{
	"id": "1aecd6c8-f3c6-494c-b29e-e5dc1c824a8a",
	"created_at": "2026-04-06T00:11:59.504723Z",
	"updated_at": "2026-04-10T03:23:52.368803Z",
	"deleted_at": null,
	"sha1_hash": "d64eb6efed5f909f1149e8a60a47e64850bfc602",
	"title": "Data Perimeters on AWS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 362087,
	"plain_text": "Data Perimeters on AWS\r\nArchived: 2026-04-05 15:47:51 UTC\r\nData perimeters on AWS\r\nWhat is a data perimeter?\r\nA data perimeter is a set of permissions guardrails in your AWS environment you use to help ensure that only your\r\ntrusted identities are accessing trusted resources from expected networks. Data perimeter guardrails are meant to\r\nserve as always-on boundaries to help protect your data across a broad set of AWS accounts and resources. These\r\norganization-wide guardrails do not replace your existing fine-grained access controls. Instead, they help improve\r\nyour security strategy by ensuring that all AWS Identity and Access Management (IAM) users, roles, and\r\nresources adhere to a set of defined security standards. Data perimeter guardrails work alongside AWS Well-Architected Framework security design principles and other security best practices to strengthen your overall\r\nsecurity posture.\r\nExplore data perimeters in AWS Identity and Access Management (IAM) documentation.\r\nConsult the Data perimeter policy examples GitHub repo for service-specific considerations when\r\nimplementing data perimeters in your environment.\r\nLearn from customers' implementations of data perimeter controls for specific use cases.\r\nHow it works\r\nTo establish data perimeters, define your control objectives first and implement those objectives by using service\r\ncontrol policies (SCPs), resource control policies (RCPs), and VPC endpoint policies. 
Then, apply these policies\r\nas data perimeter guardrails in your AWS organization.\r\nhttps://aws.amazon.com/identity/data-perimeters-on-aws/\r\nPage 1 of 4\n\nData perimeter control objectives and capabilities\r\nData perimeter coarse-grained controls help you achieve six distinct security objectives through the\r\nimplementation of different combinations of IAM policy types and condition keys.\r\nBenefits\r\nMeet security and compliance requirements\r\nImplement organization-wide permissions guardrails that help prevent AWS accounts, organizational units, or an\r\nentire organization from taking actions that do not meet your security and compliance policies. By using\r\npreventive controls, you can establish that only your trusted identities are accessing trusted resources from\r\nexpected networks.\r\nImprove your data loss prevention strategies\r\nUse data perimeters in your data loss prevention strategies to detect and help prevent intentional or unintentional\r\ntransfers of sensitive information for unauthorized use. Data perimeters provide cloud-native preventive controls\r\nto restrict access to sensitive data to the trusted identities you intend.\r\nEstablish an organization-wide data perimeter\r\nWith an organization-wide data perimeter in place, you can start by granting broader permissions to developers to\r\nget them started quickly on their projects. After the workload is well defined, work your way toward specific\r\npermissions and least privilege.\r\nUse cases\r\nAllow data access to only those you want to have access\r\nEstablish an organization-wide data perimeter to allow data access to only those you want to have access. For\r\nexample, they can help you ensure that data is accessed only by your employees and only from your corporate\r\nnetwork, including your on-premises data centers or VPCs. 
Also, they can help prevent resources from being\r\nshared with external roles and users.\r\nHelp protect sensitive information\r\nHelp protect sensitive information with organization-wide data perimeters. Also help prevent employees from\r\nusing non-corporate credentials to access non-corporate resources, which could lead to intentional or unintentional\r\ndata loss. Help ensure that your employees can access only company-approved data stores.\r\nHelp prevent credential use outside of your corporate environment\r\nHelp prevent employees from using corporate credentials outside of your corporate environment, including your\r\non-premises data centers and VPCs. Create an organization-wide perimeter that helps prevent your identities from\r\nperforming any actions outside of your corporate network.\r\nResources\r\nTechnical documentation\r\nTech talk\r\nBuilding a data perimeter on AWS\r\nWhitepaper\r\nBuilding a data perimeter on AWS\r\nGitHub repo\r\nData perimeter policy examples\r\nBlogs\r\nBlog Post Series: Establishing a Data Perimeter on AWS\r\nThe purpose of the Data Perimeters Blog Post Series is to provide prescriptive guidance about establishing your\r\ndata perimeter at scale, including key security and implementation considerations. These blog posts cover in depth\r\nthe objectives and foundational elements needed to enforce identity, resource, and network data perimeters and\r\nhow to use a risk-based approach to apply the relevant controls.\r\nCustomer use cases\r\nVideo\r\nAWS re:Inforce 2025 - Establishing a data perimeter on AWS, featuring Block, Inc. 
(IAM305)\r\nVideo\r\nAWS re:Inforce 2024 - Establishing a data perimeter on AWS, featuring Capital One (IAM305)\r\nVideo\r\nAWS re:Inforce 2023 - Establishing a data perimeter on AWS, featuring USAA (IAM301)\r\nDocument\r\nAWS re:Invent 2022 - Establishing a data perimeter on AWS, featuring Goldman Sachs (SEC326)\r\nVideo\r\nAWS re:Inforce 2022 - Establishing a data perimeter on AWS, featuring Vanguard (IAM304)\r\nHands-on activities\r\nSource: https://aws.amazon.com/identity/data-perimeters-on-aws/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://aws.amazon.com/identity/data-perimeters-on-aws/"
	],
	"report_names": [
		"data-perimeters-on-aws"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d64eb6efed5f909f1149e8a60a47e64850bfc602.pdf",
		"text": "https://archive.orkl.eu/d64eb6efed5f909f1149e8a60a47e64850bfc602.txt",
		"img": "https://archive.orkl.eu/d64eb6efed5f909f1149e8a60a47e64850bfc602.jpg"
	}
}