Amazon Verified Permissions FAQs
General
Verified Permissions helps you implement and enforce fine-grained authorization on resources within the applications that you build and deploy, such as HR systems and banking applications. With Verified Permissions, you can perform the following tasks:
- Define a policy-based access model that describes the resources managed by your application and the actions (such as view, update, and share) that users can perform on those resources.
- Provide application users with the ability to manage access to those resources. For example, the application creates a permission for a specialist to view and update a set of records and then stores it in Verified Permissions.
- Enforce those permissions.
Use Verified Permissions along with your identity provider, such as Amazon Cognito, for a more dynamic, policy-based access management solution for your applications. You can build applications that help end users share information and collaborate while maintaining the security, confidentiality, and privacy of their data. Verified Permissions helps you build applications faster. It also helps reduce operational costs by providing you with a fine-grained authorization system that enforces access based on the roles and attributes of your identities and resources. You can define your policy model, create and store policies in a central location, and evaluate access requests in milliseconds. As a policy engine, Verified Permissions can help your application verify user actions in real time, as required for Zero Trust.
In the AWS Management Console, access Amazon Verified Permissions under Security, Identity, and Compliance. Simplify the setup of your first application by using the wizard that walks you through the process of defining your application’s permissions model and creating permissions. You can then use the service API or console to evaluate access requests.
Verified Permissions, combined with Amazon Cognito and other identity providers, offers you a dynamic access management solution for consumer applications. Application developers can use Amazon Cognito to manage user identities and authenticate users at sign-in. Verified Permissions can then determine which application resources an authenticated user is permitted to access. You can also use the service with IAM Identity Center for workforce applications.
You can create a policy-based access model that describes your application-managed resources and the actions that can be taken on those resources. These resources can include nonhuman identities, such as devices or system processes. You can create your model through the console, an API, or a command line interface.
Yes, Verified Permissions can be used with identities from providers such as Okta, Ping Identity, and CyberArk.
You can define permissions through the Cedar policy language. Cedar policies are permit or forbid statements that determine whether a user can act on a resource. Policies are associated with resources, and you can attach multiple policies to a resource. Forbid policies override permit policies. This helps you establish guardrails within your application that prevent access, regardless of what permit policies might be in place.
Cedar is a flexible, extensible, and scalable policy-based access control language, helping developers express application permissions as policies. Administrators and developers can define policies that permit or forbid users to act on application resources. Multiple policies can be attached to a single resource. When a user of your application attempts to perform an action on a resource, your application makes an authorization request to the Cedar policy engine. Cedar evaluates the applicable policies and returns an ALLOW or DENY decision. Cedar supports authorization rules for any type of principal and resource, allows for role-based and attribute-based access control, and supports analysis through automated reasoning tools.
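As an added illustration of the evaluation rule just described (this is not code from AWS or the Cedar project), the following Python models how permit and forbid policies combine: deny by default, any matching forbid overrides every permit, and the result names the determining policies. The entity names, policy IDs and the mfa_authenticated context attribute are assumptions, and the model is a simplification of Cedar, not the engine itself.

```python
# Added example, not AWS or Cedar code: a simplified model of the Cedar decision
# rule in the text (deny by default, forbid overrides permit, decision names the
# determining policies). Policy IDs, entities and attributes are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Request:
    principal: str                 # e.g. 'User::"alice"'
    action: str                    # e.g. 'Action::"update"'
    resource: str                  # e.g. 'Record::"emp-42"'
    context: Dict[str, object] = field(default_factory=dict)

@dataclass
class Policy:
    policy_id: str
    effect: str                              # "permit" or "forbid"
    principal: Optional[str] = None          # None = any principal (Cedar: `principal,`)
    action: Optional[Set[str]] = None        # None = any action
    resource: Optional[str] = None           # None = any resource
    when: Callable[[Request], bool] = lambda r: True   # Cedar `when { ... }` clause

    def matches(self, req: Request) -> bool:
        return (self.principal in (None, req.principal)
                and (self.action is None or req.action in self.action)
                and self.resource in (None, req.resource) and self.when(req))

def authorize(req: Request, policies: List[Policy]) -> dict:
    """IsAuthorized-style result: ALLOW/DENY plus the policies that determined it."""
    matching = [p for p in policies if p.matches(req)]
    forbids = [p.policy_id for p in matching if p.effect == "forbid"]
    permits = [p.policy_id for p in matching if p.effect == "permit"]
    if forbids:   # any matching forbid wins, whatever permits also matched
        return {"decision": "DENY", "determiningPolicies": forbids}
    if permits:
        return {"decision": "ALLOW", "determiningPolicies": permits}
    return {"decision": "DENY", "determiningPolicies": []}   # nothing matched: deny

# Constructed policies; the comment above each shows the Cedar policy it models.
POLICIES = [
    # permit(principal == User::"alice", action in [Action::"view", Action::"update"],
    #        resource == Record::"emp-42");
    Policy("hr-share-1", "permit", 'User::"alice"',
           {'Action::"view"', 'Action::"update"'}, 'Record::"emp-42"'),
    # forbid(principal, action == Action::"update", resource)
    #   when { context.mfa_authenticated == false };
    Policy("guardrail-mfa", "forbid", action={'Action::"update"'},
           when=lambda r: not r.context.get("mfa_authenticated", False)),
]
```

The second policy is the kind of guardrail the text describes: it denies every update made without MFA even though the first policy permits alice to update the record.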
When a user of your application attempts to perform an action on a resource, your application can call the Verified Permissions API with an authorization request. Verified Permissions checks the request against relevant policies and returns either an ALLOW or DENY decision based on the result of that evaluation. Based on this result, your application can either let the user perform the action or block it.
Use Verified Permissions APIs in your application to create policies, update policies, attach policies to resources, and authorize user access requests. When a user attempts an action on a resource, your application constructs a request. This request includes information about the user, action, and resource, and passes it to Verified Permissions. The service evaluates the request and responds with an ALLOW or DENY decision. Your application is then responsible for enforcing that decision.
Verified Permissions validates the policies you create against your Cedar schema and rejects any that are invalid. For example, if a policy references actions that don't apply to the specified resource type, the service prevents the policy from being created. This catches type errors and structural mistakes early, before they can cause runtime failures.
Verified Permissions integrates with AWS CloudTrail, providing an audit trail of policy changes including who made changes and when. This helps you meet compliance requirements for tracking modifications to your application's authorization policies.
No. You must use the Cedar policy language to author policies. Whereas Cedar is designed to support permissions management for customer application resources, the IAM policy language evolved to support access control for AWS resources.