What is a data perimeter?
A data perimeter is a set of preventive guardrails in your Amazon Web Services environment you use to help ensure that only your trusted identities are accessing trusted resources from expected networks. Data perimeter guardrails are meant to serve as always-on boundaries to help protect your data across a broad set of Amazon Web Services accounts and resources. These organization-wide guardrails do not replace your existing fine-grained access controls. Instead, they help improve your security strategy by ensuring that all Amazon Identity and Access Management (IAM) users, roles, and resources adhere to a set of defined security standards.
Trusted identities: Principals (IAM roles or users) within your Amazon Web Services accounts, or Amazon Web Services services acting on your behalf.
Trusted resources: Resources owned by your Amazon Web Services accounts or by Amazon Web Services services acting on your behalf.
Expected networks: Your on-premises data centers and virtual private clouds (VPCs), or networks of Amazon Web Services services acting on your behalf.
Establish an organization-wide data perimeter
You can establish a data perimeter by using permissions guardrails that restrict access outside of an organization boundary, typically your organization created by using Amazon Organizations. These are the three primary Amazon Web Services capabilities used to establish a data perimeter on Amazon Web Services Cloud:
- Resource-based policies: Policies attached to resources. For example, you can attach resource-based policies to Amazon Simple Storage Service (Amazon S3) buckets, Amazon Simple Queue Service (Amazon SQS) queues, and Amazon Key Management Service (KMS) encryption keys. For a list of services that support resource-based policies, see Amazon Web Services services that work with IAM. Resource-based policies filter access based on the calling principal and the network from which the principal is making a call.
- Service control policies (SCPs): Organization policies that you can use to establish the maximum available permissions for your principals (IAM roles or users) within your organization. SCPs restrict your identities from accessing resources out of your control or outside of your network.
- VPC endpoint policies: Policies that you attach to VPC endpoints to control which principals, actions, and resources can be accessed by using a VPC endpoint. For a list of services that support VPC endpoints and VPC endpoint policies, see Amazon Web Services services that integrate with Amazon PrivateLink. VPC endpoint policies seamlessly inspect the principal making the API call and the resource the principal is trying to access.
How it works
To establish data perimeters, define your control objectives first and implement those objectives by using resource-based policies, service control policies, and VPC endpoint policies. Then, apply these policies as data perimeter guardrails within your organization.
Benefits
Meet security and compliance requirements
Implement organization-wide permissions guardrails that help prevent Amazon Web Services accounts, organizational units, or an entire organization from taking actions that do not meet your security and compliance policies. By using preventive controls, you can establish that only your trusted identities are accessing trusted resources from expected networks.
Improve your data loss prevention strategies
Use data perimeters in your data loss prevention strategies to detect and help prevent intentional or unintentional transfers of sensitive information for unauthorized use. Data perimeters provide cloud-native preventive controls to restrict access to trusted identities accessing sensitive data as you intend.
Establish an organization-wide data perimeter
With an organization-wide data perimeter in place, you can start by granting broader permissions to developers to get them started quickly on their projects. After the workload is well defined, work your way toward specific permissions and least privilege.
Use cases
Allow data access to only those you want to have access
Establish an organization-wide data perimeter to allow data access to only those you want to have access. For example, they can help you ensure that data is accessed only by your employees and only from your corporate network, including your on-premises data centers or VPCs. Also, they can help prevent resources from being shared with external roles and users.
Help protect sensitive information
Help protect sensitive information with organization-wide data perimeters. Also help prevent employees from using noncorporate credentials to access noncorporate resources, which could lead to intentional or unintentional data loss. Help ensure that your employees can access only company-approved data stores.
Help prevent credential use outside of your corporate environment
Help prevent employees from using corporate credentials outside of your corporate environment, including your on-premises data centers and VPCs. Create an organization-wide perimeter that helps prevent your identities from performing any actions outside of your corporate network.
Resources
Blogs
Establishing a data perimeter on Amazon Web Services Cloud: Overview
by Ilya Epshteyn, 05/10/2022
Establishing a data perimeter on Amazon Web Services Cloud: Allow only trusted resources from my organization
by Laura Reith and Tatyana Yatskevich, 03/09/2023
Establishing a data perimeter on Amazon Web Services Cloud: Allow only trusted identities to access company data
by Tatyana Yatskevich, 11/23/2022
IAM makes it easier for you to manage permissions for Amazon Web Services services accessing your resources
by Ilya Epshteyn and Harsha Sharma, 05/04/2021