A system and method for controlling access to web services resources. A system may include a storage medium configured to store instructions and one or more processors configured to access the storage medium. The instructions may be executable by at least one of the processors to implement a web services access control system (ACS) configured to receive requests. Each request specifies an access operation to be performed with respect to a corresponding resource. Each of the requests is associated with a corresponding principal. For each received request, the ACS may be further configured to determine whether an access control entry exists that is associated with both the resource and principal associated with the request and that specifies an access type sufficient to perform the access operation. If no such entry exists, the ACS may deny the request.