
Limit Application Access to Groups of Users

Limit access to sensitive AWS applications with dynamic policy groups based on users in Active Directory.

An administrator is tasked with ensuring that when physicians are on Campus, they are permitted to access AWS cloud-hosted confidential medical records. However, when physicians connect to the network remotely from within the US, they are denied access to the same resource. To meet this requirement, two policies are needed.

The campus policy uses the source match criteria of AD Group Physicians and device location Campus. The destination match criteria are Application AWS apps: medical_confidential (cloud-native tag). All traffic is allowed in the security rule.

The remote policy uses the source match criteria of AD Group Physicians and device country US and device location Remote. The destination match criteria are Application AWS apps: medical_confidential (cloud-native tag). All traffic is denied in the security rule.
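The two policies above combine several match criteria into a single allow or deny decision. The following is an added example, not Elisity's code, that models that evaluation so the combinations can be checked before the policies are deployed: every source criterion (AD group, device location, and, for the remote policy, device country) and the destination criterion (the cloud-native application tag) must all hold for a policy to match. The field names, the first-match ordering, and the implicit default-deny fallback for sessions that match neither policy are assumptions of this model; the page does not state how the platform handles unmatched traffic.

```python
"""Added example (not Elisity's code): a minimal model of how the campus and
remote physician policies combine their match criteria into a decision.
Attribute names, first-match ordering and the implicit default are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """Constructed attributes of one session being evaluated (assumed names)."""
    ad_groups: FrozenSet[str]   # AD groups the user belongs to
    device_location: str        # "Campus" or "Remote"
    device_country: str         # country the device connects from, e.g. "US"
    app_tag: str                # cloud-native tag on the destination AWS app


@dataclass(frozen=True)
class Policy:
    """One policy: source criteria, destination criterion and the rule action."""
    name: str
    action: str                          # "allow" or "deny"
    ad_group: str
    device_location: str
    app_tag: str
    device_country: Optional[str] = None  # None means the criterion is not used

    def matches(self, ctx: Context) -> bool:
        # All configured criteria are ANDed; a policy with fewer criteria
        # is broader, not weaker.
        return (
            self.ad_group in ctx.ad_groups
            and ctx.device_location == self.device_location
            and ctx.app_tag == self.app_tag
            and (self.device_country is None
                 or ctx.device_country == self.device_country)
        )


# The two policies described on the page, expressed in this model.
POLICIES: List[Policy] = [
    Policy("campus-physicians", "allow",
           ad_group="Physicians", device_location="Campus",
           app_tag="medical_confidential"),
    Policy("remote-us-physicians", "deny",
           ad_group="Physicians", device_location="Remote",
           app_tag="medical_confidential", device_country="US"),
]


def evaluate(ctx: Context, policies: List[Policy] = POLICIES) -> Tuple[str, str]:
    """Return (action, policy_name) for the first matching policy.

    Assumption: traffic matching no policy falls through to an implicit deny;
    the page does not state the platform's actual default.
    """
    for policy in policies:
        if policy.matches(ctx):
            return policy.action, policy.name
    return "deny", "implicit-default"


def physician(location: str, country: str, tag: str = "medical_confidential") -> Context:
    """Helper building constructed sample sessions for a Physicians member."""
    return Context(frozenset({"Physicians"}), location, country, tag)


if __name__ == "__main__":
    samples = {
        "physician on campus": physician("Campus", "US"),
        "physician remote in US": physician("Remote", "US"),
        "physician remote outside US": physician("Remote", "DE"),
        "physician on campus, other app": physician("Campus", "US", tag="payroll"),
        "nurse on campus": Context(frozenset({"Nurses"}), "Campus", "US",
                                   "medical_confidential"),
    }
    for label, ctx in samples.items():
        action, name = evaluate(ctx)
        print(f"{label:32s} -> {action:5s} ({name})")
```

The third sample is the case worth noticing: a physician connecting remotely from outside the US matches neither policy, because the remote policy's device-country criterion is part of the AND. Whether that session is allowed or denied therefore depends on the platform's default for unmatched traffic rather than on anything the two policies say, so an explicit policy covering that case removes the ambiguity.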

To create these policies, navigate to the Policy section on the left pane of Cloud Control Center and select Add Policy (figure 1).

Figure 1. Creating a new policy by clicking the Add Policy button.

Give the policy a name and define your source and destination by selecting Add New Source and Add New Destination (figures 2-5). Unless you specify otherwise by clicking Make it a Policy Group, Cloud Control Center automatically creates a Policy Group with an auto-generated name based on the policy name. To reference this Policy Group in a different policy, you must give the Policy Group a custom name by selecting Make it a Policy Group.

Figure 2. Add new sources and destinations, and select the option to make it a reusable Policy Group.

Figure 3. Selecting an active directory group for policy sources.

Figure 4. Selecting the device location Campus.

Figure 5. Selecting a destination for an application in AWS based on an application tag.

Add a security rule to permit the traffic (figure 6). The resulting campus policy should look like this:

Figure 6. Creating a security rule for L3/L4 Protocol that Allows All Traffic.

Follow the same steps to deploy the second policy (figures 7-11).

Figure 7. Add new sources and destinations, and select the option to make it a reusable Policy Group.

Figure 8. Selecting an active directory group for policy sources.

Figure 9. Selecting the device country US (United States).

Figure 10. Selecting the device location Remote.

Figure 11. Selecting a destination for an application in AWS based on an application tag.

Add a security rule to deny the traffic (figure 12). The resulting remote policy should look like this:

Figure 12. Creating a security rule for L3/L4 Protocol that Denies All Traffic.

Once these policies are deployed, the Elisity platform immediately enforces them across all edges of the network. The Elisity platform also programs the required routes and rules in the AWS routing tables and security groups to meet the policy's goal.

To review or edit the policy, select the policy name. You can also delete the policy by selecting the three dots (more options) next to the policy name.