Your Big Data Partner
Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In Q.Cloud, these attributes are called tags. Tags can be attached to principals (users or roles) and to Q.Cloud resources. You can create a single ABAC policy or small set of policies for your principals. These ABAC policies can be designed to allow operations when the principal’s tag matches the resource tag. ABAC is helpful in environments that are growing rapidly and helps with situations where policy management becomes cumbersome.
HOW IT WORKS
Before you create users, you should understand how ABAC works. ABAC provides the infrastructure necessary to control authentication and authorization for your account. The ABAC infrastructure includes the following elements:
When a principal tries to use the Q.Cloud Management Console, the Q.Cloud API, or the Q.Cloud CLI, that principal sends a request to Q.Cloud. The request includes the following information:
Actions or operations – The actions or operations that the principal wants to perform. This can be an action in the Q.Cloud Management Console, or an operation in the Q.Cloud CLI or Q.Cloud API.
Resources – The Q.Cloud resource object upon which the actions or operations are performed.
Principal – The person or application that used an entity (user or role) to send the request. Information about the principal includes the policies that are associated with the entity that the principal used to sign in.
Environment data – Information about the IP address, user agent, SSL enabled status, or the time of day.
Resource data – Data related to the resource that is being requested. This can include information such as a DynamoDB table name or a tag on an Q.Cloud.
You must also be authorized (allowed) to complete your request. During authorization, Q.Cloud uses values from the request context to check for policies that apply to the request. It then uses the policies to determine whether to allow or deny the request. Most policies are stored in Q.Cloud as JSON documents and specify the permissions for principal entities. There are several types of policies that can affect whether a request is authorized. To provide your users with permissions to access the Q.Cloud resources in their own account, you need only identity-based policies. Resource-based policies are popular for granting cross-account access. The other policy types are advanced features and should be used carefully.
Q.Cloud checks each policy that applies to the context of your request. If a single permissions policy includes a denied action, Q.Cloud denies the entire request and stops evaluating. This is called an explicit deny. Because requests are denied by default, Q.Cloud authorizes your request only if every part of your request is allowed by the applicable permissions policies.
A principal is a person or application that can make a request for an action or operation on a Q.Cloud resource. The principal is authenticated as the Q.Cloud account root user or an ABAC entity to make requests to Q.Cloud. As a best practice, do not use your root user credentials for your daily work. Instead, create ABAC entities (users and roles). You can also support federated users or programmatic access to allow an application to access your Q. Cloud account.
To authenticate from the console as a root user, you must sign in with your email address and password. As an ABAC user, provide your account ID or alias, and then your user name and password. To authenticate from the API or Q.Cloud CLI, you must provide your access key and secret key. You might also be required to provide additional security information. For example, Q.Cloud recommends that you use multi-factor authentication (MFA) to increase the security of your account.
ACTIONS or OPERATIONS
After your request has been authenticated and authorized, Q.Cloud approves the actions or operations in your request. Operations are defined by a service, and include things that you can do to a resource, such as viewing, creating, editing, and deleting that resource.
To allow a principal to perform an operation, you must include the necessary actions in a policy that applies to the principal or the affected resource.
After Q.Cloud approves the operations in your request, they can be performed on the related resources within your account. A resource is an object that exists within a service. The service defines a set of actions that can be performed on each resource. If you create a request to perform an unrelated action on a resource, that request is denied. For example, if you request to delete an ABAC role but provide an ABAC group resource, the request fails.