In our organization we use corporate identities to log into the AWS console using SAML. The users are authenticated by our internal IdP, which generates a SAML assertion and posts it to the console sign-in URL. The user is then presented with an AWS page where they need to select the role that they want to log into the console with. I am exploring whether there is a way to inject session policies at the time of this role assumption so that the effective permissions available to the users can be reduced.
Is there a way session policies can be injected into the SAML assertion itself? If yes, what is the attribute name? I could not find it in the AWS documentation.
If it can’t be added to the assertion is there another way to do it?
I reviewed the AWS documentation and it doesn't seem to have any details with regard to this. An AWS blog just says:
“A session policy is an inline permissions policy which users pass in the session when they assume the role. You can pass the policy yourself, or you can configure your broker to insert the policy when your identities federate in to AWS (if you have an identity broker configured in your environment). This allows your administrators to reduce the number of roles they need to create, since multiple users can assume the same role yet have unique session permissions.”
without providing any details around how to do it.
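As an added illustration of the identity-broker path the quoted blog refers to (example code written for this page, not from the question, the blog, or AWS): the broker itself calls the STS AssumeRoleWithSAML API and passes the per-user session policy in the `Policy` parameter, which is how the session permissions end up narrower than the role's. The STS client below is a constructed fake so the example runs offline, the ARNs and the SAML assertion are hypothetical placeholders, and `effective_allow` is a deliberately simplified model of the "session policy intersects the role's permissions" rule that ignores explicit Deny, Resource and Condition matching, permissions boundaries and SCPs. With boto3 installed, `boto3.client("sts")` can be passed in place of the fake, since the keyword arguments match the real API.

```python
import base64
import fnmatch
import json

# Constructed sample inputs (hypothetical ARNs and a placeholder assertion).
ROLE_ARN = "arn:aws:iam::123456789012:role/CorpReaders"
PRINCIPAL_ARN = "arn:aws:iam::123456789012:saml-provider/CorpIdP"
SAML_ASSERTION_B64 = base64.b64encode(
    b"<samlp:Response>constructed placeholder, not a real assertion</samlp:Response>"
).decode()


def build_policy(allowed_actions, resources=("*",)):
    """Return an Allow-only IAM policy document as a JSON string.

    Used here both for the role's identity-based policy and for the
    per-user session policy the broker passes in the Policy parameter.
    """
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(allowed_actions),
            "Resource": list(resources),
        }],
    })


def assume_role_with_session_policy(sts, role_arn, principal_arn,
                                    saml_assertion_b64, session_policy_json,
                                    duration_seconds=3600):
    """Broker step: exchange the IdP's assertion for scoped-down credentials.

    Keyword arguments are those of the real STS AssumeRoleWithSAML API.
    Policy carries the inline session policy (managed policies can also be
    attached via PolicyArns). STS enforces a packed-size limit on the
    session policy, so keep it compact.
    """
    return sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=saml_assertion_b64,
        Policy=session_policy_json,
        DurationSeconds=duration_seconds,
    )


class FakeSTS:
    """Constructed stand-in for boto3's STS client: records the call and
    returns dummy credentials so the example runs offline."""

    def __init__(self):
        self.calls = []

    def assume_role_with_saml(self, **kwargs):
        self.calls.append(kwargs)
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
                "SecretAccessKey": "constructed",
                "SessionToken": "constructed",
            },
            "PackedPolicySize": 10,
        }


def _allows(policy_json, action):
    """True if any Allow statement matches the action (IAM action names are
    case-insensitive and support '*' wildcards)."""
    for statement in json.loads(policy_json)["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            return True
    return False


def effective_allow(role_policy_json, session_policy_json, action):
    """Simplified session-policy rule: the effective permission is the
    intersection of the role's identity-based policy and the session policy,
    so a session policy can narrow the role but never widen it. Ignores
    explicit Deny, Resource/Condition matching, boundaries and SCPs."""
    return _allows(role_policy_json, action) and _allows(session_policy_json, action)


if __name__ == "__main__":
    role_policy = build_policy(["s3:*", "ec2:Describe*"])
    session_policy = build_policy(["s3:GetObject", "s3:ListBucket"])
    sts = FakeSTS()
    resp = assume_role_with_session_policy(sts, ROLE_ARN, PRINCIPAL_ARN,
                                           SAML_ASSERTION_B64, session_policy)
    print("credentials issued:", "Credentials" in resp)
    for action in ("s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"):
        print(action, "->", effective_allow(role_policy, session_policy, action))
```

The point the model makes explicit is that the session policy only ever subtracts: a user whose session policy lists `iam:*` still gets nothing from a role that only allows S3 and EC2 describe calls, so the broker can hand out one role with many different session policies without risking escalation beyond what the role itself permits.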