Zhang, Boyun
2020-12-15 2020-12-15 2020-12-15 2020-12-14
http://hdl.handle.net/10012/16553

This thesis addresses Amazon Web Services (AWS) identity-based policies with "read", "write" and "execute" actions. AWS is a large provider of cloud computing, and security is an important property that an application running in AWS must meet. Towards this, AWS provides users of its services with a powerful mechanism, and an associated syntax, for articulating identity-based policies, which manage and grant permissions to an identity, including an IAM user, group or role. The current design of the AWS policy syntax requires the owner of a cloud application to specify the actions that a user or role is allowed to execute. A file system with traditional UNIX permissions manages resources in a manner similar to AWS, but with only three actions: "read", "write" and "execute". We propose a new syntax for AWS identity-based policies in which all possible actions are restricted to "read", "write" and "execute". We expect this new syntax to be more usable than the current design from the standpoint of ease and accuracy. We discuss the design and carry out a small-scale human participant study with 20 participants to validate this hypothesis. The results of the study demonstrate that the current approach to specifying AWS policy makes it easier for AWS community developers to adhere to least privilege and brings users more convenience in access control.

en
access control; Amazon Web Service; traditional UNIX permission; security
AWS Identity-based Policies with "Read", "Write" and "Execute" Actions
Master Thesis