Enforcing Time-Based Access Restrictions for Astra Scans on AWS

Last updated: July 8, 2025

If you prefer to restrict Astra's access to your AWS environment within specific time windows (e.g., 11:00 AM to 6:00 PM IST), you can enforce this at the infrastructure level using AWS IAM policies.

While Astra analysts follow these guidelines manually, this additional control ensures access is blocked outside of approved hours regardless of configuration errors or scheduling misses.

Permissions Astra Requires

To enable secure read-only scanning, please attach the following to the IAM user or role used by Astra: two AWS-managed policies and one custom inline policy.

  1. SecurityAudit – for visibility into security-relevant resources.

  2. ReadOnlyAccess – for general inspection permissions.

  3. A custom inline policy (provided below) that denies access outside of the approved hours.

Sample Custom Policy: Time-Based Deny

You can create this custom IAM policy by navigating to the IAM Console > Policies > Create policy > JSON tab, or refer to AWS’s official guide on creating IAM policies for step-by-step instructions.

The IAM policy below denies all access outside the 11:00 AM – 6:00 PM IST window on each of three consecutive days (8–10 July 2025). Because IAM evaluates aws:CurrentTime in UTC, that window corresponds to 05:30 – 12:30 UTC, so each Deny statement covers the gap from the end of one day's window to the start of the next day's window.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2025-07-08T12:30:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2025-07-09T05:29:59Z" }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2025-07-09T12:30:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2025-07-10T05:29:59Z" }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2025-07-10T12:30:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2025-07-11T05:29:59Z" }
      }
    }
  ]
}

This policy leaves Astra with access only during your specified window and blocks all actions outside it, for the dates covered by its statements.

Please review and test the policy in your environment before attaching it to the user or role. The example provided can be used as a base and adjusted to fit your specific access requirements.

Caveats and AWS Limitations

  • AWS IAM does not support recurring time-of-day conditions. Each date/time window must be explicitly defined using absolute UTC timestamps.

  • The policy must therefore be updated, manually or through automation (e.g., daily or weekly), to extend coverage beyond the specified days.

  • IAM condition keys such as aws:CurrentTime take full date/time strings in UTC and do not accept local time-zone names such as Asia/Kolkata; convert IST (UTC+5:30) to UTC before writing the timestamps.

  • For more details, refer to AWS’s documentation on time-based policy conditions.

Optional Automation

To enforce this permanently, automate the daily policy update with AWS Lambda, your CI/CD pipeline, or an internal script that regenerates and replaces the inline policy on a schedule.
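As an added example of such a generator (it is not Astra's tooling), the Python below builds the same per-day Deny statements as the sample policy for any number of days and any IST window, and includes a local dry run that checks a timestamp against the generated statements before you attach the policy. The function names deny_window_policy and is_denied are this example's own; the policy shape and condition operators are standard IAM.

```python
import json
from datetime import date, datetime, time, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # IST has no DST; a fixed offset suffices
IAM_TIME = "%Y-%m-%dT%H:%M:%SZ"                  # format aws:CurrentTime is compared against

def _ist_to_iam(day: date, wall_clock: time) -> str:
    """Combine a calendar day with an IST wall-clock time and return the UTC string IAM expects."""
    return datetime.combine(day, wall_clock, tzinfo=IST).astimezone(timezone.utc).strftime(IAM_TIME)

def deny_window_policy(first_day: str, days: int, window_start: str = "11:00", window_end: str = "18:00") -> dict:
    """Deny everything outside window_start-window_end IST on `days` consecutive days from first_day.

    One Deny statement per gap, from the end of one day's window (inclusive, DateGreaterThanEquals)
    to the start of the next day's window (exclusive, DateLessThan). Same shape as the sample
    policy above, but without the one-second slivers that strict comparisons on HH:MM:59 leave.
    """
    start, end = time.fromisoformat(window_start), time.fromisoformat(window_end)
    day, statements = date.fromisoformat(first_day), []
    for _ in range(days):
        nxt = day + timedelta(days=1)
        statements.append({
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {
                "DateGreaterThanEquals": {"aws:CurrentTime": _ist_to_iam(day, end)},
                "DateLessThan": {"aws:CurrentTime": _ist_to_iam(nxt, start)},
            },
        })
        day = nxt
    return {"Version": "2012-10-17", "Statement": statements}

def is_denied(policy: dict, when: str) -> bool:
    """Local dry run: True if any Deny statement's time condition matches `when`.

    `when` is ISO-8601; a value without a UTC offset is read as IST. Only the two date
    operators used above are evaluated, so also test the real policy with the IAM policy simulator.
    """
    at = datetime.fromisoformat(when)
    at = (at if at.tzinfo else at.replace(tzinfo=IST)).astimezone(timezone.utc)
    for cond in (s["Condition"] for s in policy["Statement"]):
        lo = datetime.strptime(cond["DateGreaterThanEquals"]["aws:CurrentTime"], IAM_TIME).replace(tzinfo=timezone.utc)
        hi = datetime.strptime(cond["DateLessThan"]["aws:CurrentTime"], IAM_TIME).replace(tzinfo=timezone.utc)
        if lo <= at < hi:
            return True
    return False

if __name__ == "__main__":  # same three days as the sample policy on this page
    print(json.dumps(deny_window_policy("2025-07-08", 3), indent=2))
```

Note that, like the sample above, the generated statements deny nothing before the first day's window ends or after the last gap closes, so schedule the regeneration before the last statement expires.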