Data Perimeters: Conditional Access

Layered access control using multiple policies that take advantage of request context

Applying Risk Based Access Control is recommended for multi-layered critical applications: it ensures that configuration errors do not leave resources exposed, limits access to the locations from which you expect requests to originate, and restricts it to the minimum required targets.

AWS stores useful request context in the session that you can reference in IAM policy conditions, so that access is granted only under the right circumstances.

Criteria such as whether the request comes from a given range of IP addresses, or whether it is made from an account inside your organization, are conditions that you can attach to IAM policies.
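As an added example (not a policy from the original page), an S3 bucket policy that applies both criteria above as explicit Deny statements: one refuses principals outside your organization via `aws:PrincipalOrgID`, the other refuses requests that arrive neither from the expected IP range (`aws:SourceIp`) nor from the expected VPC (`aws:SourceVpc`). The bucket name, organization ID, CIDR and VPC ID are placeholders; the `...IfExists` operators treat an absent key as a match, and the `aws:PrincipalIsAWSService` / `aws:ViaAWSService` keys exempt AWS services acting on your behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPrincipalsOutsideMyOrganization",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-data-bucket",
        "arn:aws:s3:::example-data-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    },
    {
      "Sid": "DenyRequestsFromUnexpectedNetworks",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-data-bucket",
        "arn:aws:s3:::example-data-bucket/*"
      ],
      "Condition": {
        "NotIpAddressIfExists": {
          "aws:SourceIp": ["203.0.113.0/24"]
        },
        "StringNotEqualsIfExists": {
          "aws:SourceVpc": ["vpc-0123456789abcdef0"]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false",
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

Both statements only deny; principals still need an Allow (identity policy or a further bucket policy statement) to reach the bucket, and a request is refused when either statement matches.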

Attribute Based Access Controls (ABAC)

For other applications that must be managed at scale, a good practice is to use Attribute Based Access Control (ABAC). If you use AWS IAM Identity Center (successor to AWS Single Sign-On), a free service, you can leverage its support for session tags to pass attributes from your directory to AWS and use those attributes to determine access to different resources.

AWS IAM Identity Center (successor to AWS Single Sign-On) can use its own user store, or integrate directories such as Microsoft Active Directory and external identity providers such as Okta, Auth0, Ping Identity, OneLogin and Azure AD.

AWS Blogs

Attribute-Based Access Control with IAM Identity Center (successor to AWS Single Sign-On)

Pricing

The AWS IAM service is free, and configuring resource policies (such as bucket policies) incurs no additional cost.