Amazon Verified Permissions Documentation

Amazon Verified Permissions is designed to be a scalable, fine-grained permissions management and authorization service for the applications that you build. This service enables your developers to build secure applications by externalizing authorization and centralizing policy management and administration. Developers can align their application access with Zero Trust principles by implementing least privilege and continual verification within applications. Security and audit teams can analyze and audit who has access to what within applications. Verified Permissions uses Cedar, a purpose-built and security-first open-source policy language, to define policy-based access controls using roles and attributes for more granular, context-aware access control.

You define your schema in terms of each entity type, including attributes relevant to the authorization model and the valid combinations of principal types, resource types, and actions. Verified Permissions uses the schema to validate that a static policy or policy template is consistent with the application’s authorization model. You can use JSON to define a schema in Verified Permissions. It bears some resemblance to JSON schema but uses unique aspects of the Cedar policy language. You can define action groups in your schema, which are policies that permit or forbid groups of actions. 

Connect your application to the service through the API to authorize user access requests. For each authorization request, the service retrieves the relevant policies and evaluates those policies to determine whether a user is permitted to take an action on a resource given context inputs such as users, roles, group membership, and attributes.

A policy store is a container of policies in Verified Permissions that is logically isolated from other containers. You can create all your hierarchical relationships and configurations in a single policy store to distinguish policies and policy templates from other policy stores. Policy stores generally map to each application and allow you to create different configurations and schema rules across multiple tenants without sharing or connectivity between them. For example, you could have a separate policy store for each tenant use of a Verified Permissions application; you can delete one tenant's policy store without affecting the resources, schemas, policies, and policy templates of any other policy store.

The test bench feature is a tool designed to test and troubleshoot Verified Permissions policies by running a simulated authorization request against all the policies in your policy store. The test bench uses the parameters that you specify to determine whether the policies in your policy store would authorize the request.

You can use a policy template, which is a policy statement with placeholders in the scope that are to be filled in with specific values. A policy template can have placeholders for the principal, the resource, or both. Updates to the policy template are reflected across all principals and resources that use the template, also known as a template-linked policy.

We recommend using policy templates to create policies that can be shared throughout your application. For example, you could create a policy template for an editor that provides read, edit, and comment permissions for the principal and resource that use the policy template. You can also use policy templates to define coarse-grained, medium-grained, and fine-grained access controls for your applications. For example, you could use policy templates to assign specific users to a group, medium-grained controls to assign access to specific resources, and fine-grained controls for the most granular attributes on resources.

Using Verified Permissions APIs, you can run specific queries against the policies stored in Verified Permissions. You can query your policies to determine which are applied to specific principals, specific resources, or both.

You can configure and connect Verified Permissions to send your policy management and authorization logs to AWS CloudTrail.

You can pass your authentication token from Amazon Cognito into an authorization request running through Verified Permissions. This enables you to pass through identity provider attributes directly into a policy evaluation and thereby an authorization decision generated by Verified Permissions.

Verified Permissions is integrated with CloudFormation, a service that helps you model and set up your AWS resources so that you can spend less time creating and managing your resources and infrastructure. You create a template that describes all the AWS resources that you want, and CloudFormation provisions and configures those resources for you.

The Verified Permissions SDK is available using C++, Go, Java, JavaScript, Kotlin, .NET, Node.js, PHP, Python, Ruby, Rust, and Swift. 

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.