Generally described, computing devices utilize a communication network, or a series of communication networks, to exchange data. Organizations operate computer networks that interconnect a number of computing devices to support operations or to provide services to third parties. The computing systems can be located in a single geographic location or in multiple, distinct geographic locations (e.g., interconnected via private or public communication networks). Specifically, data centers or other computing resource centers may include a number of interconnected computing systems to provide computing resources to users. To facilitate increased utilization of resources, virtualization technologies allow a single physical computing device to host one or more instances of virtual machines that appear and operate as independent computing devices. With virtualization, a single physical computing device can create, maintain, delete, or otherwise manage virtual machines in a dynamic manner. In turn, users can request computing resources from a data center and be provided with varying numbers of virtual machine instances. In some scenarios, virtual machine instances may be configured according to a number of virtual machine instance types to provide specific functionality.
In order to ensure that only authorized users are able to access the functionality provided by these various instances, an authentication and authorization system having a plurality of controls can be utilized. A user can write access policies that express the specific conditions or criteria (e.g., the identity of the caller, the source network address, the time of the request, or whether multi-factor authentication was used) under which a user or device is authorized to access a resource. Such an approach is limited, however, in that only the conditions the policy language already supports can be expressed, and a provider of a resource environment will typically not want customers running arbitrary code on the resources that are making security decisions, since such code would execute with the privileges of the authorization system itself. Further, it can be undesirable to manage a fleet of resources that has to handle the arbitrary compute jobs that users could spawn as part of each authorization decision.
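The following is an added illustration, not code from the original document or from any particular provider's authorization system. It shows the two designs the paragraph above contrasts: a deny-by-default policy evaluator whose conditions are limited to a fixed allowlist of operators the provider implements, beside an evaluator that accepts a policy author's own expression and runs it in the decision path. The policy format, the operator names (IpAddress, StringEquals, Bool, DateLessThan), the context keys and the sample policies are all constructed for this example and are assumptions, not any real policy language.

```python
"""Added example: constrained, declarative access-policy evaluation versus
policy conditions expressed as customer-supplied code. All policy documents,
operator names and request contexts below are constructed for illustration."""
from datetime import datetime
from fnmatch import fnmatchcase
import ipaddress


# --- Provider-defined condition operators. These are the ONLY conditions a
# --- customer policy can express; there is no way to supply new logic.

def _ip_in_any(value, networks):
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _date_before(value, limit):
    # Both sides are ISO-8601 timestamps (assumed format for this example).
    return datetime.fromisoformat(value) < datetime.fromisoformat(limit)


OPERATORS = {
    "IpAddress": _ip_in_any,                          # source IP in any listed CIDR
    "StringEquals": lambda value, expected: value == expected,
    "Bool": lambda value, expected: bool(value) is bool(expected),
    "DateLessThan": _date_before,
}


def validate_policy(policy):
    """Reject any statement that names an operator outside the allowlist.
    Validation happens before evaluation, so an unsupported condition is
    never interpreted at request time."""
    for stmt in policy:
        for op in stmt.get("Condition", {}):
            if op not in OPERATORS:
                raise ValueError(f"unsupported condition operator {op!r}")


def policy_is_declarative(policy):
    """True if every condition in the policy uses an allowlisted operator."""
    try:
        validate_policy(policy)
        return True
    except ValueError:
        return False


def _conditions_hold(conditions, context):
    for op, pairs in conditions.items():
        for key, expected in pairs.items():
            if key not in context:        # a missing context key never satisfies a condition
                return False
            if not OPERATORS[op](context[key], expected):
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    return (any(fnmatchcase(action, a) for a in stmt["Action"])
            and any(fnmatchcase(resource, r) for r in stmt["Resource"])
            and _conditions_hold(stmt.get("Condition", {}), context))


def is_authorized(policy, action, resource, context):
    """Deny by default; an explicit Deny that matches overrides any Allow."""
    validate_policy(policy)
    allowed = False
    for stmt in policy:
        if not _statement_matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# --- The pattern the text warns against: the policy author's own code runs
# --- on the machine making the security decision, with that machine's privileges.

def is_authorized_custom_code(policy, action, resource, context):
    for stmt in policy:
        if (any(fnmatchcase(action, a) for a in stmt["Action"])
                and any(fnmatchcase(resource, r) for r in stmt["Resource"])
                and eval(stmt["Condition"]["PythonExpression"], {}, dict(context))):  # arbitrary code
            return stmt["Effect"] == "Allow"
    return False


# Constructed sample policies (hypothetical action/resource naming).
POLICY = [
    {"Effect": "Allow", "Action": ["storage:GetObject"], "Resource": ["bucket/reports/*"],
     "Condition": {"IpAddress": {"SourceIp": ["10.0.0.0/8"]},
                   "Bool": {"MfaPresent": True},
                   "DateLessThan": {"RequestTime": "2025-01-01T00:00:00"}}},
    {"Effect": "Deny", "Action": ["storage:*"], "Resource": ["bucket/reports/restricted/*"]},
]

CUSTOM_POLICY = [
    {"Effect": "Allow", "Action": ["storage:GetObject"], "Resource": ["bucket/*"],
     # Reads like a condition, but also does whatever else the author wants on the evaluator.
     "Condition": {"PythonExpression": "__import__('os').getpid() > 0 and MfaPresent"}},
]

if __name__ == "__main__":
    ctx = {"SourceIp": "10.1.2.3", "MfaPresent": True, "RequestTime": "2024-06-01T12:00:00"}
    print(is_authorized(POLICY, "storage:GetObject", "bucket/reports/q1.csv", ctx))         # True
    print(is_authorized(POLICY, "storage:GetObject", "bucket/reports/restricted/x", ctx))   # False
    print(policy_is_declarative(CUSTOM_POLICY))                                             # False
```

The declarative evaluator refuses CUSTOM_POLICY outright, because "PythonExpression" is not an operator the provider implemented; the eval-based evaluator accepts the same policy and, in deciding the request, runs whatever the expression contains. That is the distinction the paragraph draws: a fixed operator set lets the provider reason about exactly what a policy can do and how much it can cost to evaluate, whereas customer code in the decision path turns the authorization fleet into a general-purpose compute service for untrusted input.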