Enforcing Time-Based Access Restrictions for Astra Scans on AWS

Last updated: June 11, 2026

Introduction

If you want to restrict Astra's access to your AWS environment to specific time windows (for example, 11:00 AM to 6:00 PM IST), you can enforce this at the infrastructure level using AWS IAM policies.

While Astra analysts follow scheduling guidelines manually, this additional control ensures access is blocked outside approved hours regardless of configuration errors or scheduling misses.

Permissions Astra Requires

Assign the following to the IAM user or role used by Astra:

  • SecurityAudit — for visibility into security-relevant resources

  • ReadOnlyAccess — for general inspection permissions

  • A custom inline policy (described below) to block access outside approved hours

Sample Custom Policy: Time-Based Deny

This policy denies all access outside the 11:00 AM – 6:00 PM IST window. Since IAM evaluates time in UTC, this corresponds to 05:30 – 12:30 UTC. The example below covers a 3-day window; adjust the dates to match your pentest schedule.

To create this policy, go to IAM Console > Policies > Create policy > JSON tab, or follow AWS's official guide on creating IAM policies.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2025-07-08T12:30:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2025-07-09T05:29:59Z" }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2025-07-09T12:30:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2025-07-10T05:29:59Z" }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2025-07-10T12:30:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2025-07-11T05:29:59Z" }
      }
    }
  ]
}

Review and test the policy in your environment before attaching it to the user or role. Note that the three statements above deny only the overnight gaps between the listed days: nothing blocks access before 05:30 UTC on July 8 or after 05:29:59 UTC on July 11, so add statements for those periods (or remove the credentials) if the engagement has a hard start and end. The example can be used as a base and adjusted to fit your specific access requirements.

Caveats and AWS Limitations

  • AWS IAM does not support recurring time-of-day conditions. Each window must be defined using absolute UTC timestamps.

  • The policy must be extended manually or through automation (for example, on a daily or weekly cadence) to cover dates beyond those specified.

  • IAM condition keys like aws:CurrentTime work with full date/time strings and do not support local time zones like Asia/Kolkata.

For more details, refer to AWS's documentation on time-based policy conditions.

Optional Automation

To enforce this on an ongoing basis, automate daily policy updates using AWS Lambda, your CI/CD pipeline, or an internal script that generates and replaces the inline policy on a regular schedule.
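The script below is an added example, not Astra's or AWS's own tooling, that serves both the sample policy above and this automation step. It generates the Deny policy for any date range and local window, converts each boundary to UTC, includes an offline check that answers "is this instant denied?" so the policy can be tested before it is attached, and replaces the inline policy with boto3's put_user_policy. It goes beyond the page's sample in two ways: it uses DateGreaterThanEquals/DateLessThan so the one-second hole at each boundary disappears, and with bookend=True it also denies all access before the first window opens and after the last one closes. Assumptions: the IST offset is a fixed +05:30 (pass a zoneinfo tzinfo for a zone with DST), the IAM user name and policy name are placeholders, and boto3 is only required when push_inline_policy() is actually called.

```python
"""Generate, check and install the time-window Deny policy for an Astra scan
identity. Added example: not Astra's or AWS's tooling. Assumes Python 3.7+;
boto3 is needed only when push_inline_policy() is called."""
import json
from datetime import date, datetime, time, timedelta, timezone, tzinfo

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"                      # format aws:CurrentTime compares against
IST = timezone(timedelta(hours=5, minutes=30))    # fixed offset; IST has no DST


def _fmt(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(ISO_Z)


def _parse(s: str) -> datetime:
    return datetime.strptime(s, ISO_Z).replace(tzinfo=timezone.utc)


def _deny(condition: dict) -> dict:
    return {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": condition}


def build_policy(first_day: str, last_day: str, start_local: str = "11:00",
                 end_local: str = "18:00", tz: tzinfo = IST,
                 bookend: bool = True) -> dict:
    """Deny everything outside start_local-end_local (in tz) on each day from
    first_day to last_day (ISO dates, inclusive). Each boundary is converted to
    UTC on its own, so a zoneinfo tz with DST also works. With bookend=True two
    extra statements deny all access before the first window opens and after
    the last one closes; the page's sample leaves those periods open."""
    start_t, end_t = time.fromisoformat(start_local), time.fromisoformat(end_local)
    if start_t >= end_t:
        raise ValueError("window must start and end on the same day")
    day, last = date.fromisoformat(first_day), date.fromisoformat(last_day)
    opens, closes = [], []
    while day <= last:
        opens.append(datetime.combine(day, start_t, tzinfo=tz))
        closes.append(datetime.combine(day, end_t, tzinfo=tz))
        day += timedelta(days=1)

    statements = []
    if bookend:
        statements.append(_deny({"DateLessThan": {"aws:CurrentTime": _fmt(opens[0])}}))
    # One statement per overnight gap. GreaterThanEquals + LessThan is a half-open
    # span, so there is no one-second hole at either edge of the window.
    for close_dt, next_open in zip(closes, opens[1:]):
        statements.append(_deny({
            "DateGreaterThanEquals": {"aws:CurrentTime": _fmt(close_dt)},
            "DateLessThan": {"aws:CurrentTime": _fmt(next_open)},
        }))
    if bookend:
        statements.append(_deny({"DateGreaterThanEquals": {"aws:CurrentTime": _fmt(closes[-1])}}))
    return {"Version": "2012-10-17", "Statement": statements}


_OPS = {
    "DateGreaterThan": lambda now, v: now > v,
    "DateGreaterThanEquals": lambda now, v: now >= v,
    "DateLessThan": lambda now, v: now < v,
    "DateLessThanEquals": lambda now, v: now <= v,
}


def is_denied(policy: dict, when_utc: str) -> bool:
    """Offline check before attaching: does any Deny statement match at the
    given instant (ISO string ending in 'Z')? IAM ANDs the conditions inside
    one statement, so all of them must hold for it to match."""
    now = _parse(when_utc)
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        conds = st.get("Condition", {})
        if all(_OPS[op](now, _parse(val["aws:CurrentTime"])) for op, val in conds.items()):
            return True
    return False


def push_inline_policy(policy: dict, user_name: str,
                       policy_name: str = "AstraTimeWindowDeny") -> None:
    """Install or replace the inline policy on the IAM user (names are
    placeholders). put_user_policy overwrites an existing policy of the same
    name, which is what a daily refresh wants; use put_role_policy for a role."""
    import boto3  # lazy import: the generator and checker run without boto3
    boto3.client("iam").put_user_policy(UserName=user_name, PolicyName=policy_name,
                                        PolicyDocument=json.dumps(policy))


if __name__ == "__main__":
    doc = build_policy("2025-07-08", "2025-07-10")
    print(json.dumps(doc, indent=2))
    for probe in ("2025-07-08T12:00:00Z", "2025-07-08T13:00:00Z", "2025-07-11T08:00:00Z"):
        print(probe, "denied" if is_denied(doc, probe) else "allowed")
```

Run it daily from Lambda or a pipeline job with first_day set to today and last_day to the end of the engagement; because put_user_policy overwrites the policy of the same name, each run replaces the previous window rather than accumulating statements. The bookend statement at the end also means a missed run fails closed: once the last generated window passes, the identity is denied until the next successful refresh.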