A Formal Approach for the Verification of AWS IAM Access Control Policies

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10465)


Cloud computing offers elastic, scalable and on-demand network access to a shared pool of computing resources, such as storage and computation. Resources can be rapidly and elastically provisioned, and users pay for what they use. One of the major challenges in Cloud computing adoption is security, and in this paper we address one important security aspect: Cloud authorization. We provide a formal Attribute Based Access Control (ABAC) model that is based on Event-Calculus and is able to model and verify Amazon Web Services (AWS) Identity and Access Management (IAM) policies. The proposed approach is expressive and extensible. We provide generic Event-Calculus models and tool support to automatically convert JSON-based IAM policies into Event-Calculus. We also present performance evaluation results on actual IAM policies to justify the scalability and practicality of the approach.


Keywords: AWS cloud, IAM, Access control, Verification, Event-Calculus



Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  1. Secure Networks and Distributed Systems Lab (SENDS), National University of Computer and Emerging Sciences, Islamabad, Pakistan
  2. Université de Lorraine, LORIA, Vandoeuvre-lès-Nancy Cedex, France
