AWS Public Sector Blog

Unlock the power of fine-grained access control with Amazon Verified Permissions


Public sector organizations operate in an increasingly complex environment, managing diverse workloads and maintaining a high level of security. These organizations face stringent compliance requirements, and any unauthorized access to protected health information (PHI) or personally identifiable information (PII) can result in legal penalties and reputational damage. Consequently, these organizations must implement systems with fine-grained access controls to make sure that only authorized individuals can view the data they are permitted to access.

This post aims to demonstrate how public sector customers can develop a fine-grained authorization module using Amazon Web Services (AWS) identity services, extending beyond the capabilities of traditional role-based access control (RBAC), so they can achieve compliance objectives.

Challenges

Establishing effective user authentication and authorization mechanisms in custom applications requires substantial effort. Although authentication is often managed through external identity providers (IdPs) such as Amazon Cognito, authorization logic is usually implemented within the application code. This approach can lead to errors, particularly as permission models become more sophisticated, and creates significant challenges in auditing and managing access rights. As the application user base scales, this becomes cumbersome and difficult to manage and poses the following challenges:

  1. Understanding the rules means reviewing the code. Each application implements its own authorization approach, leading to inconsistency and redundant effort.
  2. Access control logic is tightly coupled to application code, making authoring and changes difficult, and increasing technical debt.
  3. Auditing who has access to what resources across a complex system is challenging because the rules are not centralized and readable.
  4. Changes are time consuming because every permission change goes through the full development and release process.
  5. Governance is lacking; for example, it is hard to know who changed which rule and when.
  6. As systems grow, monolithic authorization components can become performance bottlenecks.
  7. Proprietary authorization rules hinder flexibility and portability.

The importance of addressing these issues is emphasized by the elevated rankings for the four authorization-related weaknesses in the Common Weakness Enumeration (CWE) list of the Top 25 Most Dangerous Software Weaknesses for 2024.

Solution

To solve these challenges, you can use Amazon Verified Permissions, an off-the-shelf permissions management and fine-grained authorization system that you can plug into the applications you build. You can use Verified Permissions to decouple and centralize authorization using a standardized, attribute-based access control (ABAC) model. Verified Permissions stores fine-grained permissions expressed as Cedar policies and provides a means to manage them. Adhering to zero trust principles, Cedar policies are evaluated on every request to make sure that only authorized users are granted access to the modules and data. The following diagram shows how Verified Permissions simplifies authorization and policy management with centralized policies that are decoupled from application code.

Figure 1. Fine-grained authorization with Verified Permissions.

Use cases

There are multiple public sector use cases that can be resolved using Verified Permissions. The following scenarios are cases where Verified Permissions is particularly useful.

  1. Healthcare organizations often need to manage access to sensitive patient data and medical records. With Verified Permissions, you can define granular policies to control access based on user roles, data sensitivity, and other contextual factors. For example, you can create a policy that gives nurses permissions to view and update patient records but restricts access for administrative staff to only nonsensitive information. Similarly, doctors should only have access to their own patients’ records, not those of other patients within the same hospital. And, case workers should be able to access only the cases assigned to them, so they can view and update the care information. Verified Permissions enables such fine-grained access control.
  2. Justice and public safety (JPS) agencies often need to manage access to sensitive case files, evidence, and emergency response systems. Verified Permissions can help you define policies to control access based on user roles, case sensitivity, and other contextual factors. For example, you can create a policy that allows detectives to access and update case files, while restricting administrative staff to viewing only nonsensitive case information. JPS partners create cloud-based computer aided dispatch (CAD) and records management software (RMS) for law enforcement, emergency services, fire, and private security personnel who require least-privilege access to records and video footage. Verified Permissions enables this fine-grained access control, so only authorized individuals can view the data.
  3. Transportation agencies need to manage access to critical infrastructure, operations data, and emergency response systems. Verified Permissions can help you define policies to control access based on user roles, location, and other contextual factors. For example, you can create a policy that gives field technicians permissions to access and update traffic cameras while restricting access for office staff to view-only permissions. Similarly, fleet managers should be able to view fleet driver data and operator behavior to improve visibility of sudden acceleration-based events.
  4. In human services agencies, caseworkers and social workers store and retrieve documents, complete forms, and capture more accurate and timely case notes and narratives to improve service delivery, compliance, and audit-readiness. Field-based social workers use a mobile app in disconnected mode and capture high-resolution, color images of clients and living conditions. Least-privilege access to this material, with continual evaluation of permissions, can be achieved with Verified Permissions.

Anatomy of Cedar Policies

Verified Permissions uses Cedar policies to define access permissions. The Cedar policy language expresses permissions as a set of policy statements. Each statement is a precise rule that permits or forbids a principal's ability to perform an action on a resource under specific conditions. This structure is known as the PARC model (principal, action, resource, condition) and gives fine-grained control over access decisions.

At the core of every policy statement lie two critical components:

  1. The effect – This binary choice, permit or forbid, determines the fundamental nature of the policy, instantly clarifying its impact on user actions.
  2. The scope – This multifaceted element defines the policy’s reach by specifying:
    • Principals – Who is affected? (For example, individual users, groups, or roles.)
    • Actions – What operations are governed? (For example, read, write, or delete.)
    • Resources – Which assets are involved? (For example, photos, files, or APIs.)
  3. The conditions – To further refine policy application, statements can incorporate conditional logic through optional when or unless clauses. These conditions act as dynamic filters, allowing policies to adapt to real-time contexts such as time of day, user location, or system status.

Sample policies

The following examples explore how Verified Permissions can address specific public sector use cases with sample Cedar policies:

1. Healthcare – Electronic health records

To maintain patient confidentiality and data integrity, a hospital must establish a comprehensive access control system for patient records. This system should grant different levels of access to medical professionals, nursing staff, and administrative personnel based on their roles and contextual information. The following policies show how permissions (ViewRecord or EditRecord) on PatientRecords are granted by job title: doctors only for records on which they are assigned staff, admins unconditionally, and nurses at job level 5 or above.

permit (
    principal in EHR::Role::"HealthcareStaff",
    action in [EHR::Action::"ViewRecord", EHR::Action::"EditRecord"],
    resource in EHR::Resource::"PatientRecords"
)
when
{
    (principal.jobTitle == "Doctor" && principal in resource.assignedstaff) ||
    principal.jobTitle == "Admin"
};


permit (
    principal in EHR::Role::"HealthcareStaff",
    action in [EHR::Action::"ViewRecord", EHR::Action::"EditRecord"],
    resource in EHR::Resource::"PatientRecords"
)
when { principal.jobTitle == "Nurse" && principal.jobLevel >= 5 };
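The following is an added example, not code from the original post or from AWS, showing how an application supplies the data these policies depend on when it calls the Verified Permissions IsAuthorized API through boto3. The attribute names (jobTitle, jobLevel, assignedstaff), the role, action, and resource group names come from the policies above; the entity type names EHR::User and EHR::PatientRecord, the policy store ID placeholder, and the helper names are assumptions.

```python
# Added example (not from the original post): building the IsAuthorized request
# for the EHR policies above. Policy store ID is a placeholder; EHR::User and
# EHR::PatientRecord are assumed entity type names.
from typing import Any, Dict, List

POLICY_STORE_ID = "PLACEHOLDER_POLICY_STORE_ID"  # assumption: replace with your store ID


def entity(entity_type: str, entity_id: str) -> Dict[str, str]:
    """Entity identifier in the shape the Verified Permissions API expects."""
    return {"entityType": entity_type, "entityId": entity_id}


def build_ehr_request(
    user_id: str,
    job_title: str,
    job_level: int,
    record_id: str,
    assigned_staff_ids: List[str],
    action_id: str,
) -> Dict[str, Any]:
    """Parameters for verifiedpermissions.is_authorized().

    The policies on the page need three things the application must supply:
    - principal in EHR::Role::"HealthcareStaff"  -> a parent edge on the user entity
    - principal.jobTitle / principal.jobLevel    -> attributes on the user entity
    - principal in resource.assignedstaff        -> a set of entity identifiers on the record
    """
    principal = entity("EHR::User", user_id)            # assumption: user entity type
    resource = entity("EHR::PatientRecord", record_id)  # assumption: record entity type
    entity_list = [
        {
            "identifier": principal,
            "attributes": {
                "jobTitle": {"string": job_title},
                "jobLevel": {"long": job_level},
            },
            "parents": [entity("EHR::Role", "HealthcareStaff")],
        },
        {
            "identifier": resource,
            "attributes": {
                "assignedstaff": {
                    "set": [
                        {"entityIdentifier": entity("EHR::User", staff_id)}
                        for staff_id in assigned_staff_ids
                    ]
                }
            },
            "parents": [entity("EHR::Resource", "PatientRecords")],
        },
    ]
    return {
        "policyStoreId": POLICY_STORE_ID,
        "principal": principal,
        "action": {"actionType": "EHR::Action", "actionId": action_id},
        "resource": resource,
        "entities": {"entityList": entity_list},
    }


def is_allowed(client: Any, request: Dict[str, Any]) -> bool:
    """Call Verified Permissions and fail closed: anything but ALLOW is a deny."""
    try:
        response = client.is_authorized(**request)
    except Exception:
        # A service or network error must never turn into an implicit grant.
        return False
    return response.get("decision") == "ALLOW"


if __name__ == "__main__":
    import boto3  # only needed for a live call against your policy store

    req = build_ehr_request("dr-smith", "Doctor", 7, "rec-1001", ["dr-smith", "nurse-lee"], "ViewRecord")
    print("ALLOW" if is_allowed(boto3.client("verifiedpermissions"), req) else "DENY")
```

Passing the entity hierarchy and attributes in the request is one option; when the policy store is connected to an Amazon Cognito identity source, the principal's attributes can come from the token instead. Either way, the calling code should treat DENY and any error identically, as is_allowed does.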

2. Transportation – Traffic management system

A city transportation department aims to implement fine-grained permissions for its traffic management system. This system would grant varying levels of access based on job roles and assigned location. For example, as shown in the following code example, a traffic operator’s permissions can be restricted to a specific location, while a traffic engineer’s access isn’t bound by location constraints.

permit (
    principal in TMS::Department::"TrafficControl",
    action in
        [TMS::Action::"ViewTrafficData", TMS::Action::"ModifyTrafficSignals"],
    resource in TMS::Application::"TrafficManagementSystem"
)
when
{
    principal.jobTitle == "TrafficEngineer" ||
    (principal.jobTitle == "Operator" &&
     principal.location == resource.location)
};

3. Justice and public safety – Evidence management system

A police department’s digital evidence management system must include access restrictions to make sure that only multi-factor authentication (MFA) authenticated personnel can view or modify case-related evidence files. The following policy shows how evidence access (View or Modify) is limited to assigned officers, with forensic analysts granted access only when they are an assigned analyst and the request context shows MFA.

permit (
    principal in EMS::Group::"EvidenceGroup",
    action in [EMS::Action::"ViewEvidence", EMS::Action::"ModifyEvidence"],
    resource
)
when
{
    (resource.assignedOfficers.contains(principal)) ||
    (principal.jobTitle == "ForensicAnalyst" &&
     resource.analysts.contains(principal) &&
     context.authnMfa)
};

Note: The following policy enforces MFA as a prerequisite for Delete permissions.

forbid (
    principal,
    action in EMS::Action::"DeleteEvidence",
    resource
)
unless { context.authnMfa };
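To make the decision rule from the policy anatomy section concrete against the two evidence policies above, here is an added example written in Python; it is not code from the original post, and it is a model of the policies rather than the Cedar engine itself. Entity, action, and attribute names follow the policies; the sample principals, the evidence record, and the helper names are constructed.

```python
# Added example (not from the original post): a Python model of how Cedar
# decides requests against the two evidence-management policies above, so the
# effect/scope/condition rule can be exercised offline. Sample data is constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

EVIDENCE_GROUP = "EMS::Group::EvidenceGroup"


@dataclass
class Principal:
    uid: str
    job_title: str
    groups: Set[str] = field(default_factory=set)  # parents of the principal entity


@dataclass
class Evidence:
    uid: str
    assigned_officers: Set[str] = field(default_factory=set)
    analysts: Set[str] = field(default_factory=set)


# A policy is modelled as a predicate: does this statement match the request?
# The mfa flag stands in for context.authnMfa and is assumed to always be present.
Policy = Callable[[Principal, str, Evidence, bool], bool]


def permit_evidence_access(p: Principal, action: str, r: Evidence, mfa: bool) -> bool:
    """Mirror of the permit policy: EvidenceGroup members may View or Modify
    evidence if they are an assigned officer, or an assigned forensic analyst
    whose request context carries authnMfa == true."""
    if EVIDENCE_GROUP not in p.groups:                    # scope: principal in group
        return False
    if action not in {"ViewEvidence", "ModifyEvidence"}:  # scope: action in [...]
        return False
    is_assigned_officer = p.uid in r.assigned_officers    # when: first branch
    is_mfa_analyst = p.job_title == "ForensicAnalyst" and p.uid in r.analysts and mfa
    return is_assigned_officer or is_mfa_analyst


def forbid_delete_without_mfa(p: Principal, action: str, r: Evidence, mfa: bool) -> bool:
    """Mirror of the forbid policy: DeleteEvidence is forbidden unless authnMfa."""
    return action == "DeleteEvidence" and not mfa


PERMITS: List[Policy] = [permit_evidence_access]
FORBIDS: List[Policy] = [forbid_delete_without_mfa]


def decide(p: Principal, action: str, r: Evidence, mfa: bool) -> str:
    """Cedar's decision rule: any matching forbid wins, otherwise any matching
    permit allows, and with no matching policy at all the answer is DENY."""
    if any(policy(p, action, r, mfa) for policy in FORBIDS):
        return "DENY"
    if any(policy(p, action, r, mfa) for policy in PERMITS):
        return "ALLOW"
    return "DENY"


def run_scenarios() -> Dict[str, str]:
    """Constructed sample requests covering each branch of the policies."""
    officer = Principal("officer-42", "Detective", {EVIDENCE_GROUP})
    analyst = Principal("analyst-7", "ForensicAnalyst", {EVIDENCE_GROUP})
    clerk = Principal("clerk-3", "Admin", {EVIDENCE_GROUP})
    case_file = Evidence("case-0001", assigned_officers={"officer-42"}, analysts={"analyst-7"})
    return {
        "officer_view_no_mfa": decide(officer, "ViewEvidence", case_file, mfa=False),
        "analyst_view_no_mfa": decide(analyst, "ViewEvidence", case_file, mfa=False),
        "analyst_modify_mfa": decide(analyst, "ModifyEvidence", case_file, mfa=True),
        "clerk_view_mfa": decide(clerk, "ViewEvidence", case_file, mfa=True),
        "officer_delete_no_mfa": decide(officer, "DeleteEvidence", case_file, mfa=False),
        "officer_delete_mfa": decide(officer, "DeleteEvidence", case_file, mfa=True),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:24s} -> {decision}")
```

The last two scenarios are the ones worth checking in any policy store: the forbid policy never grants anything, so DeleteEvidence is denied even with MFA until a permit policy for that action exists. The model also assumes authnMfa is always present in the request context; in Cedar, a policy that references a context attribute the request did not supply fails with an evaluation error and is skipped for that decision, which is reported in the errors field of the IsAuthorized response. Declaring authnMfa as a required context attribute in the policy store schema and validating policies against that schema keeps a missing attribute from silently changing the outcome.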

Conclusion

Public sector organizations face unique challenges in managing authorization and access control across their diverse applications and systems. By using Verified Permissions, these organizations can streamline and centralize their authorization management, improve security, and reduce the operational overhead of maintaining custom authorization systems. Verified Permissions represents an important shift in the identity and authorization space. By providing a flexible, scalable, and context-aware authorization framework, it addresses the most complex access control challenges faced by government agencies.

Government and public sector organizations should evaluate Amazon Verified Permissions as a strategic solution to modernize their authorization infrastructure, enhance security, and enable more efficient collaborative environments.

Kiran Dongara

Kiran is a solutions architect at Amazon Web Services (AWS) for Worldwide Public Sector, primarily supporting US state and local government customers and partners. His expertise lies in designing scalable and efficient architectures that adhere to well-architected framework practices, maximizing value and return on investment for his clients. When not working, Kiran prioritizes family time, nature walks, and cycling.

Bill Screen

Bill is a senior solutions architect at Amazon Web Services (AWS), where he collaborates with state and local government customers to develop scalable solutions on AWS. He specializes in supporting government technology (GovTech) customers, with a strong emphasis on artificial intelligence (AI) and generative AI. Outside of work, Bill enjoys spending time with his family, running, and participating in marathons.