Amazon Verified Permissions
A managed service that externalizes application authorization logic using the Cedar policy language, enabling fine-grained access control
Overview
Amazon Verified Permissions is a managed authorization service that enables you to externalize your application's access control logic using the Cedar policy language. Instead of embedding authorization decisions in application code, you define policies declaratively in Cedar and call the Verified Permissions API to make authorization decisions. This separation of concerns simplifies policy management, enables centralized auditing, and supports complex authorization models including RBAC, ABAC, and relationship-based access control.
Cedar Policy Language and Schema Design
Cedar is a purpose-built policy language designed for authorization that is both human-readable and machine-analyzable. Policies consist of permit and forbid statements that reference principals (users, roles), actions (API operations), and resources (application entities). The policy schema defines the entity types, their attributes, and valid relationships in your application's authorization model. For example, a document management system might define User, Group, Document, and Folder entity types with ownership and membership relationships. Cedar's type system catches policy errors at authoring time rather than runtime, and its formal verification capabilities can prove properties like 'no policy grants admin access to external users.' Policy templates with placeholders enable creating reusable policy patterns that are instantiated for specific principals or resources.
Cognito Integration and Multi-Tenant Design
Verified Permissions integrates natively with Amazon Cognito, mapping Cognito user pool tokens directly to Cedar principals. When a user authenticates through Cognito, their token attributes (groups, custom claims) are automatically available as principal attributes in authorization decisions. For multi-tenant SaaS applications, the tenant ID from the Cognito token becomes a key attribute in policies, ensuring users can only access resources within their tenant. Policy stores can be shared across tenants with tenant-scoped policies, or isolated per tenant for strict separation. The authorization API accepts the Cognito token directly, extracting relevant claims without application code needing to parse tokens. Batch authorization enables checking multiple permissions in a single API call, reducing latency for pages that display many resources with varying access levels.
Performance and Operational Design Patterns
Verified Permissions is designed for low-latency authorization decisions, typically responding in single-digit milliseconds. For applications requiring sub-millisecond decisions, a local caching pattern stores recent authorization results with short TTLs. The IsAuthorized API evaluates policies against the provided context (principal, action, resource, and additional context) and returns Allow or Deny. For complex authorization models, the IsAuthorizedWithToken API accepts identity tokens directly. Operational best practices include versioning policy stores for safe rollback, using test mode to validate policy changes against recorded authorization requests before production deployment, and monitoring decision logs in CloudTrail for security auditing. Policy analytics identify unused policies, overly permissive policies, and conflicts between permit and forbid statements, supporting continuous policy hygiene.