Security

Fine-Grained Authorization with Amazon Verified Permissions - Access Control Using Cedar Policies

Learn how to externalize authorization logic from application code using the Cedar policy language and implement token-based authorization decisions with Cognito integration.

約 3 分で読めます

Overview of Verified Permissions

Verified Permissions is a managed service that provides fine-grained authorization for applications, processing thousands of authorization requests per second. Traditionally, authorization logic was often implemented as if-statements within application code, requiring code deployments to change policies. Verified Permissions externalizes authorization rules using the Cedar policy language, allowing policy changes to take effect without code deployments.

Cedar Policies and Cognito Integration

Cedar policies consist of permit (allow) and forbid (deny) statements. You can declaratively write rules such as "User A is permitted to perform the read action on Document X" or "The admin role is permitted to perform all actions on all resources." With Cognito integration, ID token claims (groups, custom attributes) are used as principal attributes in Cedar policies, enabling token-based authorization decisions. A common pattern is to place a Lambda function as an API Gateway authorizer that calls the Verified Permissions IsAuthorized API.

Policy Stores and Batch Authorization

A policy store is a collection of Cedar policies, created per application. You define entity types (User, Document, Folder) and actions (Read, Write, Delete) in a schema to automate policy syntax validation. The IsAuthorized API authorizes a single request, while the BatchIsAuthorized API authorizes multiple requests at once. Policy templates define common patterns, and template-linked policies dynamically bind users and resources, streamlining policy management. CloudTrail records authorization request logs for access pattern analysis and auditing. For a comprehensive look at Verified Permissions best practices, check out technical books (Amazon).

Verified Permissions Pricing

Verified Permissions is priced based on the number of authorization requests. It costs approximately $15 per million requests, with no additional charges for policy store management or schema definitions. By integrating with Cognito, you can separate user authentication (Cognito) from authorization (Verified Permissions) and externalize authorization logic from application code. For applications with high request volumes, caching authorization results to reduce request counts is an effective cost optimization strategy.

Summary

Verified Permissions is a service that externalizes application authorization using the Cedar policy language. It separates user authentication from authorization through Cognito integration and automates syntax validation with policy store schemas. The BatchIsAuthorized API enables bulk authorization of multiple requests, and policy templates streamline common pattern management. CloudTrail records audit logs for authorization requests.

Related Services

Amazon Verified PermissionsA service that externalizes application authorization logic using the Cedar policy languageAmazon CognitoA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon API GatewayA fully managed service for creating, publishing, managing, and monitoring APIs

Related Articles

Zero Trust Access with AWS Verified Access - VPN-Free Application ConnectivityEliminate VPNs and achieve zero trust access that verifies user identity and device security posture on every request. Learn about fine-grained control with Cedar policies.Implementing User Authentication with Amazon Cognito - Designing User Pools and Identity PoolsLearn about user authentication with Cognito User Pools, AWS resource access with Identity Pools, and social login integration.Amazon API Gateway Design Patterns - Choosing Between REST API and HTTP APIClear criteria for choosing between HTTP API and REST API, authentication patterns with Cognito and Lambda authorizers, and practical throttling design techniques.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

AWS Verified AccessA service that provides zero trust access to corporate applications without a VPNZero Trust Network Access - VPN-Free Secure Access with AWS Verified AccessLearn about VPN-less zero trust access with AWS Verified Access. Covers identity provider integration, device trust, policy-based access control, and comparison with traditional VPNs.AWS Verified AccessA service providing zero-trust access to corporate applications without a VPNImplementing User Authentication - Building a Secure Authentication Foundation with CognitoLearn how to design and implement a user authentication foundation using Amazon Cognito, including building authentication flows with user pools, identity pools, and external identity provider federation.