Home
Documentation
Modernisation Platform User Guide
Resource restrictions based on ABAC

Resource restrictions based on ABAC

Problem

The instance-management role is used to provide teams with a limited-access entrypoint into AWS accounts. For example, an application may want to provide support staff with a way to manage instances without having wider permissions. This works well in single-application situations such as our standard offering to customers (one account per application environment).

However, in shared environments (such as our core-shared-services account) offering this role to multiple teams means that they will all have permissions across the account, granting them the ability to take actions on other resources provisioned for other teams.

Feature description

Using Attribute Based Access Control on the Modernisation Platform allows the ability restrict access to resources based on the github team currently this is only implemented on the instance managment role and restricted to the core-shared-services account it will allow users to create ec2 instances for there team that only that team can control.

Where is the code

The code for this is located in the Modernisation platform repository here. If you look at the code you will see that we are using a double negative condition to do the restriction and also restricting based on aws:AccountPrincipal that leave room to expand this out to other accounts if we need to. As you can see from the example below this is the code we used to implement Using Attribute Based Access Control on the Modernisation Platform.

statement {
    sid    = "ABACEc2Deny"
    effect = "Deny"
    actions = [
      "*"
    ]
    resources = ["*"]
    condition {
      test = "ForAnyValue:StringNotLike"
      variable = "aws:PrincipalTag/github_team"

      values = [
         "*:$${aws:ResourceTag/Owner}:*",
          "$${aws:ResourceTag/Owner}:*",
          "*:$${aws:ResourceTag/Owner}"
        ]
      }
    condition {
      test = "Null"
      variable = "aws:ResourceTag/Owner"
      values = [
        "False"
      ]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"

      values = [
        local.environment_management.account_ids["core-shared-services-production"]
      ]
    }

How do I use this feature

To take advantage of this feature, a PR will need to be raised on the modernisation platform repository to grant your team access to the instance management role on the core shared services account by amending the following file core-shared-services-environment and add in your sso_group_name see example below. As this is only affecting the core-shared-services account existing uses of the instance management role will not be affected by the ABAC resource restrictions.

{
  "account-type": "core",
  "environments": [
    {
      "name": "production",
      "access": [
        {
          "sso_group_name": "modernisation-platform",
          "level": "instance-management"
        }
      ]
    }
  ],
  "tags": {
    "application": "modernisation-platform",
    "business-unit": "Platforms",
    "infrastructure-support": "modernisation-platform@digital.justice.gov.uk",
    "owner": "Modernisation Platform: modernisation-platform@digital.justice.gov.uk"
  },
  "github-oidc-team-repositories": [""]
}

References

Below are links to AWS documentation that talk about ABAC implementation.

Configure AWS IAM Identity Center ABAC

Last reviewed: 17 February 2026Review status: ✓ Up to dateOwner: #modernisation-platformSource: View source on GitHub

Was this page useful?