Synthesizing Access Control Policies using Large Language Models

  • 2025-03-14 17:40:25
  • Adarsh Vatsa, Pratyush Patel, William Eiers

Abstract

Cloud compute systems allow administrators to write access control policies that govern access to private data. While policies are written in convenient languages, such as AWS Identity and Access Management Policy Language, manually written policies often become complex and error-prone. In this paper, we investigate whether and how well Large Language Models (LLMs) can be used to synthesize access control policies. Our investigation focuses on the task of taking an access control request specification and zero-shot prompting LLMs to synthesize a well-formed access control policy which correctly adheres to the request specification. We consider two scenarios, one in which the request specification is given as a concrete list of requests to be allowed or denied, and another in which a natural language description is used to specify sets of requests to be allowed or denied. We then argue that for zero-shot prompting, more precise and structured prompts using a syntax-based approach are necessary and experimentally show preliminary results validating our approach.

 
