by flurie 1960 days ago
ABAC is ideally much more than just scoping small sets of policy to tags. I think the problem of trying to shoehorn ABAC into AWS's IAM system, even with something implementing proper ABAC on top of it, is that you run the risk of hitting limits on role policy attachments (hard limit of 20!). There is probably a way to juggle user function across different roles, though then there's a risk of exhausting roles or still not being able to shoehorn a minimally viable policy for some function based on fine-grained attributes.
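An added example (mine, not from this comment or from AWS) of the tag-matching flavour of ABAC the comment contrasts with per-function role policies: a single managed policy whose `StringEquals` condition compares `aws:ResourceTag` keys to the caller's `aws:PrincipalTag` values, so new projects are onboarded by tagging rather than by attaching more policies to the role. The condition keys and policy-variable syntax are real IAM features; the evaluator is a constructed, simplified stand-in for IAM's own evaluation, and the tag names are assumptions.

```python
"""Added example: one tag-matching IAM policy instead of per-project
attachments, with a minimal local evaluator for its condition."""
import re

# Constructed ABAC policy (tag names are assumptions). Access depends on the
# resource's tags matching the principal's, so the role needs one attachment.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SameProjectAccess",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/project": "${aws:PrincipalTag/project}",
            "aws:ResourceTag/env": "${aws:PrincipalTag/env}",
        }},
    }],
}

_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/key} policy variables (simplified)."""
    return _VAR.sub(lambda m: principal_tags.get(m.group(1), ""), value)


def is_allowed(policy, action, principal_tags, resource_tags):
    """Simplified evaluator: Allow statements with StringEquals conditions on
    aws:ResourceTag/* keys only. A missing principal or resource tag makes the
    condition false, i.e. the check fails closed, as IAM does."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        matched = True
        for key, expected in cond.items():
            if not key.startswith("aws:ResourceTag/"):
                matched = False  # unsupported key in this toy evaluator
                break
            tag = key[len("aws:ResourceTag/"):]
            want = _resolve(expected, principal_tags)
            if want == "" or resource_tags.get(tag) != want:
                matched = False
                break
        if matched:
            return True
    return False
```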