Can I do that with policy? Understanding the AWS Service Authorization Reference

Source: AWS Security Blog

Author: Anshu Bathla

URL: https://aws.amazon.com/blogs/security/can-i-do-that-with-policy-understanding-the-aws-service-authorization-reference/

ONE SENTENCE SUMMARY:

AWS IAM policies can only enforce controls on attributes that are present in the request's authorization context, so consult the Service Authorization Reference to decide whether a control is feasible in IAM and, if it is not, which alternative mechanism to use.

MAIN POINTS:

  1. Policy decisions are made only on the request context that exists at the time of the API call.
  2. The PARC model structures that context as Principal, Action, Resource, and Condition attributes.
  3. IAM can evaluate request metadata such as encryption headers, but not object contents or sizes, because those never reach the authorization context.
  4. Service Authorization Reference lists controllable actions, resource types, and condition keys.
  5. Global condition keys work across services; service-specific keys apply to one service.
  6. Feasibility hinges on whether a needed attribute exists as a condition key.
  7. ec2:RunInstances exposes a different set of condition keys for each resource type it touches (instance, image, subnet, and so on).
  8. s3:PutObject can be denied when the x-amz-server-side-encryption header is not AES256, via the s3:x-amz-server-side-encryption condition key.
  9. Principal tags (aws:PrincipalTag/...) enable dynamic EC2 instance-type restrictions keyed on the requester's cost center.
  10. The dynamodb:LeadingKeys condition key supports per-user item access by requiring the partition key value to equal ${aws:username}.

TAKEAWAYS:

  1. Start every control design by checking the Service Authorization Reference condition keys.
  2. Attributes absent from the request context (for example CIDR ranges and ports in security group rules, or Lambda memory size) cannot be enforced in IAM and need other governance mechanisms.
  3. Combine preventive IAM controls with AWS Config, EventBridge, and automation for defense-in-depth.
  4. Machine-readable authorization metadata can automate policy management and validation workflows.
  5. Action-level nuance matters; the same service exposes different keys per API operation.
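
Added example (mine, not code from the blog post): the three policy patterns in main points 8 to 10, plus the feasibility rule in takeaway 2, expressed as a constructed policy and a deliberately simplified evaluator that only sees the request context. The account id 123456789012, the bucket example-bucket, the table GameScores, the CostCenter tag and its values are all assumptions; the evaluator supports only the String* operators, the ForAllValues/ForAnyValue set prefixes, ${var} substitution and the Deny-overrides-Allow rule, and is not AWS's authorization engine.

```python
"""Simplified IAM policy evaluation over a request context (illustration only)."""
import fnmatch
import re

# Constructed policy: hypothetical account id, bucket, table and tag values.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUploads", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyUnlessAES256", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         # Header absent or not AES256 -> StringNotEquals is true -> explicit deny.
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "ResearchMayRunSmallInstances", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"aws:PrincipalTag/CostCenter": "research"},
                       "StringLike": {"ec2:InstanceType": "t3.*"}}},
        {"Sid": "OwnItemsOnly", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores",
         "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["${aws:username}"]}}},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _expand(value, ctx):
    """Substitute ${key} policy variables with context values (left as-is if absent)."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), value)


def _positive(op, actual, expected):
    """The non-negated form of a String operator."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator {op}")


def _condition_holds(condition, ctx):
    """All operators and all keys in a Condition block must hold (logical AND)."""
    for full_op, pairs in condition.items():
        set_op, _, op = full_op.rpartition(":")  # set_op is "" without a prefix
        negate = "Not" in op
        base = op.replace("Not", "", 1)
        for key, expected in pairs.items():
            expected = [_expand(v, ctx) for v in _as_list(expected)]
            actual = ctx.get(key)
            if actual is None:
                # A key missing from the context: negated operators succeed, and
                # ForAllValues is vacuously true. Any attribute a service never
                # places in the context therefore cannot be enforced here at all.
                ok = negate or set_op == "ForAllValues"
            elif set_op == "ForAllValues":
                ok = all(any(_positive(base, a, e) for e in expected) != negate for a in actual)
            elif set_op == "ForAnyValue":
                ok = any(any(_positive(base, a, e) for e in expected) != negate for a in actual)
            else:
                ok = any(_positive(base, actual, e) for e in expected) != negate
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return ExplicitDeny, Allow or ImplicitDeny for one request against one policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def run_examples():
    """Constructed requests for each pattern; every context dict is made up."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/*"
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"
    sse = "s3:x-amz-server-side-encryption"
    tag = "aws:PrincipalTag/CostCenter"
    return {
        "s3_aes256": evaluate(POLICY, "s3:PutObject", obj, {sse: "AES256"}),
        "s3_kms": evaluate(POLICY, "s3:PutObject", obj, {sse: "aws:kms"}),
        "s3_no_header": evaluate(POLICY, "s3:PutObject", obj, {}),
        "ec2_research_t3": evaluate(POLICY, "ec2:RunInstances", instance,
                                    {tag: "research", "ec2:InstanceType": "t3.micro"}),
        "ec2_research_m5": evaluate(POLICY, "ec2:RunInstances", instance,
                                    {tag: "research", "ec2:InstanceType": "m5.large"}),
        "ec2_finance_t3": evaluate(POLICY, "ec2:RunInstances", instance,
                                   {tag: "finance", "ec2:InstanceType": "t3.micro"}),
        "ddb_own_items": evaluate(POLICY, "dynamodb:Query", table,
                                  {"aws:username": "alice", "dynamodb:LeadingKeys": ["alice"]}),
        "ddb_other_items": evaluate(POLICY, "dynamodb:Query", table,
                                    {"aws:username": "alice", "dynamodb:LeadingKeys": ["alice", "bob"]}),
        # No LeadingKeys in the context: ForAllValues is vacuously true, so this is allowed.
        "ddb_no_key": evaluate(POLICY, "dynamodb:Query", table, {"aws:username": "alice"}),
    }


if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(f"{name:18} {decision}")
```

Two results are worth dwelling on. The missing-header upload is denied because StringNotEquals is true when the key is absent, which is why the negated form is the right one for "deny unless". The ddb_no_key case shows the opposite trap: ForAllValues is vacuously true when the key is absent, so a real policy should pair it with a `Null` condition on dynamodb:LeadingKeys. And there is no request you can construct to deny an upload by object size, because the evaluator, like IAM, never sees a key for it.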