Amazon Verified Permissions のアイコン

Amazon Verified Permissions New2022年〜

A service that externalizes application authorization logic using the Cedar policy language

About 2 min read

What It Does

Amazon Verified Permissions lets you define application authorization (who can do what) logic in the Cedar policy language, separating it from application code. Access rules are centralized in a policy store, and authorization decisions are made via API. It integrates with Cognito for user attribute-based authorization.

Use Cases

Authorization for multi-tenant SaaS applications, implementing role-based access control (RBAC) and attribute-based access control (ABAC), and separating authorization logic from application code.

Everyday Analogy

Think of a building access control system. Access rights to each room (resource) are centralized in the management system (Verified Permissions), with rules (policies) like "Sales department employees can enter Meeting Room A" and "Admins can enter all rooms" managed in one place.

What Is Verified Permissions?

Amazon Verified Permissions is an authorization externalization service. Traditionally, "Can this user access this resource?" decisions were implemented as if-statements in application code. Verified Permissions defines rules in the Cedar policy language and executes authorization decisions via the IsAuthorized API. Policy changes take effect without redeploying the application.

Cedar Policies and Schema

Cedar is an open-source policy language developed by AWS. It declaratively describes "who (principal) can do what (action) to what (resource)." Schemas define entity types (User, Document, Folder) and actions (Read, Write, Delete), enabling policy consistency validation. Integration with Cognito user pools lets you use JWT token attributes (groups, custom attributes) in policy decisions. To deepen your understanding of Cedar policies and schema, related books on Amazon are a helpful resource.

Getting Started

Create a policy store in the Verified Permissions console and define a schema. Write Cedar policies to describe access rules. Call the IsAuthorized API from your application and control access based on the result (Allow / Deny).

Things to Watch Out For

  • Pay-per-use based on authorization request count. Watch costs for high-frequency authorization decisions
  • Cedar is open source, enabling local policy testing and simulation
共有するXB!

Related Services

Amazon Cognito iconAmazon CognitoA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon API Gateway iconAmazon API GatewayA fully managed service for creating, publishing, managing, and monitoring APIsAWS Lambda iconAWS LambdaA serverless compute service that runs code without server managementAWS IAM Identity Center iconAWS IAM Identity CenterA service that provides single sign-on to multiple AWS accounts and SaaS applications

Related Articles

Fine-Grained Authorization with Amazon Verified Permissions - Access Control Using Cedar PoliciesLearn how to externalize authorization logic from application code using the Cedar policy language and implement token-based authorization decisions with Cognito integration.

More in This Category

IAM Access Analyzer iconIAM Access Analyzer SpecializedA service that detects externally accessible resources and unused access permissionsAWS Certificate Manager iconAWS Certificate Manager EssentialA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Artifact iconAWS Artifact SpecializedA service for on-demand access to AWS compliance reports and agreementsAWS Audit Manager iconAWS Audit Manager SpecializedA service that automates evidence collection and assessment for compliance auditsAWS CloudHSM iconAWS CloudHSM SpecializedA service for managing encryption keys using dedicated hardware security modulesAmazon Cognito iconAmazon Cognito PopularA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon Detective iconAmazon Detective SpecializedA service that automatically analyzes security findings and investigates root causesAWS Directory Service iconAWS Directory Service SpecializedA service that provides managed Active Directory on AWS

Similar Articles and Services

Fine-Grained Authorization with Amazon Verified Permissions - Access Control Using Cedar PoliciesLearn how to externalize authorization logic from application code using the Cedar policy language and implement token-based authorization decisions with Cognito integration.AWS Verified AccessA service that provides zero trust access to corporate applications without a VPNAWS Verified AccessA service providing zero-trust access to corporate applications without a VPNZero Trust Network Access - VPN-Free Secure Access with AWS Verified AccessLearn about VPN-less zero trust access with AWS Verified Access. Covers identity provider integration, device trust, policy-based access control, and comparison with traditional VPNs.Zero Trust Access with AWS Verified Access - VPN-Free Application ConnectivityEliminate VPNs and achieve zero trust access that verifies user identity and device security posture on every request. Learn about fine-grained control with Cedar policies.