Amazon Verified Permissions Features

With support for Cedar, you can define your schema in terms of each entity type, including attributes relevant to the authorization model and the valid combinations of principal types, resource types, and actions. Verified Permissions uses the schema to validate that a static policy or policy template is consistent with the application’s authorization model. You can use JSON to define a schema in Verified Permissions. It bears some resemblance to JSON schema but uses unique aspects of the Cedar policy language. You can define action groups in your schema, which are policies that permit or forbid groups of actions.

Connect your application to the service through the API to authorize user access requests. For each authorization request, the service retrieves the relevant policies and evaluates those Cedar-based policies to determine whether a user is permitted to take an action on a resource given context inputs such as users, roles, group membership, and attributes.

A policy store is a container of Cedar-based policies in Verified Permissions that is logically isolated from other containers. You can create all your hierarchical relationships and configurations in a single policy store to distinguish policies and policy templates from other policy stores. Policy stores generally map to each application and allow you to create different configurations and schema rules across multiple tenants without sharing or connectivity between them. For example, you could have a separate policy store for each tenant use of a Verified Permissions application; you can delete one tenant's policy store without affecting the resources, schemas, policies, and policy templates of any other policy store.

The test bench is a tool for testing and troubleshooting Verified Permissions policies by running a simulated authorization request against all the Cedar-based policies in your policy store. The test bench uses the parameters that you specify to determine whether the policies in your policy store would authorize the request.

You can use a policy template, which is a Cedar-based policy statement with placeholders in the scope that are to be filled in with specific values. A policy template can have placeholders for the principal, the resource, or both. Updates to the policy template are reflected across all principals and resources that use the template, also known as a template-linked policy.

We recommend using policy templates to create Cedar-based policies that can be shared throughout your application. For example, you could create a policy template for an editor that provides read, edit, and comment permissions for the principal and resource that use the policy template. You can also use policy templates to define coarse-grained, medium-grained, and fine-grained access controls for your applications. For example, you could use policy templates to assign specific users to a group, medium-grained controls to assign access to specific resources, and fine-grained controls for the most granular attributes on resources.

Using Verified Permissions APIs, you can run specific queries against the policies stored in Verified Permissions. You can query your policies to determine which are applied to specific principals, specific resources, or both.

You can configure and connect Verified Permissions to send your policy management and authorization logs to AWS CloudTrail.

You can pass your authentication token from Amazon Cognito into an authorization request running through Verified Permissions. This allows you to pass through identity provider attributes directly into a policy evaluation and thereby an authorization decision generated by Verified Permissions.

Verified Permissions is integrated with CloudFormation, a service that helps you model and set up your AWS resources so that you can spend less time creating and managing your resources and infrastructure. You create a template that describes all the AWS resources that you want, and CloudFormation provisions and configures those resources for you.

The Verified Permissions SDK is available using C++, Go, Java, JavaScript, Kotlin, .NET, Node.js, PHP, Python, Ruby, Rust, and Swift.