
Establishing a data perimeter on AWS: Allow only trusted resources from my organization

Companies that store and process data on Amazon Web Services (AWS) want to prevent transfers of that data to or from locations outside of their company’s control. This is to support security strategies, such as data loss prevention, or to comply with the terms and conditions set forth by various regulatory and privacy agreements. On AWS, a resource perimeter is a set of AWS Identity and Access Management (IAM) features and capabilities that you can use to build your defense-in-depth protection against unintended data transfers. In this third blog post of the Establishing a data perimeter on AWS series, we review the benefits and implementation considerations when you define your resource perimeter.

 <p>The resource perimeter is one of the three perimeters in the <a href="https://aws.amazon.com/identity/data-perimeters-on-aws/" target="_blank" rel="noopener">data perimeter</a> framework on AWS and has the following two control objectives:</p> <ul> <li><strong>My identities can access only trusted resources</strong> – This helps to ensure that IAM principals that belong to your <a href="https://aws.amazon.com/organizations/" target="_blank" rel="noopener">AWS Organizations</a> organization can access only the resources that you trust.</li> <li><strong>Only trusted resources can be accessed from my network</strong> – This helps to ensure that only resources that you trust can be accessed through expected networks, regardless of the principal that is making the API call.</li> </ul> <p>Trusted resources are the AWS resources, such as <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener">Amazon Simple Storage Service (Amazon S3)</a> buckets and objects or <a href="https://aws.amazon.com/sns/" target="_blank" rel="noopener">Amazon Simple Notification Service (Amazon SNS)</a> topics, that are owned by your organization and in which you store and process your data. Additionally, there are resources outside your organization that your identities or AWS services acting on your behalf might need to access. You will need to consider these access patterns when you define your resource perimeter.</p> <h2>Security risks addressed by the resource perimeter</h2> <p>The resource perimeter helps address three main security risks.</p> <p><strong>Unintended data disclosure through use of corporate credentials — </strong>Your developers might have a personal AWS account that is not part of your organization. In that account, they could configure a resource with a resource-based policy that allows their corporate credentials to interact with the resource. 
For example, they could write an S3 bucket policy that allows them to upload objects by using their corporate credentials. This could allow the intentional or unintentional transfer of data from your corporate environment — your on-premises network or virtual private cloud (VPC) — to their personal account. While you advance through your <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege" target="_blank" rel="noopener">least privilege journey</a>, you should make sure that access to untrusted resources is prohibited, regardless of the permissions granted by <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html" target="_blank" rel="noopener">identity-based policies</a> that are attached to your IAM principals. Figure 1 illustrates an unintended access pattern where your employee uses an identity from your organization to move data from your on-premises or AWS environment to an S3 bucket in a non-corporate AWS account.</p> <div id="attachment_28755" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28755" src="https://infracom.com.sg/wp-content/uploads/2023/03/img1.jpg" alt="Figure 1: Unintended data transfer to an S3 bucket outside of your organization by your identities" width="760" class="size-full wp-image-28755"> <p id="caption-attachment-28755" class="wp-caption-text">Figure 1: Unintended data transfer to an S3 bucket outside of your organization by your identities</p> </div> <p><strong>Unintended data disclosure through non-corporate credentials usage — </strong>There is a risk that developers could introduce personal IAM credentials to your corporate network and attempt to move company data to personal AWS resources. 
We discussed this security risk in a previous blog post: <a href="https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-only-trusted-identities-to-access-company-data/" target="_blank" rel="noopener">Establishing a data perimeter on AWS: Allow only trusted identities to access company data</a>. In that post, we described how to use the <span>aws:PrincipalOrgID</span> condition key to prevent the use of non-corporate credentials to move data into an untrusted location. In the current post, we will show you how to implement resource perimeter controls as a defense-in-depth approach to mitigate this risk.</p> <p><strong>Unintended data infiltration — </strong>There are situations where your developers might start the solution development process using commercial datasets, tooling, or software and decide to copy them from repositories, such as those hosted on public S3 buckets. This could introduce malicious components into your corporate environment, your on-premises network, or VPCs. Establishing the resource perimeter to only allow access to trusted resources from your network can help mitigate this risk. 
Figure 2 illustrates the access pattern where an employee with corporate credentials downloads assets from an S3 bucket outside of your organization.</p> <div id="attachment_28756" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28756" src="https://infracom.com.sg/wp-content/uploads/2023/03/img2-1024x571-1.png" alt="Figure 2: Unintended data infiltration" width="760" class="size-large wp-image-28756"> <p id="caption-attachment-28756" class="wp-caption-text">Figure 2: Unintended data infiltration</p> </div> <h2>Implement the resource perimeter</h2> <p>To achieve the resource perimeter control objectives, you can implement guardrails in your AWS environment by using the following AWS policy types:</p> <ul> <li><a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html" target="_blank" rel="noopener">Service control policies (SCPs</a>) – Organization policies that are used to centrally manage and set the maximum available permissions for your IAM principals. SCPs help you ensure that your accounts stay within your organization’s access control guidelines. In the context of the resource perimeter, you will use SCPs to help prevent access to untrusted resources from AWS principals that belong to your organization.</li> <li><a href="https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html" target="_blank" rel="noopener">VPC endpoint policy</a> – An <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html" target="_blank" rel="noopener">IAM resource-based policy</a> that is attached to a VPC endpoint to control which principals, actions, and resources can be accessed through a VPC endpoint. 
In the context of the resource perimeter, VPC endpoint policies are used to validate that the resource the principal is trying to access belongs to your organization.</li> </ul> <p>The condition key used to constrain access to resources in your organization is <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid" target="_blank" rel="noopener">aws:ResourceOrgID</a>. You can set this key in an SCP or VPC endpoint policy. The following table summarizes the relationship between the control objectives and the AWS capabilities used to implement the resource perimeter.</p> <table width="100%"> <tbody> <tr> <td width="40%"><strong>Control objective</strong></td> <td width="25%"><strong>Implemented by using</strong></td> <td width="35%"><strong>Primary IAM capability</strong></td> </tr> <tr> <td width="40%">My identities can access only trusted resources</td> <td width="25%">SCPs</td> <td width="35%">aws:ResourceOrgID</td> </tr> <tr> <td width="40%">Only trusted resources can be accessed from my network</td> <td width="25%">VPC endpoint policies</td> <td width="35%">aws:ResourceOrgID</td> </tr> </tbody> </table> <p>In the next section, you will learn how to use the IAM capabilities listed in the preceding table to implement each control objective of the resource perimeter.</p> <h3>My identities can access only trusted resources</h3> <p>The following is an example of an SCP that limits all actions to only the resources that belong to your organization. Replace <span>&lt;my-org-id&gt;</span> with your information.</p> <div class="hide-language"> <pre class="unlimited-height-code"><code class="lang-text">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceResourcePerimeter",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceOrgID": "&lt;my-org-id&gt;"
        }
      }
    }
  ]
}</code></pre> </div> <p>In this policy, notice the use of the negated condition operator <span>StringNotEqualsIfExists</span>. This means that the condition evaluates to true, and the policy denies the API call, if the organization identifier of the resource that is being accessed differs from the one specified in the policy. It also means that this policy denies API calls if the resource being accessed belongs to a standalone account, which isn’t part of an organization. The negated condition operators in the Deny statement mean that the condition still evaluates to true if the key is not present in the request; however, as a best practice, I added <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IfExists" target="_blank" rel="noopener">IfExists</a> to the end of the <span>StringNotEquals</span> operator to clearly express the intent in the policy.</p> <p>Note that for a permission to be allowed for a specific account, a statement that allows access must exist at every level of the hierarchy of your organization.</p> <h3>Only trusted resources can be accessed from my network</h3> <p>You can achieve this objective by combining the SCP we just reviewed with the use of <span>aws:PrincipalOrgID</span> in your VPC endpoint policies, as shown in the <a href="https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-only-trusted-identities-to-access-company-data/" target="_blank" rel="noopener">Establishing a data perimeter on AWS: Allow only trusted identities to access company data</a> blog post. However, as a defense in depth, you can also apply resource perimeter controls on your networks by using <span>aws:ResourceOrgID</span> in your VPC endpoint policies.</p> <p>The following is an example of a VPC endpoint policy that allows all actions but limits access to only trusted resources and identities that belong to your organization. Replace <span>&lt;my-org-id&gt;</span> with your information.</p> <div class="hide-language"> <pre class="unlimited-height-code"><code class="lang-text">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "&lt;my-org-id&gt;",
          "aws:ResourceOrgID": "&lt;my-org-id&gt;"
        }
      }
    }
  ]
}</code></pre> </div>

The StringEquals condition operator is used in the preceding VPC endpoint policy. For the Allow effect to apply, both the principal making the API call and the resource it is trying to access must belong to your organization. Your intent for this policy differs from the SCP example we reviewed earlier: here you want the Allow statement to evaluate to true only if the specified key is present in the request. Also note that VPC endpoint policies apply to any principal, regardless of where it belongs, as long as the request is routed through the VPC endpoint.

In VPC endpoint policies, you define the maximum access allowed through your network rather than granting permissions. That is why this policy uses an Allow effect.

Extend your resource perimeter

The two policies we just reviewed restrict your identities and networks to accessing only AWS resources that belong to your organization. However, your business might require that you extend your resource perimeter to include AWS-owned resources: resources that do not belong to your organization but are accessed by your principals or by AWS services acting on your behalf. For example, if you use AWS Service Catalog in your environment, the service creates and uses its own Amazon S3 buckets to store products. For your developers to successfully provision AWS Service Catalog products, your resource perimeter needs to account for this access pattern. The following statement shows how to account for the Service Catalog access pattern. Replace <my-org-id> with your information.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceResourcePerimeter",
      "Effect": "Deny",
      "NotAction": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceOrgID": "<my-org-id>"
        }
      }
    },
    {
      "Sid": "ExtendResourcePerimeter",
      "Effect": "Deny",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceOrgID": "<my-org-id>"
        },
        "ForAllValues:StringNotEquals": {
          "aws:CalledVia": [
            "servicecatalog.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Note that the EnforceResourcePerimeter statement in the SCP has been modified so that the actions s3:GetObject, s3:PutObject, and s3:PutObjectAcl are excluded from its effect (NotAction element). This is because Service Catalog uses these actions to access service-owned S3 buckets. These actions are now restricted in the ExtendResourcePerimeter statement, which includes two negated condition keys. The second statement denies the previously mentioned S3 actions unless the resource that is being accessed belongs to your organization (StringNotEqualsIfExists with aws:ResourceOrgID), or the actions are performed by Service Catalog on your behalf (ForAllValues:StringNotEquals with aws:CalledVia). The aws:CalledVia condition key compares the services specified in the policy with the services that made requests on behalf of the IAM principal by using that principal’s credentials. In the case of Service Catalog, the credentials of a principal who launches a product are used to access S3 buckets that are owned by Service Catalog.

It is important to highlight that we intentionally do not use the aws:ViaAWSService condition key in the preceding policy. This is because when you extend your resource perimeter, we recommend that you restrict access to only the buckets that are accessed by the specific service you are using.

You might also need to extend your resource perimeter to include the third-party resources of your partners. For example, you could be working with business partners that require your principals to upload or download objects to or from S3 buckets that belong to their accounts. In this case, you can use the aws:ResourceAccount condition key in your resource perimeter policy to specify resources that belong to the trusted third-party account.

The following is an example of an SCP that accounts for access to Service Catalog and third-party partner resources. Replace <my-org-id> and <third-party-account-a> with your information.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceResourcePerimeter",
      "Effect": "Deny",
      "NotAction": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceOrgID": "<my-org-id>"
        }
      }
    },
    {
      "Sid": "ExtendResourcePerimeter",
      "Effect": "Deny",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceOrgID": "<my-org-id>",
          "aws:ResourceAccount": "<third-party-account-a>"
        },
        "ForAllValues:StringNotEquals": {
          "aws:CalledVia": [
            "servicecatalog.amazonaws.com"
          ]
        }
      }
    }
  ]
}

To account for access to trusted third-party account resources, the StringNotEqualsIfExists condition in the ExtendResourcePerimeter statement now also contains the condition key aws:ResourceAccount. The second statement therefore denies the previously mentioned S3 actions unless the resource that is being accessed belongs to your organization (StringNotEqualsIfExists with aws:ResourceOrgID) or to a trusted third-party account (StringNotEqualsIfExists with aws:ResourceAccount), or the actions are performed by Service Catalog on your behalf (ForAllValues:StringNotEquals with aws:CalledVia).
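As an added example that is not part of the original post or of any AWS code, the following Python models how IAM evaluates the extended SCP above, covering both the Service Catalog carve-out (aws:CalledVia) and the third-party extension (aws:ResourceAccount), against constructed request contexts; the organization ID, account IDs and aws:CalledVia values are constructed placeholders, not real identifiers.

```python
# Added example, not code from the post or from AWS: a minimal model of how IAM
# evaluates the extended resource-perimeter SCP above against request contexts.
# The organization ID, account IDs and bucket owners below are constructed placeholders.
from typing import Dict, List, Optional, Union

MY_ORG_ID = "o-myorgexample"          # constructed stand-in for <my-org-id>
THIRD_PARTY_ACCOUNT = "111111111111"  # constructed stand-in for <third-party-account-a>
EXTENDED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"}

# Request context as IAM assembles it. None models a key absent from the request:
# aws:ResourceOrgID for a resource in a standalone account, aws:CalledVia for a direct call.
Context = Dict[str, Union[None, str, List[str]]]


def string_not_equals_if_exists(ctx: Context, policy: Dict[str, str]) -> bool:
    """StringNotEqualsIfExists over one or more keys (ANDed): each key must be absent
    (IfExists treats a missing key as a match) or differ from the policy value."""
    return all(ctx.get(key) is None or ctx[key] != value for key, value in policy.items())


def for_all_values_string_not_equals(ctx: Context, key: str, policy_values: List[str]) -> bool:
    """ForAllValues:StringNotEquals: true when every value of the multivalued key is
    outside policy_values; an absent or empty set also evaluates to true."""
    return all(v not in policy_values for v in (ctx.get(key) or []))


def scp_denies(action: str, ctx: Context) -> bool:
    """True when either Deny statement of the extended SCP matches the request."""
    if action not in EXTENDED_ACTIONS:
        # Sid EnforceResourcePerimeter: NotAction covers everything but the three S3 actions.
        return string_not_equals_if_exists(ctx, {"aws:ResourceOrgID": MY_ORG_ID})
    # Sid ExtendResourcePerimeter: the three S3 actions, with the partner-account and
    # Service Catalog carve-outs. Deny only if every condition block is true.
    outside_trusted = string_not_equals_if_exists(
        ctx, {"aws:ResourceOrgID": MY_ORG_ID, "aws:ResourceAccount": THIRD_PARTY_ACCOUNT})
    not_via_service_catalog = for_all_values_string_not_equals(
        ctx, "aws:CalledVia", ["servicecatalog.amazonaws.com"])
    return outside_trusted and not_via_service_catalog


def request(org: Optional[str], account: str, called_via: Optional[List[str]] = None) -> Context:
    return {"aws:ResourceOrgID": org, "aws:ResourceAccount": account, "aws:CalledVia": called_via}


def evaluate_samples() -> Dict[str, bool]:
    """Constructed requests; a True value means the SCP denies the call."""
    return {
        "get from own-org bucket": scp_denies("s3:GetObject", request(MY_ORG_ID, "222222222222")),
        "put to foreign-org bucket": scp_denies("s3:PutObject", request("o-otherorg", "333333333333")),
        "put to standalone-account bucket": scp_denies("s3:PutObject", request(None, "444444444444")),
        "get from partner bucket": scp_denies("s3:GetObject", request("o-partnerorg", THIRD_PARTY_ACCOUNT)),
        "service catalog reads service-owned bucket": scp_denies(
            "s3:GetObject", request(None, "555555555555", ["servicecatalog.amazonaws.com"])),
        "other service reads foreign bucket": scp_denies(
            "s3:GetObject", request(None, "555555555555", ["cloudformation.amazonaws.com"])),
        "publish to foreign SNS topic via service catalog": scp_denies(
            "sns:Publish", request("o-otherorg", "333333333333", ["servicecatalog.amazonaws.com"])),
    }


if __name__ == "__main__":
    for name, denied in evaluate_samples().items():
        print(f"{'DENY ' if denied else 'allow'}  {name}")
```

The last sample shows that the aws:CalledVia carve-out applies only to the three S3 actions; a Service Catalog call to a non-S3 resource outside the organization still falls under EnforceResourcePerimeter.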

The last policy example demonstrates how to extend your resource perimeter to allow access to resources that are owned by your trusted third parties through the networks that you control. This is required if applications running in your VPC or on premises need to access a dataset that is created and maintained in your business partner’s AWS accounts. Similar to the SCP examples, you can use the aws:ResourceAccount condition key in your VPC endpoint policy to account for this access pattern. Replace <my-org-id>, <third-party-account-a>, and <third-party-account-b> with your information.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "<my-org-id>",
          "aws:ResourceOrgID": "<my-org-id>"
        }
      }
    },
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToThirdPartyResources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "<my-org-id>",
          "aws:ResourceAccount": [
            "<third-party-account-a>",
            "<third-party-account-b>"
          ]
        }
      }
    }
  ]
}

The second statement, AllowRequestsByOrgsIdentitiesToThirdPartyResources, in the updated VPC endpoint policy allows the s3:GetObject, s3:PutObject, and s3:PutObjectAcl actions on trusted third-party resources (StringEquals with aws:ResourceAccount) by principals that belong to your organization (StringEquals with aws:PrincipalOrgID).

Note that you do not need to modify your VPC endpoint policy to support the previously discussed Service Catalog operations. This is because calls to Amazon S3 made by Service Catalog on your behalf originate from the Service Catalog service network and do not traverse your VPC endpoint. However, when defining your trusted resources, you should take into account access patterns that resemble the Service Catalog example. See the section on IAM policy examples later in this post to learn more about services with similar access patterns.

Deploy the resource perimeter at scale

For recommendations on deploying a data perimeter at scale, see the Establishing a data perimeter on AWS: Allow only trusted identities to access company data blog post. The section titled Deploying the identity perimeter at scale provides the information on how to accomplish this for your organization.

IAM policy examples

Our GitHub repository contains policy examples that illustrate how to implement perimeter controls for a variety of AWS services. The policy examples in the repository are for reference only. You will need to tailor them to suit the specific needs of your AWS environment.

Conclusion

In this blog post, you learned about the resource perimeter, the control objectives it achieves, and how to create SCPs and VPC endpoint policies to support these objectives for your organization. You also learned how to extend your perimeter to include resources owned by AWS services and those of your third-party partners.

For additional learning opportunities, see the Data perimeters on AWS page. This information resource provides additional materials such as a data perimeter workshop, blog posts, whitepapers, and webinar sessions.

If you have any questions, comments, or concerns, contact AWS Support or browse AWS re:Post. If you have feedback about this post, submit it in the Comments section below.

Want more AWS Security news? Follow us on Twitter.
