Create permission policies for ABAC in IAM Identity Center
You can create permissions policies that determine who can access your AWS resources based on the configured attribute value. When you enable ABAC and specify attributes, IAM Identity Center passes the attribute value of the authenticated user into IAM for use in policy evaluation.
aws:PrincipalTag condition key
You can use access control attributes in your permission sets with the aws:PrincipalTag condition key to create access control rules. For example, in the following policy you can tag all the resources in your organization with their respective cost centers and use a single permission set that grants developers access to the resources of their own cost center. Whenever developers federate into the account through single sign-on, their cost center attribute is passed into the session, so they get access only to the resources tagged with their cost center. As the team adds more developers and resources to the project, you only have to tag the new resources with the correct cost center; the cost center attribute is passed in the AWS session automatically when developers federate into AWS accounts. As a result, as the organization adds new resources and developers to a cost center, developers can manage the resources aligned to their cost center without any permission updates.
For more information, see aws:PrincipalTag and EC2: Start or stop instances based on matching principal and resource tags in the IAM User Guide.
If policies contain invalid attributes in their conditions, then the policy condition will fail and access will be denied. For more information, see Error 'An unexpected error has occurred' when a user tries to sign in using an external identity provider.
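The following is an added example, not code from the AWS documentation: a constructed permission-set policy using the aws:PrincipalTag pattern described above (CostCenter is an illustrative tag key, and the EC2 actions mirror the IAM User Guide example referenced above), together with a small evaluator that reproduces just enough of IAM's semantics to show the two outcomes the page describes: access is allowed when the principal's CostCenter session attribute matches the resource tag, and denied both on a mismatch and when the referenced attribute is missing from the session, because the `${aws:PrincipalTag/CostCenter}` variable cannot be resolved and the condition fails closed. The evaluator is a simplification (Allow statements, exact action match, StringEquals on ec2:ResourceTag keys only) and is not AWS's policy engine.

```python
"""Simplified ABAC policy evaluation for the aws:PrincipalTag pattern.

Added example, not AWS's own code or evaluator. The policy document below is
constructed for illustration: it lets a principal start or stop only the EC2
instances whose CostCenter tag equals the principal's own CostCenter attribute
(passed as a session tag by IAM Identity Center). Only the subset of IAM
semantics needed here is implemented: Allow statements, exact action match,
and StringEquals on ec2:ResourceTag/* with ${aws:PrincipalTag/*} variables.
A missing principal attribute leaves the variable unresolved, so the
condition fails closed and the request is denied (implicit deny).
"""
import json
import re

# Constructed permission-set policy. Tag keys and values are illustrative.
COST_CENTER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnCostCenterInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
        }
      }
    }
  ]
}
""")

# Matches policy variables of the form ${aws:PrincipalTag/Key}.
_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/Key}; return None if any key is missing."""
    missing = False

    def sub(match):
        nonlocal missing
        tag = principal_tags.get(match.group(1))
        if tag is None:
            missing = True
            return ""
        return tag

    resolved = _VAR.sub(sub, value)
    return None if missing else resolved


def condition_matches(condition, principal_tags, resource_tags):
    """Evaluate a StringEquals block over ec2:ResourceTag/* keys."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            return False  # unsupported key in this toy evaluator: fail closed
        tag_key = key[len("ec2:ResourceTag/"):]
        want = resolve(expected, principal_tags)
        if want is None or resource_tags.get(tag_key) != want:
            return False
    return True


def is_allowed(policy, action, principal_tags, resource_tags):
    """True only if some Allow statement matches the action and its condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False  # no matching Allow: implicit deny


if __name__ == "__main__":
    # Constructed session attributes and resource tags.
    dev = {"CostCenter": "1234"}
    own_instance = {"CostCenter": "1234"}
    other_instance = {"CostCenter": "5678"}
    print(is_allowed(COST_CENTER_POLICY, "ec2:StopInstances", dev, own_instance))    # True
    print(is_allowed(COST_CENTER_POLICY, "ec2:StopInstances", dev, other_instance))  # False
    print(is_allowed(COST_CENTER_POLICY, "ec2:StopInstances", {}, own_instance))     # False
```

Running the block shows the three cases in order: matching cost center allowed, different cost center denied, and a session with no CostCenter attribute denied even though the resource is tagged, which is the failure mode the sign-in error note above refers to.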