Data perimeters on AWS

What is a data perimeter?

A data perimeter is a set of preventive guardrails in your AWS environment you use to help ensure that only your trusted identities are accessing trusted resources from expected networks. Data perimeter guardrails are meant to serve as always-on boundaries to help protect your data across a broad set of AWS accounts and resources. These organization-wide guardrails do not replace your existing fine-grained access controls. Instead, they help improve your security strategy by ensuring that all AWS Identity and Access Management (IAM) users, roles, and resources adhere to a set of defined security standards.

Trusted identities: Principals (IAM roles or users) within your AWS accounts, or AWS services acting on your behalf.

Trusted resources: Resources owned by your AWS accounts or by AWS services acting on your behalf.

Expected networks: Your on-premises data centers and virtual private clouds (VPCs), or networks of AWS services acting on your behalf.

Establish an organization-wide data perimeter

You can establish a data perimeter by using permissions guardrails that restrict access outside of an organization boundary, typically your organization created by using AWS Organizations. These are the three primary AWS capabilities used to establish a data perimeter on AWS:

  • Resource-based policies: Policies attached to resources. For example, you can attach resource-based policies to Amazon Simple Storage Service (Amazon S3) buckets, Amazon Simple Queue Service (Amazon SQS) queues, and AWS Key Management Service (AWS KMS) encryption keys. For a list of services that support resource-based policies, see AWS services that work with IAM. Resource-based policies filter access based on the calling principal and the network from which the principal is making a call.
  • Service control policies (SCPs): Organization policies that you can use to establish the maximum available permissions for your principals (IAM roles or users) within your organization. SCPs restrict your identities from accessing resources outside of your control or outside of your network. Note that SCPs do not affect the management account of the organization or service-linked roles, so those need to be covered by other controls.
  • VPC endpoint policies: Policies that you attach to VPC endpoints to control which principals, actions, and resources can be accessed through a VPC endpoint. For a list of services that support VPC endpoints and VPC endpoint policies, see AWS services that integrate with AWS PrivateLink. For every call that traverses the endpoint, the VPC endpoint policy evaluates the principal making the API call and the resource the principal is trying to access.

How it works

To establish data perimeters, define your control objectives first and implement those objectives by using resource-based policies, service control policies, and VPC endpoint policies. Then, apply these policies as data perimeter guardrails within your AWS organization.
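The following is an added example, not code from this AWS page or its workshop, showing the three capabilities above working together as one perimeter: an SCP for the resource and network dimensions, a bucket policy for the identity and network dimensions, and a VPC endpoint policy for the identity and resource dimensions. The organization ID, VPC ID, CIDR range, bucket name and the request contexts are placeholders constructed for the example. The small evaluator models only the IAM condition operators these policies use (including the ...IfExists handling of missing keys) and none of the SCP exemptions for the management account or service-linked roles; it is an illustration of how the policies combine, not a policy simulator.

```python
"""Data perimeter guardrails as the three policy types, plus a small evaluator
that replays constructed request contexts against them (added example)."""
import fnmatch
import ipaddress

ORG_ID = "o-exampleorgid"                 # placeholder organization ID
TRUSTED_VPCS = ["vpc-0123456789abcdef0"]  # placeholder VPC(s) with S3 endpoints
CORP_CIDRS = ["203.0.113.0/24"]           # placeholder on-premises egress range
BUCKET_ARN = "arn:aws:s3:::example-data-bucket"  # placeholder bucket

# Network perimeter condition shared by the SCP and the bucket policy: deny unless
# the call comes from corporate IPs, a trusted VPC, or an AWS service acting on your
# behalf. ...IfExists treats a missing key (no aws:SourceVpc on an internet request,
# no aws:SourceIp on a VPC endpoint request) as true, so each branch applies only
# when its key is present. Condition keys in one block are ANDed.
NETWORK_CONDITION = {
    "NotIpAddressIfExists": {"aws:SourceIp": CORP_CIDRS},
    "StringNotEqualsIfExists": {"aws:SourceVpc": TRUSTED_VPCS},
    "BoolIfExists": {"aws:ViaAWSService": "false", "aws:PrincipalIsAWSService": "false"},
}

# 1. SCP on the org: my principals reach only my resources, only from my networks.
#    Scoped to S3 here; real SCPs need exemptions for actions without a resource context.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnforceResourcePerimeter", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEqualsIfExists": {"aws:ResourceOrgID": ORG_ID}}},
    {"Sid": "EnforceNetworkPerimeter", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": NETWORK_CONDITION},
]}

# 2. Bucket policy on the resource: only my principals (or AWS service principals),
#    only from my networks.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnforceIdentityPerimeter", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID},
                   "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}},
    {"Sid": "EnforceNetworkPerimeter", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": NETWORK_CONDITION},
]}

# 3. VPC endpoint policy on the network path: only my principals, only to my resources.
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOrgPrincipalsToOrgResources", "Effect": "Allow", "Principal": "*",
     "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID, "aws:ResourceOrgID": ORG_ID}}},
]}


def _list(v):
    return v if isinstance(v, list) else [v]


def _cond(op, key, expected, ctx):
    """Evaluate one IAM condition pair against the request context."""
    base = op[:-8] if op.endswith("IfExists") else op
    if key not in ctx:  # ...IfExists and negated operators treat a missing key as true
        return op != base or base.startswith(("StringNot", "NotIp"))
    actual, values = str(ctx[key]), [str(v) for v in _list(expected)]
    if base == "StringEquals":
        return actual in values
    if base == "StringNotEquals":
        return actual not in values
    if base == "Bool":
        return actual.lower() == values[0].lower()
    if base == "NotIpAddress":
        return not any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in values)
    raise NotImplementedError(op)


def _matches(stmt, ctx):
    """True when the statement's Action, Resource and every Condition apply to ctx."""
    return (any(fnmatch.fnmatchcase(ctx["action"], a) for a in _list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _list(stmt["Resource"]))
            and all(_cond(op, k, v, ctx) for op, pairs in stmt.get("Condition", {}).items()
                    for k, v in pairs.items()))


def evaluate(ctx):
    """Return 'Allow' or 'Deny' for a request context (IAM condition keys plus
    'action' and 'resource'), assuming the identity policy already allows the call."""
    policies = []
    if ctx.get("aws:PrincipalOrgID") == ORG_ID:   # SCPs bind the org's own principals
        policies.append(SCP)
    if ctx["resource"].startswith(BUCKET_ARN):    # the bucket policy binds its own resource
        policies.append(BUCKET_POLICY)
    if any(s["Effect"] == "Deny" and _matches(s, ctx) for p in policies for s in p["Statement"]):
        return "Deny"
    if "aws:SourceVpce" in ctx and not any(       # calls through the endpoint need its Allow
            s["Effect"] == "Allow" and _matches(s, ctx) for s in VPCE_POLICY["Statement"]):
        return "Deny"
    return "Allow"


def sample_requests():
    """Constructed request contexts (not real CloudTrail data), one per perimeter case."""
    own = {"action": "s3:GetObject", "resource": BUCKET_ARN + "/report.csv",
           "aws:ResourceOrgID": ORG_ID}
    return {
        "employee_from_trusted_vpc": {**own, "aws:PrincipalOrgID": ORG_ID,
                                      "aws:SourceVpc": TRUSTED_VPCS[0], "aws:SourceVpce": "vpce-0a1b2c3d"},
        "employee_via_aws_service": {**own, "aws:PrincipalOrgID": ORG_ID, "aws:ViaAWSService": "true"},
        "aws_service_principal": {**own, "aws:PrincipalIsAWSService": "true"},
        "employee_from_home_ip": {**own, "aws:PrincipalOrgID": ORG_ID, "aws:SourceIp": "198.51.100.7"},
        "employee_to_external_bucket": {"action": "s3:PutObject", "aws:PrincipalOrgID": ORG_ID,
                                        "resource": "arn:aws:s3:::someone-elses-bucket/x",
                                        "aws:ResourceOrgID": "o-otherorgid", "aws:SourceIp": "203.0.113.10"},
        "external_identity_from_corp_ip": {**own, "aws:PrincipalOrgID": "o-otherorgid",
                                           "aws:SourceIp": "203.0.113.10"},
        "noncorporate_creds_in_trusted_vpc": {"action": "s3:PutObject", "aws:PrincipalOrgID": "o-otherorgid",
                                              "resource": "arn:aws:s3:::personal-bucket/x",
                                              "aws:ResourceOrgID": "o-otherorgid",
                                              "aws:SourceVpc": TRUSTED_VPCS[0], "aws:SourceVpce": "vpce-0a1b2c3d"},
    }


if __name__ == "__main__":
    for name, ctx in sample_requests().items():
        print(f"{evaluate(ctx):5}  {name}")
```

The three cases that pass are exactly the definitions above: a trusted identity reaching a trusted resource from an expected network, and AWS services acting on your behalf (either as a service principal or on a principal's behalf with aws:ViaAWSService). The last case is the one an SCP and a bucket policy cannot catch on their own, since neither the principal nor the resource is yours; only the VPC endpoint policy on the expected network denies it.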

Meet security and compliance requirements

Implement organization-wide permissions guardrails that help prevent AWS accounts, organizational units, or an entire organization from taking actions that do not meet your security and compliance policies. By using preventive controls, you can establish that only your trusted identities are accessing trusted resources from expected networks.

Improve your data loss prevention strategies

Use data perimeters in your data loss prevention strategies to help prevent intentional or unintentional transfers of sensitive information to destinations you do not control. Data perimeters provide cloud-native preventive controls that restrict access to sensitive data to the trusted identities, trusted resources, and expected networks you intend.

Establish an organization-wide data perimeter

With an organization-wide data perimeter in place, you can start by granting developers broader permissions to get them started quickly on their projects, because the perimeter already bounds which identities, resources, and networks those permissions can reach. After the workload is well defined, work your way toward specific permissions and least privilege.

Use cases

Allow data access to only those you want to have access

Establish an organization-wide data perimeter to allow data access to only those you want to have access. For example, it can help you ensure that data is accessed only by your employees and only from your corporate network, including your on-premises data centers or VPCs. It can also help prevent resources from being shared with external roles and users.

Help protect sensitive information

Help protect sensitive information with organization-wide data perimeters. They also help prevent employees from using noncorporate credentials to access noncorporate resources from your network, which could lead to intentional or unintentional data loss, and help ensure that your employees can access only company-approved data stores.

Help prevent credential use outside of your corporate environment

Help prevent employees from using corporate credentials outside of your corporate environment, including your on-premises data centers and VPCs. Create an organization-wide perimeter that helps prevent your identities from performing any actions outside of your corporate network.

Related resources

  • AWS re:Inforce 2022 - Streamlining identity and access management for innovation (SEC207-L)
  • AWS re:Inforce 2022 - Establishing a data perimeter on AWS, featuring Vanguard (IAM304)
  • Building a data perimeter on AWS
  • Data perimeter workshop
  • GitHub repo: Data perimeter policy examples