Amazon Verified Permissions Documentation

Amazon Verified Permissions is designed to be a scalable, fine-grained permissions management and authorization service for the applications that you build. This service enables your developers to build secure applications by externalizing authorization and centralizing policy management and administration. Developers can align their application access with Zero Trust principles by implementing least privilege and continual verification within applications. Security and audit teams can analyze and audit who has access to what within applications. Verified Permissions uses Cedar, a purpose-built and security-first open-source policy language, to define policy-based access controls using roles and attributes.

Defining your authorization model

Schema

You define your schema in terms of each entity type, including the attributes relevant to the authorization model and the valid combinations of principal types, resource types, and actions. Verified Permissions is designed to use the schema to validate that a static policy or policy template is consistent with the application’s authorization model. You can use JSON to define a schema in Verified Permissions. You can also define action groups in your schema, which are policies that permit or forbid groups of actions.

Authorization requests

You can connect your application to the service through the API to authorize user access requests. For each authorization request, the service is designed to retrieve the relevant policies and evaluate them to determine whether a user is permitted to take an action on a resource, given context inputs such as users, roles, group membership, and attributes.

Policy management and validation

Policy store

A policy store is a container of policies in Verified Permissions that is designed to be logically isolated from other containers. You can create all your hierarchical relationships and configurations in a single policy store, keeping its policies and policy templates separate from those in other policy stores. Policy stores are designed to map to each application and allow you to create different configurations and schema rules across multiple tenants.

Test bench feature

The test bench feature is a tool designed to test and troubleshoot Verified Permissions policies by running a simulated authorization request against all the policies in your policy store. The test bench is designed to use the parameters that you specify to determine whether the policies in your policy store would authorize the request.

Policy templates

You can use a policy template, which is a policy statement with placeholders in the scope that are to be filled in with specific values. A policy template can have placeholders for the principal, the resource, or both. Updates to the policy template are designed to be reflected across all principals and resources that use the template.

You can use policy templates to create policies that can be shared throughout your application. You can also use policy templates to define coarse-grained, medium-grained, and fine-grained access controls for your applications.
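The following is an added example, not code from the AWS documentation or from the service itself, tying together the schema, the authorization request and the policy template sections above. It assumes a hypothetical "PhotoApp" namespace with made-up entity types, actions and identifiers, uses the Cedar JSON schema format and the IsAuthorized request field names as the author understands them, and checks a request against the schema's appliesTo constraints before building it.

```python
# Constructed example (not from the AWS page): a hypothetical "PhotoApp" schema
# in the Cedar JSON schema format, a policy template using both placeholders,
# and a builder for an IsAuthorized request body that is first checked against
# the schema's appliesTo constraints. Entity and action names are illustrative.
SCHEMA = {"PhotoApp": {
    "entityTypes": {
        "UserGroup": {"shape": {"type": "Record", "attributes": {}}},
        "User": {"memberOfTypes": ["UserGroup"],
                 "shape": {"type": "Record", "attributes": {"department": {"type": "String"}}}},
        "Photo": {"shape": {"type": "Record",
                            "attributes": {"owner": {"type": "Entity", "name": "User"}}}},
    },
    "actions": {
        "readActions": {},  # action group: concrete actions declare membership in it
        "viewPhoto": {"memberOf": [{"id": "readActions"}],
                      "appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Photo"]}},
        "deletePhoto": {"appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Photo"]}},
    },
}}

# Template with principal and resource placeholders; each template-linked policy
# binds ?principal and ?resource, and editing the template changes every linked policy.
TEMPLATE = ('permit(principal == ?principal, '
            'action in PhotoApp::Action::"readActions", resource == ?resource);')

def request_fits_schema(schema, principal_type, action_id, resource_type, namespace="PhotoApp"):
    """True if the schema lists this principal/resource type pair for the action.
    An action group (no appliesTo) or an undeclared action cannot be requested."""
    applies = schema[namespace]["actions"].get(action_id, {}).get("appliesTo")
    if applies is None:
        return False
    return (principal_type in applies.get("principalTypes", [])
            and resource_type in applies.get("resourceTypes", []))

def build_is_authorized_request(policy_store_id, user_id, action_id, photo_id, group_ids=()):
    """Build an IsAuthorized request body; group memberships travel as entity parents."""
    if not request_fits_schema(SCHEMA, "User", action_id, "Photo"):
        raise ValueError(f"{action_id!r} does not apply to User/Photo in the schema")
    user = {"entityType": "PhotoApp::User", "entityId": user_id}
    photo = {"entityType": "PhotoApp::Photo", "entityId": photo_id}
    return {
        "policyStoreId": policy_store_id,
        "principal": user,
        "action": {"actionType": "PhotoApp::Action", "actionId": action_id},
        "resource": photo,
        "entities": {"entityList": [
            {"identifier": user, "attributes": {"department": {"string": "eng"}},
             "parents": [{"entityType": "PhotoApp::UserGroup", "entityId": g} for g in group_ids]},
            {"identifier": photo, "attributes": {"owner": {"entityIdentifier": user}}, "parents": []},
        ]},
    }
```

The returned dictionary is the shape you would pass to the IsAuthorized API call; the policy store id is a placeholder you replace with your own.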

Policy querying and auditing

Query policies

Using Verified Permissions APIs, you can run specific queries against the policies stored in Verified Permissions. You can query your policies to determine which are applied to specific principals, specific resources, or both.

Auditing and logging

You can configure and connect Verified Permissions to send your policy management and authorization logs to AWS CloudTrail.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.