Abstract: Resource state validation may be performed for access management policies by an identity and access management system. An access management policy associated with an account for network-based services may be received and validated according to resource state obtained for resources associated with the account. A correction for a portion of the access management policy may be identified according to the validation and provided via an interface for the identity and access management system.

Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.

Abstract: Methods, systems, and computer-readable media for generating access control policies using static analysis are disclosed. An access control policy generator performs static analysis of program code of a software product. The static analysis identifies one or more calls to one or more external components in the program code. The access control policy generator determines a mapping of the one or more calls to one or more actions. The one or more actions are selected from a plurality of known actions supported by an access control policy manager. The access control policy generator generates an access control policy associated with the software product. The access control policy comprises one or more permissions with respect to the one or more external components. The access control policy permits the software product to access the plurality of external components using the access control policy manager during execution of the software product.

Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

Abstract: Techniques are described for generating a specification of security-relevant behavior associated with web services of a cloud provider network. Source code or software development artifacts associated with an implementation of a web service is obtained, where the source code of software development artifacts include an implementation of a request handler for an action of the service. The request handler includes a request authorization component, e.g., which may involve interaction with an identity and access management service of the cloud provider network to authenticate and authorize requests and may further rely upon one or more authorization contexts included in the requests received by the request handler. An interprocedural data flow analyzer is used to analyze a model representation of the bytecode to identify and generate specifications of authorization patterns associated with the request handler.

Abstract: Access management policies may be generated from example requests. An access management policy may be received. One or more example requests that have expected results when evaluated with respect to the access management policy may be received. Updates to the access management policy may be determined that cause the expected results to occur when a new version of the access management policy based on the updates is enforced. The new version of the access management policy may be generated based on the updates.

Abstract: Techniques are described for using compositional reasoning techniques to perform role reachability analyses relative to collections of user accounts and roles of a cloud provider network. Delegated role-based resource management generally is a method for controlling access to resources in cloud provider networks and other distributed systems. Many cloud provider networks, for example, implement identity and access management subsystems using this approach, where the concept of “roles” is used to specify which resources can be accessed by people, software, or (recursively) by other roles. An abstraction of the role reachability analysis is provided that can be used as input to a model-checking application to reason about such role reachability questions (e.g., which roles of an organization are reachable from other roles).

Abstract: Resource state validation may be performed for access management policies by an identity and access management system. An access management policy associated with an account for network-based services may be received and validated according to resource state obtained for resources associated with the account. A correction for a portion of the access management policy may be identified according to the validation and provided via an interface for the identity and access management system.

Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.

Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

Abstract: Methods, systems, and computer-readable media for analysis of role reachability with transitive tags are disclosed. An access control analyzer determines a graph comprising a plurality of nodes and one or more edges. The nodes represent roles in a provider network hosting resources. The roles are associated with access control policies granting or denying access to individual resources. One or more of the access control policies grant or deny access based (at least in part) on one or more key-value attributes. The access control analyzer determines, based (at least in part) on a role reachability analysis of the graph, whether a first role can assume a second role using one or more role assumption steps for a particular state of the one or more attributes. The one or more attributes may comprise one or more transitive attributes that persist during the one or more role assumption steps.

Abstract: Techniques are described for using compositional reasoning techniques to perform role reachability analyses relative to collections of user accounts and roles of a cloud provider network. Delegated role-based resource management generally is a method for controlling access to resources in cloud provider networks and other distributed systems. Many cloud provider networks, for example, implement identity and access management subsystems using this approach, where the concept of “roles” is used to specify which resources can be accessed by people, software, or (recursively) by other roles. An abstraction of the role reachability analysis is provided that can be used as input to a model-checking application to reason about such role reachability questions (e.g., which roles of an organization are reachable from other roles).

Abstract: Resource state validation may be performed for access management policies by an identity and access management system. An access management policy associated with an account for network-based services may be received and validated according to resource state obtained for resources associated with the account. A correction for a portion of the access management policy may be identified according to the validation and provided via an interface for the identity and access management system.