Amazon.com, Inc.
Quantifying permissiveness of access control policies using model counting techniques and automated policy downscaling

Abstract:

Systems and methods for quantifying permissiveness of access control policies using model counting techniques and automated policy downscaling are disclosed. A policy service receives an initial access policy and transforms the access policy into an access constraint compatible with a constraint solver. The policy service determines a degree of permissiveness of the policy based on a number of distinct solutions to the access constraint identified by the constraint solver. Using the initial access policy together with data associated with access requests precisely allowed by the initial access policy, the policy service generates a modified policy by adding additional constraints to the access policy and determining that the modified policy is less permissive than the initial access policy.
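The flow the abstract describes, sketched as an added example that is not taken from the patent: permissiveness is the count of requests satisfying the policy constraint, and downscaling adds constraints derived from allowed requests, then confirms the count dropped. Assumptions: exhaustive enumeration over a small constructed request space stands in for the constraint solver, and the policy format, `usage_key` generalisation and all names are hypothetical.

```python
from fnmatch import fnmatchcase
from itertools import product

# Constructed finite request space (principal, action, resource); an assumption.
PRINCIPALS = ["alice", "bob", "ci-runner"]
ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]
RESOURCES = ["logs/app.log", "logs/audit.log", "data/a.csv", "data/b.csv"]
UNIVERSE = list(product(PRINCIPALS, ACTIONS, RESOURCES))

def allows(policy, request):
    """Access constraint: some statement's patterns match the request and
    every extra constraint attached to that statement also holds."""
    return any(
        all(fnmatchcase(v, p) for v, p in zip(request, stmt["match"]))
        and all(c(request) for c in stmt.get("and", []))
        for stmt in policy
    )

def permissiveness(policy):
    """Model count by exhaustive enumeration: distinct requests that satisfy
    the constraint (stand-in for a solver-based model counter)."""
    return sum(allows(policy, r) for r in UNIVERSE)

def usage_key(request):
    """Hypothetical generalisation: (action, top-level resource prefix)."""
    return request[1], request[2].split("/")[0]

def downscale(policy, observed):
    """Constrain each statement to usage seen in requests the initial policy
    allowed; keep the result only if it is strictly less permissive."""
    used = [r for r in observed if allows(policy, r)]
    seen = {usage_key(r) for r in used}
    modified = [
        {**s, "and": s.get("and", []) + [lambda r: usage_key(r) in seen]}
        for s in policy
    ]
    ok = permissiveness(modified) < permissiveness(policy) and all(
        allows(modified, r) for r in used
    )
    return modified if ok else policy

INITIAL = [{"match": ("*", "s3:*", "logs/*")}, {"match": ("ci-runner", "s3:*", "*")}]
OBSERVED = [  # constructed access log; the last entry was denied and is ignored
    ("alice", "s3:GetObject", "logs/app.log"),
    ("bob", "s3:GetObject", "logs/audit.log"),
    ("ci-runner", "s3:PutObject", "data/a.csv"),
    ("alice", "s3:DeleteObject", "data/a.csv"),
]
MODIFIED = downscale(INITIAL, OBSERVED)
```

On this sample the initial policy admits 32 of the 48 possible requests and the downscaled policy admits 8, while every observed request that was allowed before is still allowed.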

Status:
Grant
Type:

Utility

Filing date:

13 Dec 2019

Issue date:

2 Nov 2021