In AWS environments, a data perimeter is a set of preventative controls that help ensure that your trusted cloud identities (principals or AWS services acting on your behalf) are accessing trusted resources from authorized networks. You can apply these controls at various levels of your infrastructure, such as per resource or across all resources in your AWS account.
The ability to apply controls at different levels creates an effective defense-in-depth approach to protecting data, but it also makes it hard to know where gaps exist. Datadog’s 2025 Cloud Security report found that approximately 40% of organizations use data perimeters, with most applying them per resource. Of that group, fewer than 1% use recommended organization-level solutions, such as resource control policies (RCPs) and service control policies (SCPs).
In this post, we’ll walk through examples of data perimeters configured per resource, since that’s where most organizations apply them. Then we’ll look at the security gaps that resource-level controls can create. In each section, we’ll simulate an attack against each gap by using Stratus Red Team, an open source threat emulation tool, and then apply an organization-level policy that closes the gap.
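As an added illustration (not code from the post or from Datadog), this is what an organization-level resource control policy of the kind mentioned above looks like: it denies S3, SQS, KMS, Secrets Manager and STS AssumeRole access to every resource in the organization's accounts unless the calling principal belongs to the organization (`aws:PrincipalOrgID`) or is an AWS service principal (`aws:PrincipalIsAWSService`). The organization ID is a placeholder; a per-resource policy would carry the same conditions but protect only the one bucket, queue or key it is attached to.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceOrgIdentities",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:*",
        "sqs:*",
        "kms:*",
        "secretsmanager:*",
        "sts:AssumeRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-PLACEHOLDERORGID"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

The `IfExists` operators matter: they make the Deny apply when the condition key is absent from the request context (for example, an unauthenticated call), while still exempting AWS service principals. This policy covers only the identity dimension of the perimeter; the network dimension (authorized networks) is expressed with additional conditions such as `aws:SourceVpc`.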