An AWS data perimeter is a preventive security tactic: a set of guardrails that helps ensure only trusted identities and trusted resources can access your data and services, and only from expected networks. A data perimeter significantly reduces the attack surface.

  • Trusted identities – Principals (IAM roles or users) within your AWS accounts, or AWS services that are acting on your behalf
  • Trusted resources – Resources that are owned by your AWS accounts, or by AWS services that are acting on your behalf
  • Expected networks – Your on-premises data centers and virtual private clouds (VPCs), or networks of AWS services that are acting on your behalf

There are three places where the rules are enforced:

  • Service control policies (SCPs), available through AWS Organizations
  • Resource-based policies
  • VPC endpoint policies

A sample resource-based policy that can be attached to an S3 bucket is shown below. It denies all S3 actions unless the principal belongs to the expected organization, belongs to one of the trusted third-party accounts, or is an AWS service (such as CloudTrail) acting on your behalf. All keys in the Condition block must match for the Deny to apply, and the IfExists operators treat a missing key as a match, so a request with no organization or account context (for example an anonymous request) is still denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceIdentityPerimeter",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<EXAMPLE-BUCKET>",
        "arn:aws:s3:::<EXAMPLE-BUCKET>/*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "<MY-ORG-ID>",
          "aws:PrincipalAccount": [
            "<THIRD-PARTY-ACCOUNT-A>",
            "<THIRD-PARTY-ACCOUNT-B>"
          ]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}

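To make the evaluation semantics of that statement concrete, the following is an added Python example (not part of the original post and not AWS code) that models how IAM evaluates the Deny condition: every key in the Condition block must match, and the IfExists variants match when the key is absent from the request context. The organization and account IDs are placeholders and the request contexts are constructed.

```python
# Placeholders standing in for <MY-ORG-ID> and the trusted third-party account IDs.
MY_ORG_ID = "o-exampleorgid"
TRUSTED_ACCOUNTS = ["111111111111", "222222222222"]

# The Condition block of the EnforceIdentityPerimeter Deny statement shown above.
CONDITION = {
    "StringNotEqualsIfExists": {
        "aws:PrincipalOrgID": [MY_ORG_ID],
        "aws:PrincipalAccount": TRUSTED_ACCOUNTS,
    },
    "BoolIfExists": {"aws:PrincipalIsAWSService": ["false"]},
}

def key_matches(operator, values, actual):
    """Evaluate one condition key; actual=None means the key is absent from the request."""
    if actual is None:
        # ...IfExists operators treat a missing key as a match; plain operators do not.
        return operator.endswith("IfExists")
    if operator.startswith("StringNotEquals"):
        return actual not in values  # negated operator: the value must match none of them
    if operator.startswith("Bool"):
        return actual.lower() == values[0].lower()
    raise ValueError(f"unsupported operator: {operator}")

def deny_applies(condition, request):
    """The Deny matches only when every operator/key pair in the block evaluates true."""
    return all(
        key_matches(op, vals, request.get(key))
        for op, keys in condition.items()
        for key, vals in keys.items()
    )

# Constructed request contexts, populated the way IAM would for different callers.
SAMPLE_REQUESTS = {
    "role_in_my_org": {"aws:PrincipalOrgID": MY_ORG_ID, "aws:PrincipalAccount": "333333333333",
                       "aws:PrincipalIsAWSService": "false"},
    "trusted_third_party": {"aws:PrincipalAccount": "111111111111", "aws:PrincipalIsAWSService": "false"},
    "cloudtrail_service": {"aws:PrincipalIsAWSService": "true"},  # service principal, no account keys
    "unknown_account": {"aws:PrincipalAccount": "999999999999", "aws:PrincipalIsAWSService": "false"},
    "anonymous": {},  # no principal keys at all, so every IfExists condition matches
}

def perimeter_results():
    """Map each sample caller to whether the Deny statement blocks it."""
    return {name: deny_applies(CONDITION, req) for name, req in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for name, denied in perimeter_results().items():
        print(f"{name:20} -> {'DENY' if denied else 'not denied by this statement'}")
```

Only the Deny statement is modelled; whether a caller that is not denied can actually act still depends on the Allow statements in its identity and resource policies.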
Depending on the use case, the following condition keys can be used when authoring a data perimeter policy:

  • aws:PrincipalOrgID, aws:ResourceOrgID
  • aws:SourceIp, aws:SourceVpc, aws:SourceVpce
  • aws:PrincipalIsAWSService, aws:ViaAWSService
  • aws:PrincipalOrgPaths and aws:PrincipalAccount