Fine-Grained Authorization with Amazon Verified Permissions - Access Control Using Cedar Policies
Learn how to externalize authorization logic from application code using the Cedar policy language and implement token-based authorization decisions with Cognito integration.
Overview of Verified Permissions
Verified Permissions is a managed service that provides fine-grained authorization for applications, processing thousands of authorization requests per second. Traditionally, authorization logic was often implemented as if-statements within application code, requiring code deployments to change policies. Verified Permissions externalizes authorization rules using the Cedar policy language, allowing policy changes to take effect without code deployments. Cedar is an open-source authorization policy language developed by Amazon, designed to support formal verification. Policy evaluation is deterministic - the same input always produces the same authorization decision, making debugging and auditing straightforward.
Cedar Policies and Cognito Integration
Cedar policies consist of permit (allow) and forbid (deny) statements. You can declaratively write rules such as "User A is permitted to perform the read action on Document X" or "The admin role is permitted to perform all actions on all resources." Forbid policies take precedence over permit policies, ensuring that access denial under specific conditions is reliably enforced. Condition clauses (when/unless) enable dynamic conditions like "allow access only during business hours" or "allow only when the IP address is within the corporate network range." With Cognito integration, ID token claims (groups, custom attributes) are used as principal attributes in Cedar policies, enabling token-based authorization decisions. A common pattern is to place a Lambda function as an API Gateway authorizer that calls the Verified Permissions IsAuthorized API.
Policy Stores and Batch Authorization
A policy store is a collection of Cedar policies, created per application. You define entity types (User, Document, Folder) and actions (Read, Write, Delete) in a schema to automate policy syntax validation. Defining a schema prevents the creation of policies that reference non-existent entity types or actions. The IsAuthorized API authorizes a single request, while the BatchIsAuthorized API authorizes up to 30 requests at once. The batch API is effective for list screens where access rights to multiple resources need to be determined at once, reducing latency compared to repeated individual API calls. Policy templates define common patterns, and template-linked policies dynamically bind users and resources, streamlining policy management. CloudTrail records authorization request logs for access pattern analysis and auditing. For a comprehensive look at Verified Permissions best practices, check out technical books (Amazon).
Design Best Practices and Pitfalls
For policy design, a hybrid model combining RBAC (role-based) and ABAC (attribute-based) is recommended. Manage basic permissions through roles, and express fine-grained conditions like "only the document owner can delete" through attributes. A common pitfall is debugging difficulty as policy count grows. When thousands of policies accumulate in a single policy store, tracking which policy evaluated a specific authorization decision becomes challenging. The countermeasure is to use policy templates to abstract common patterns and keep the number of concrete policies manageable. Additionally, integrating Cedar formal verification tools into CI pipelines to detect policy conflicts (where both permit and forbid apply to the same request) before deployment is crucial. When implementing authorization result caching, cache TTL involves a tradeoff with immediate policy change reflection requirements. Applications requiring real-time responsiveness should use short TTLs (seconds), while applications with high read frequency and rare policy changes can use longer TTLs (minutes).
Comparison with Other Authorization Approaches
Multiple approaches exist for application authorization, selected based on requirements. IAM policies specialize in access control to AWS resources and are unsuitable for business logic-based authorization within applications (e.g., "only the document creator can edit"). Verified Permissions handles this application-layer authorization. Open Policy Agent (OPA) enables general-purpose policy descriptions in the Rego language but requires self-managed policy engine hosting and availability management. Verified Permissions, as a managed service with AWS-guaranteed availability and scalability, offers lower operational burden. Cognito group-based authorization suits simple RBAC but does not support resource-level fine-grained control or declarative policy management. For multi-tenant SaaS, a design that isolates policy stores per tenant to physically prevent inter-tenant policy interference is effective.
Verified Permissions Pricing
Verified Permissions is priced based on the number of authorization requests. It costs approximately 5 per million requests, with no additional charges for policy store management or schema definitions. By integrating with Cognito, you can separate user authentication (Cognito) from authorization (Verified Permissions) and externalize authorization logic from application code. For applications with high request volumes, caching authorization results to reduce request counts is an effective cost optimization strategy. Note that the BatchIsAuthorized API processes up to 30 requests per call, but billing is counted per included request (i.e., 30 requests worth).
Summary
Verified Permissions is a service that externalizes application authorization using the Cedar policy language. It separates user authentication from authorization through Cognito integration and automates syntax validation with policy store schemas. The BatchIsAuthorized API enables bulk authorization of multiple requests, and policy templates streamline common pattern management. A hybrid RBAC and ABAC design achieves both simple role management and fine-grained conditional access control, with CloudTrail recording audit logs for authorization requests.