AWS IAM glossary

What is Attribute-Based Access Control (ABAC)?

ABAC is an authorization model where access is granted based on tags (attributes) on principals and resources rather than on static lists of resource ARNs.

In AWS, ABAC uses tag condition keys such as aws:PrincipalTag/key, aws:ResourceTag/key, and aws:RequestTag/key. A single policy can state that a principal may act on any resource whose tag value matches the principal's own tag value, so the policy keeps working as new resources are created without being rewritten.

ABAC reduces policy sprawl, but it depends entirely on tag hygiene. If users can set their own tags, or tags are applied inconsistently, the model can grant unintended access, so tag governance and conditions such as aws:TagKeys (which limits the tag keys a request may set) matter.

Example

{
  "Condition": {
    "StringEquals": { "aws:ResourceTag/team": "${aws:PrincipalTag/team}" }
  }
}

Common mistake

Adopting ABAC without controlling who can set tags. If a principal can change its own tags or a resource's tags, it can widen its own access.
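To make the two points above concrete, here is an added example (not Shieldly's code) that evaluates the condition from this entry and a constructed tag-governance guard against a request context; the evaluator models only StringEquals and ForAllValues:StringEquals, and the tag values are constructed.

```python
import re

# Build a constructed request context using the real condition-key names:
# aws:PrincipalTag/<k>, aws:ResourceTag/<k>, aws:RequestTag/<k> and aws:TagKeys.
def build_context(principal_tags, resource_tags, request_tags):
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    ctx["aws:TagKeys"] = sorted(request_tags)  # list-valued key
    return ctx

VAR = re.compile(r"\$\{([^}]+)\}")

def resolve(value, ctx):
    """Expand ${aws:PrincipalTag/team}-style variables; None if any variable is unset."""
    unresolved = [v for v in VAR.findall(value) if v not in ctx]
    return None if unresolved else VAR.sub(lambda m: ctx[m.group(1)], value)

def condition_matches(condition, ctx):
    """Simplified evaluator: an unset key or unresolved variable fails StringEquals."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else list(expected)
            expected = [resolve(e, ctx) for e in expected]
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # every requested tag key must be in the allowed set; no keys passes
                if any(a not in expected for a in (actual or [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True

# The condition from the example above: act only on resources in the caller's team.
ABAC = {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}

# Constructed guard for a tagging action: only resources already in the caller's
# team, only the "team" key, and only to the caller's own team value.
TAG_GUARD = {
    "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}",
                     "aws:RequestTag/team": "${aws:PrincipalTag/team}"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["team"]},
}

def can_access(principal_tags, resource_tags):
    return condition_matches(ABAC, build_context(principal_tags, resource_tags, {}))

def can_retag(principal_tags, resource_tags, request_tags):
    return condition_matches(TAG_GUARD, build_context(principal_tags, resource_tags, request_tags))
```

Without the guard, a principal in team blue could retag a team red resource to blue and then pass the ABAC condition; with the guard, that retag request is denied because aws:ResourceTag/team does not match.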
