AWS Verified Permissions Blog
Amazon Verified Permissions Overview
Amazon Verified Permissions is a fully managed authorisation service that uses the provably correct Cedar policy language, and you can use it to build more secure applications. Because Verified Permissions centralises policy management and externalises authorisation, developers can build applications more quickly and align the application’s authorisation with Zero Trust principles. Security and audit teams can more effectively examine and verify who has access to what in applications.
Advantages
Separate application logic from authorisation
Decoupling authorisation from business logic will speed up the development of applications.
Safeguard the resources of your application
Use the least privilege concept to control user access and safeguard application resources.
Make audits of application and resource access simpler
Use automated analysis to streamline compliance checks at scale and ensure that permissions written in Cedar work as intended.
Real-time, ongoing authorisation decisions
Create applications that adhere to the continuous, real-time authorisation decisions outlined in Zero Trust.
Use cases
Describe a model of fine-grained authorisation
Using templates, create policies and implement those restrictions in AWS AppSync and Amazon API Gateway.
Permit applications with specific permissions
Using Cedar, developers can let users access data and resources, and administrators can write policies that apply to the entire application.
Permissions for auditing across applications
Examine changes to the Cedar policy model and use Verified Permissions to monitor authorisation requests.
Amazon Verified Permissions features
Specifying your model of authorisation
With Cedar support, you can define your schema in terms of each entity type, including the attributes relevant to the authorisation model and the valid combinations of principal types, actions, and resource types. Verified Permissions uses the schema to confirm that a static policy or policy template complies with the application’s authorisation model. In Verified Permissions, a schema is defined in JSON; although it uses features specific to the Cedar policy language, it is quite similar to JSON Schema. You can also define action groups in your schema: policies that allow or deny groups of actions.
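The schema-driven validation described above, as an added example that is not code from the page or from AWS: a constructed Cedar-style JSON schema for a hypothetical PhotoApp namespace (entity types, actions and one action group, readOnly) and a function that checks a policy or template scope (principal type, action or action group, resource type) against the schema's appliesTo declarations. All entity, action and namespace names are assumptions.

```python
import json
# Constructed Cedar-style JSON schema for a hypothetical "PhotoApp" namespace
# (not from the page or from AWS): entity types, actions and one action group.
SCHEMA = json.loads("""
{
  "PhotoApp": {
    "entityTypes": {
      "User":      {"memberOfTypes": ["UserGroup"], "shape": {"type": "Record", "attributes": {}}},
      "UserGroup": {"shape": {"type": "Record", "attributes": {}}},
      "Photo":     {"shape": {"type": "Record",
                    "attributes": {"owner": {"type": "Entity", "name": "User"}}}}
    },
    "actions": {
      "readOnly":  {},
      "viewPhoto": {"memberOf": [{"id": "readOnly"}],
                    "appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Photo"]}},
      "editPhoto": {"appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Photo"]}}
    }
  }
}
""")

def action_members(schema, ns, action_id):
    """Expand an action group to its member actions; a concrete action (one with appliesTo) is its own only member."""
    actions = schema[ns]["actions"]
    if "appliesTo" in actions.get(action_id, {}):
        return [action_id]
    return [a for a, spec in actions.items()
            if any(m["id"] == action_id for m in spec.get("memberOf", []))]

def validate_scope(schema, ns, principal_type, action_id, resource_type):
    """Check a policy/template scope against the schema; an empty list means it complies with the model."""
    problems = []
    types = schema[ns]["entityTypes"]
    actions = schema[ns]["actions"]
    if principal_type not in types:
        problems.append(f"unknown principal type {principal_type}")
    if resource_type not in types:
        problems.append(f"unknown resource type {resource_type}")
    if action_id not in actions:
        problems.append(f"unknown action {action_id}")
        return problems
    # Every concrete action covered by the scope must permit this principal/resource pairing.
    for member in action_members(schema, ns, action_id):
        applies = actions[member]["appliesTo"]
        if principal_type not in applies["principalTypes"]:
            problems.append(f"{member} does not apply to principal type {principal_type}")
        if resource_type not in applies["resourceTypes"]:
            problems.append(f"{member} does not apply to resource type {resource_type}")
    return problems
```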
Requests for authorisation
To authorise user access requests, connect your application to the service through its API. For each authorisation request, the service retrieves the relevant policies and, given context inputs such as users, roles, group membership, and attributes, evaluates those Cedar-based policies to decide whether a user is allowed to perform an action on a resource.
Validation and administration of policies
The policy store
In Verified Permissions, a policy store is a container of Cedar-based policies that is logically isolated from other containers. You can define all of your hierarchical relationships and configuration in one policy store, keeping its policies and policy templates separate from those of other policy stores. Policy stores typically map to individual applications, so you can define distinct configurations and schema rules for many tenants without sharing or connecting them. For instance, each tenant of a Verified Permissions application may have its own policy store; you could delete a tenant’s policy store without affecting the resources, schemas, policies, and policy templates of any other policy store.
Test bench
The test bench is a tool for evaluating and debugging Verified Permissions policies by simulating an authorisation request against every Cedar-based policy in your policy store. Based on the parameters you provide, the test bench determines whether the policies in your policy store would allow the request.
Templates for policies
Another option is a policy template: a Cedar-based policy statement whose scope contains placeholders that must be filled in with specific values. A policy template may have placeholders for the principal, the resource, or both. A policy created from a template is called a template-linked policy; any change made to the template is mirrored across all principals and resources that use it.
We recommend using policy templates to build Cedar-based policies that can be shared across your application. For instance, you could create an editor policy template that grants read, edit, and comment permissions to the principal and resource named when the template is used. You can also use policy templates to define coarse-, medium-, and fine-grained access controls for your applications: for instance, policy templates to assign particular people to a group, medium-grained controls to grant access to particular resources, and fine-grained controls for the most detailed attributes on resources.
Auditing and querying policies
Policies for queries
Using the Verified Permissions APIs, you can run specific queries against the policies kept in Verified Permissions: for example, to find out which policies apply to particular resources, principals, or both.
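Policy templates (the "Templates for policies" section above) and the scope queries described here, as an added example that is not part of the page, the AWS SDK or the service: a constructed in-memory model of a policy store whose template-linked policies are rendered from the template's current text, so an edit to the template reaches every linked policy, and which can be queried for the policies bound to a given principal or resource. The PhotoApp namespace, the editor template and the entity names are assumptions.

```python
# Constructed in-memory model of a policy store with policy templates, template-linked
# policies and scope queries; illustration only, not the AWS SDK or service code.
class PolicyStore:
    def __init__(self):
        self.templates = {}  # template id -> Cedar template text using ?principal / ?resource
        self.links = {}      # policy id -> (template id, bound principal, bound resource)

    def put_template(self, template_id, text):
        """Create or update a template; linked policies pick the change up on render()."""
        if "?principal" not in text and "?resource" not in text:
            raise ValueError("a policy template needs a ?principal and/or ?resource placeholder")
        self.templates[template_id] = text

    def link(self, policy_id, template_id, principal=None, resource=None):
        """Create a template-linked policy by binding the template's placeholders."""
        text = self.templates[template_id]
        if ("?principal" in text) != (principal is not None):
            raise ValueError("give a principal exactly when the template uses ?principal")
        if ("?resource" in text) != (resource is not None):
            raise ValueError("give a resource exactly when the template uses ?resource")
        self.links[policy_id] = (template_id, principal, resource)

    def render(self, policy_id):
        """Cedar text of a template-linked policy, built from the template's current text."""
        template_id, principal, resource = self.links[policy_id]
        text = self.templates[template_id]
        if principal is not None:
            text = text.replace("?principal", principal)
        if resource is not None:
            text = text.replace("?resource", resource)
        return text

    def query(self, principal=None, resource=None):
        """Ids of the template-linked policies bound to the given principal and/or resource."""
        return sorted(pid for pid, (_, p, r) in self.links.items()
                      if (principal is None or p == principal) and (resource is None or r == resource))

# Hypothetical "editor" template in the style the page describes: read, edit and comment.
EDITOR_TEMPLATE = ('permit(principal == ?principal, action in [PhotoApp::Action::"read", '
                   'PhotoApp::Action::"edit", PhotoApp::Action::"comment"], resource == ?resource);')
def demo():
    store = PolicyStore()
    store.put_template("editor", EDITOR_TEMPLATE)
    store.link("p1", "editor", 'PhotoApp::User::"alice"', 'PhotoApp::Album::"trip"')
    store.link("p2", "editor", 'PhotoApp::User::"bob"', 'PhotoApp::Album::"trip"')
    before = store.render("p1")
    # Remove "comment" from the template: every policy linked to it changes with it.
    store.put_template("editor", EDITOR_TEMPLATE.replace(', PhotoApp::Action::"comment"', ""))
    return before, [store.render("p1"), store.render("p2")], store.query(resource='PhotoApp::Album::"trip"')
```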
Logging and auditing
To submit your policy management and authorisation logs to AWS CloudTrail, you can set up and link Verified Permissions.
Extensions and Integrations
Amazon Cognito Connectivity
Your Amazon Cognito authentication token can be supplied into a Verified Permissions authorisation request. This enables you to directly enter identity provider attributes into a policy evaluation, which in turn influences the authorisation decision that Verified Permissions generates.
AWS CloudFormation integration
Verified Permissions integrates with AWS CloudFormation, a service that helps you model and configure your AWS resources so that you spend less time building and maintaining your infrastructure. When you create a template that lists all the resources you want, CloudFormation provisions and configures those AWS resources.
Flexibility
The Verified Permissions SDK can be used from C++, Go, Java, JavaScript, Kotlin, .NET, Node.js, PHP, Python, Ruby, Rust, and Swift.
Getting Started with Amazon Verified Permissions
Amazon Verified Permissions offers scalable permissions management and fine-grained authorisation for the applications you build. Using Cedar, an expressive and analysable open-source policy language, developers and administrators can build policy-based access controls from roles and attributes for more detailed, context-aware access control.
Amazon Verified Permissions pricing
Amazon Verified Permissions offers scalable permissions management and fine-grained authorisation for the applications you build. Using Cedar, an expressive and analysable open-source policy language, developers and administrators can create policy-based access controls from roles and attributes for more detailed, context-aware access control.
With Verified Permissions you pay only for what you use. There are no minimum or upfront costs, and a customer does not need to submit a minimum number of requests to use Amazon Verified Permissions. The service bills for Authorisation and Policy Management.
Authorisation requests are metered per API call. Each call to the IsAuthorized, BatchIsAuthorized, IsAuthorizedWithToken, or BatchIsAuthorizedWithToken API is metered as a single request. For instance, a call to the BatchIsAuthorized API is metered as a single request regardless of how many authorisations are included in the request.
Policy management requests are likewise metered per API call, with the exception of BatchGetPolicies. The CreatePolicy, UpdatePolicy, GetPolicy, and ListPolicy APIs, for instance, are each metered as a single request. BatchGetPolicies is metered per returned policy: for instance, making 10 requests to the BatchGetPolicies API to retrieve ten policies is priced the same as making ten calls to the GetPolicy API.
Region: US East (N. Virginia) – same pricing for all Regions
Pricing tier (authorization requests per month) | Price per request
------------------------------------------------|----------------------------------------
First 40 million requests per month             | $0.00015 per authorization request
Next 60 million requests per month              | $0.000075 per authorization request
More than 100 million requests per month        | $0.00004 per authorization request
Policy management requests                      | $0.00004 per policy management request
You are not required to submit a minimum number of requests to use Amazon Verified Permissions. For instance, if your application generates 1,000 authorisation requests, you will be billed for 1,000 authorisation requests ($0.00015 * 1,000 requests = $0.15).