` values the ABAC policy matches on
- EC2 instances:
  - Sample instances for each environment
  - Tagged with `Team` and `Environment` attributes
- IAM resources:
  - A SAML identity provider entry for Okta, and the roles that trust it
  - ABAC roles whose policies compare resource tags with the caller's session tags
  - Team-specific roles with appropriate permissions
- Tag management:
  - Tag values are the authorization boundary in ABAC: anyone who can set `Team` or `Environment` on a resource can move it into another team's scope, so tagging rights belong to the IaC pipeline, not to the federated roles
  - Implement tag validation (values must match the Okta attribute values exactly; `StringEquals` comparisons in IAM are case-sensitive)
  - Regular tag audit procedures
  - Automated tag compliance checking
- Access reviews:
  - Regular role and permission reviews
  - Session duration monitoring
  - Access pattern analysis
- Best practices:
  - Enable AWS CloudTrail (the `AssumeRoleWithSAML` events record which role and which session tags each login received)
  - Implement AWS Organizations
  - Use AWS KMS for encryption
  - Regular security assessments
- Add the new team to the `teams` local in `main.tf`:

```hcl
locals {
  teams = ["development", "production", "staging", "new-team"]
}
```

- Create the corresponding Okta group and attribute mapping. The Okta `Team` attribute value must equal the tag value exactly, including case, or the ABAC condition will not match.
- Update the ABAC role policy in `main.tf` if the new team needs actions the existing policy does not grant (a team that only needs the existing actions needs no policy change, since the policy matches on tags rather than listing teams):

```hcl
inline_policy {
  name = "abac-resource-access"
  policy = jsonencode({
    # Add or modify permissions here
  })
}
```
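A filled-in version of the policy that placeholder stands for, as an added example rather than the repository's `main.tf`: it attaches the ABAC permissions to a role assumed to be named `aws_iam_role.abac` through a separate `aws_iam_role_policy` resource instead of an `inline_policy` block, and adds the deny statement that keeps federated users from re-tagging resources. The `local.teams` list is the one from the section above; every other name is an illustrative assumption. The tag-matched statement is limited to EC2 actions, which support `aws:ResourceTag`; check the AWS list of services that work with IAM before relying on the same condition key for S3 bucket operations.

```hcl
# Added example, not the repository's own code. Assumes aws_iam_role.abac
# exists (the role Okta users assume); the other names are illustrative.

locals {
  teams = ["development", "production", "staging", "new-team"]
}

data "aws_iam_policy_document" "abac_resource_access" {
  # Describe* calls carry no resource-level permissions, so they cannot be
  # scoped by tag; grant them in their own statement and keep them read-only.
  statement {
    sid       = "DescribeWithoutTags"
    actions   = ["ec2:DescribeInstances", "ec2:DescribeTags"]
    resources = ["*"]
  }

  # The ABAC rule: allow only when the resource's Team and Environment tags
  # equal the caller's session tags. "$${...}" escapes Terraform interpolation
  # so the IAM policy variable "${aws:PrincipalTag/Team}" is emitted literally.
  statement {
    sid       = "TagMatchedInstanceAccess"
    actions   = ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Team"
      values   = ["$${aws:PrincipalTag/Team}"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Environment"
      values   = ["$${aws:PrincipalTag/Environment}"]
    }
  }

  # Whoever can rewrite these two tags can move any instance into their own
  # team's scope, so the federated role is denied that outright; the tags are
  # set only by Terraform.
  statement {
    sid       = "DenyAbacTagChanges"
    effect    = "Deny"
    actions   = ["ec2:CreateTags", "ec2:DeleteTags"]
    resources = ["*"]
    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "aws:TagKeys"
      values   = ["Team", "Environment"]
    }
  }
}

resource "aws_iam_role_policy" "abac_resource_access" {
  name   = "abac-resource-access"
  role   = aws_iam_role.abac.id
  policy = data.aws_iam_policy_document.abac_resource_access.json
}

# Plan-time guard (Terraform >= 1.5): team names must be usable as exact
# tag values, so keep them lower-case and free of spaces.
check "team_names" {
  assert {
    condition     = alltrue([for t in local.teams : can(regex("^[a-z0-9-]+$", t))])
    error_message = "Team names must be lower-case alphanumerics/hyphens so they match session tag values exactly."
  }
}
```

Note that `local.teams` never appears in the policy: that is the point of ABAC. Adding a team changes which resources get tagged and which Okta group exists, not the policy document, and the `check` block only catches names that could never match a session tag.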
Common issues and solutions:
- SAML authentication failures:
  - Verify the metadata file is current (an Okta signing certificate rotation invalidates the old metadata)
  - Check the role ARN mappings: the `Role` attribute value must name the exact role ARN and SAML provider ARN that exist in AWS
  - Validate group assignments: a user not assigned to the app, or to a group without a role mapping, gets no `Role` attribute
- Access denied errors:
  - Verify the resource tags match the user's attributes exactly (same keys, same values, same case)
  - Check the role trust relationship: it must allow `sts:TagSession`, and the assertion must carry the `PrincipalTag:` attributes, or the session has no tags to match
  - Validate the ABAC policy conditions; if the error carries an encoded authorization message, `aws sts decode-authorization-message` shows which condition failed
- Resource creation failures:
  - Verify AWS credentials
  - Check resource naming conflicts (S3 bucket names are global)
  - Validate region settings
Regular maintenance tasks:
- Update Terraform providers:

```shell
terraform init -upgrade
```

- Rotate SAML certificates:
  - Download the new metadata from Okta and save it over `okta-metadata.xml`
  - Re-apply so Terraform updates the AWS SAML provider, and do this before the old certificate is retired in Okta, otherwise assertions fail signature verification until AWS has the new certificate
- Audit and clean up (a plan with no changes confirms that nothing has been modified outside Terraform):

```shell
terraform plan
terraform apply
```
To contribute:
- Fork the repository
- Create a feature branch
- Submit a pull request
MIT License - See LICENSE file for details
For issues:
- Check the troubleshooting guide
- Open a GitHub issue
- Contact your AWS/Okta support teams
- 1.0.0: Initial release
  - Basic ABAC implementation
  - Okta SAML integration
  - Resource management