Access Control Policy

Last updated: August 6, 2025

Overview

To define standardized procedures and controls for granting, monitoring, and revoking access to AWS resources in alignment with AWS Identity and Access Management best practices.


Audience

All BizCloud Experts stakeholders involved in AWS operations, including:

  • IAM Administrators and Security Team members

  • Developers and System Operators

  • Contractors and Third-Party Service Providers


Purpose

This policy defines how BizCloud Experts manages permissions to AWS resources using AWS Identity and Access Management (IAM), ensuring secure, consistent, and auditable access in accordance with AWS best practices (AWS IAM User Guide).


Scope

Applies to all BizCloud Experts AWS accounts, resources, and entities (users, applications, services) requiring access to AWS via IAM.


Key Concepts & Policy Types

  • Identity-based Policies

    JSON documents attached to IAM users, groups, or roles that grant or deny permissions.

  • Resource-based Policies

    Policies attached directly to AWS resources (e.g., S3 bucket policies, Lambda resource policies) specifying which principals can access the resource and under what conditions. Unlike identity-based policies, they carry an explicit Principal element.

  • Permissions Boundaries

    Define the maximum permissions an identity-based policy can grant to an IAM user or role. A boundary never grants access on its own; it caps the effective permissions of entities that can edit their own policies or create new ones, which is what limits privilege escalation.

  • Service Control Policies (SCPs)

    Organization-level policies that set permission guardrails across AWS Organizations accounts, limiting allowed actions even if identity-based policies grant them. SCPs never grant permissions on their own and do not apply to the organization's management account.


Policy Structure & Evaluation

  • Policy Elements

    • Version: Policy language version.

    • Statement: One or more permission statements with fields:

      1. Sid (optional): Identifier for the statement.

      2. Effect: Allow or Deny.

      3. Principal / NotPrincipal (resource-based policies only): The account, user, role, or service the statement applies to; an identity-based policy implies the entity it is attached to.

      4. Action / NotAction: API operations covered.

      5. Resource / NotResource: ARN(s) of AWS resources.

      6. Condition (optional): Contextual controls (e.g., MFA state, source IP address, tags), expressed with condition operators such as Bool, StringEquals, or IpAddress.

  • Evaluation Logic

    • Every request starts as implicitly denied; only the account root user is exempt from this default.

    • An explicit Deny in any applicable policy (SCP, resource-based policy, identity-based policy, permissions boundary, or session policy) overrides every Allow and ends the evaluation.

    • Otherwise each applicable layer must grant the request: if the account belongs to an organization, an SCP must allow it; a resource-based policy attached to the target resource can allow a principal in the same account on its own; failing that, the identity-based policy must allow it, and any permissions boundary or session policy in effect must also allow it.

    • For cross-account access both sides must allow: the resource-based policy in the resource account and the identity-based policy in the principal's account.

    • A request that no Allow statement covers is implicitly denied.


Principles & Best Practices

  • Least Privilege

    • Begin with no permissions and grant only what’s necessary.

    • Narrow scope using Action, Resource, and Condition.

  • Explicit Deny for Sensitive Operations

    • Deny high-risk actions (e.g., iam:DeleteUser) via dedicated statements.

  • Use Managed Policies

    • Use AWS managed policies for common job functions only where their scope genuinely matches the need; they are broad and cannot be edited, so production workloads should use scoped customer managed policies.

    • Maintain custom, version-controlled “BizCloud Experts–managed” policies.

  • Role-Based Access Control (RBAC)

    • Assign permissions to groups and roles, not individual users.

  • Permissions Boundaries for Contractors

    • Attach a permissions boundary to every contractor role, and require (via an iam:PermissionsBoundary condition on iam:CreateRole, iam:CreateUser, and the iam:*PolicyVersion/iam:Put*Policy actions) that any identities contractors create carry the same boundary, so it cannot be escaped by creating a new role.

  • Attribute-Based Access Control (ABAC)

    • Use tag condition keys (aws:ResourceTag/<key>, aws:PrincipalTag/<key>, and aws:RequestTag/<key> for tag-on-create) so that access follows matching tags instead of per-resource statements; restrict who may create or modify those tags, since tag changes become permission changes.

  • MFA Enforcement

    • Require MFA for sensitive operations with a Deny statement conditioned on "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}. Do not express the requirement as an Allow conditioned on BoolIfExists "true": the ...IfExists operators evaluate to true when the key is absent, and requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key, so such an Allow does not require MFA at all.
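
The policy types, evaluation logic, and condition patterns described above can be exercised offline with the following simulator. It is an added example written for this page, not AWS code and not BizCloud Experts tooling. It models only the subset described above (SCP, permissions boundary, and identity-based policy, with resource-based and session policies omitted), and every policy document, ARN, tag name, and request context in it is constructed for illustration, including the bce-* bucket names, the t3.micro/t3.small instance-type allow-list, the project tag, and the deliberately weak MFA policy.

```python
"""Simplified IAM policy evaluation simulator (added example, not AWS code).
Models: implicit deny by default, explicit Deny anywhere wins, SCP, permissions
boundary and identity-based policy must each Allow. Resource-based and session
policies are omitted. Conditions: Bool, BoolIfExists, StringEquals,
StringNotEquals, with ${aws:PrincipalTag/...} expansion. All documents, ARNs,
tags and request contexts are constructed for illustration."""
import re
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _expand(value, ctx):  # expand policy variables such as ${aws:PrincipalTag/project}
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), value)

def _condition_matches(condition, ctx):
    for operator, pairs in condition.items():
        negated = "Not" in operator
        for key, wanted in pairs.items():
            wanted = [_expand(str(w), ctx) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if actual is None:
                # Absent key: ...IfExists and negated operators still match, others
                # fail. Hence BoolIfExists "true" in an Allow does not require MFA:
                # requests signed with a long-term access key carry no MFA key.
                if operator.endswith("IfExists") or negated:
                    continue
                return False
            base = operator.replace("IfExists", "")
            if base == "Bool":  # Bool comparison is case-insensitive
                actual, wanted = str(actual).lower(), [w.lower() for w in wanted]
            elif base not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator: {operator}")
            if (str(actual) in wanted) == negated:
                return False
    return True

def _matches_any(value, patterns):  # action names are case-insensitive; ARNs simplified
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _matches_any(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _matches_any(action, stmt["NotAction"]):
        return False
    if not _matches_any(resource, stmt.get("Resource", "*")):
        return False
    return _condition_matches(stmt.get("Condition", {}), ctx)

def _decision(policy, action, resource, ctx):
    """'Deny', 'Allow', or None when no statement matches (implicit deny)."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def evaluate(action, resource, ctx, identity, scp=None, boundary=None):
    """Return (decision, reason) for a same-account request."""
    layers = [("SCP", scp), ("permissions boundary", boundary), ("identity-based policy", identity)]
    results = {name: _decision(p, action, resource, ctx) for name, p in layers if p}
    for name, r in results.items():  # 1. an explicit Deny anywhere overrides every Allow
        if r == "Deny":
            return "Deny", f"explicit Deny in {name}"
    for name, r in results.items():  # 2. every applicable layer must contain an Allow
        if r is None:
            return "Deny", f"implicit deny: no matching Allow in {name}"
    return "Allow", "Allow present in every applicable policy"

# Constructed sample documents mirroring the practices above (hypothetical names).
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ApprovedInstanceTypesOnly", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t3.micro", "t3.small"]}}}]}
CONTRACTOR_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}
DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnProjectObjects", "Effect": "Allow", "Action": "s3:GetObject",  # ABAC
     "Resource": "arn:aws:s3:::bce-*/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}}},
    {"Sid": "Admin", "Effect": "Allow", "Action": ["iam:*", "ec2:RunInstances"], "Resource": "*"},
    {"Sid": "DenyIamWithoutMfa", "Effect": "Deny", "Action": "iam:*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
# Pitfall: this Allow also matches requests in which the MFA key is absent.
WEAK_MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:DeleteUser", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}}]}
MFA_CTX = {"aws:MultiFactorAuthPresent": "true", "aws:PrincipalTag/project": "alpha"}
KEY_CTX = {"aws:PrincipalTag/project": "alpha"}  # long-term access key: no MFA key
```

Calling evaluate("iam:DeleteUser", "*", KEY_CTX, DEV_POLICY, SCP) returns a Deny from the identity-based policy, while the same request against WEAK_MFA_POLICY returns Allow, which is the BoolIfExists pitfall in concrete form. Evaluating ec2:RunInstances with an instance type outside the allow-list returns an explicit Deny from the SCP regardless of what the identity policy grants, and adding CONTRACTOR_BOUNDARY turns an otherwise allowed ec2:RunInstances into an implicit deny because the boundary contains no matching Allow.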


Authentication & Credential Management

  • MFA Enforcement

    • Mandatory for all IAM users with console/API access.

  • Temporary Credentials

    • Prefer IAM roles and AWS STS over long-lived access keys; rotate any remaining keys every 90 days.

  • Root Account Protection

    • Remove root access keys; store credentials offline; enforce MFA.


Access Provisioning & Lifecycle

  • Role Creation

    • Use scoped managed/custom policies.

    • For cross-account scenarios, configure minimal trust policies: name the specific external role or account as the Principal rather than a whole-account wildcard, and require an sts:ExternalId condition when a third party assumes the role, to prevent confused-deputy abuse.

  • Policy Authoring

    • Write policies in the IAM JSON policy grammar, starting from least-privilege templates (e.g., AWS Policy Generator) or from policies that IAM Access Analyzer generates from observed CloudTrail activity, and run Access Analyzer policy validation before deployment.

  • Onboarding/Offboarding

    • Automate via IAM Identity Center (formerly AWS SSO) backed by the corporate identity provider, so that disabling a person there removes all AWS access; revoke any remaining IAM user credentials within 24 hours of departure.


Governance & Continuous Compliance

  • AWS Organizations & SCPs

    • Structure accounts into Organizational Units (OUs); apply SCPs per OU (e.g., restrict ec2:RunInstances to approved instance types).

  • IAM Access Analyzer

    • Regularly detect unintended public or cross-account access.

  • Automated Auditing

    • Enable an organization trail in CloudTrail covering all regions; aggregate logs in a central, access-restricted logging account.

    • Use AWS Config managed rules (e.g., iam-user-mfa-enabled, access-keys-rotated, iam-root-access-key-check) to continuously detect policy and credential drift.


Monitoring & Incident Response

  • Monitoring

    • Track IAM events via CloudTrail, Amazon EventBridge (formerly CloudWatch Events), and Security Hub.

    • Alert on suspicious actions (e.g., new policy creation, privilege escalations).

  • Incident Response

    • Revoke compromised credentials immediately.

    • Rotate keys and revoke active role sessions by attaching an inline Deny on all actions conditioned on aws:TokenIssueTime being earlier than the revocation time (the IAM console's "Revoke sessions" action applies such a policy).

    • Review CloudTrail for root cause.

    • Follow the BizCloud Experts Incident Response Plan.


Exceptions & Reviews

  • Exception Handling

    • Document exceptions in the ticketing system with Security and Architecture approval; set quarterly expiry.

  • Periodic Access Reviews

    • Validate active users, roles, and groups against current job needs using IAM credential reports and last-accessed data; remove unused permissions and identities.


Enforcement

Non-compliance may result in access suspension, disciplinary action, or policy revisions. All violations are reported to Senior Management.


Review Cycle

This policy will be reviewed annually or following significant AWS IAM feature updates.