Amazon Verified Permissions Features

A policy store is a container of Cedar-based policies in Verified Permissions that is logically isolated from other containers. You can create all your hierarchical relationships and configurations in a single policy store to distinguish policies and policy templates from other policy stores. Policy stores generally map to each application and allow you to create different configurations and schema rules across multiple tenants without sharing or connectivity between them. For example, you could have a separate policy store for each tenant use of a Verified Permissions application; you can delete one tenant's policy store without affecting the resources, schemas, policies, and policy templates of any other policy store.

The test bench is a tool for testing and troubleshooting Verified Permissions policies by running a simulated authorization request against all the Cedar-based policies in your policy store. The test bench uses the parameters that you specify to determine whether the policies in your policy store would authorize the request.

You can use a policy template, which is a Cedar-based policy statement with placeholders in the scope that are to be filled in with specific values. A policy template can have placeholders for the principal, the resource, or both. Updates to the policy template are reflected across all principals and resources that use the template, also known as a template-linked policy.

We recommend using policy templates to create Cedar-based policies that can be shared throughout your application. For example, you could create a policy template for an editor that provides read, edit, and comment permissions for the principal and resource that use the policy template. You can also use policy templates to define coarse-grained, medium-grained, and fine-grained access controls for your applications. For example, you could use policy templates to assign specific users to a group, medium-grained controls to assign access to specific resources, and fine-grained controls for the most granular attributes on resources.

Using Verified Permissions APIs, you can run specific queries against the policies stored in Verified Permissions. You can query your policies to determine which are applied to specific principals, specific resources, or both.

You can configure and connect Verified Permissions to send your policy management and authorization logs to AWS CloudTrail.

You can pass your authentication token from Amazon Cognito into an authorization request running through Verified Permissions. This allows you to pass through identity provider attributes directly into a policy evaluation and thereby an authorization decision generated by Verified Permissions.

Verified Permissions is integrated with CloudFormation, a service that helps you model and set up your AWS resources so that you can spend less time creating and managing your resources and infrastructure. You create a template that describes all the AWS resources that you want, and CloudFormation provisions and configures those resources for you.

The Verified Permissions SDK is available using C++, Go, Java, JavaScript, Kotlin, .NET, Node.js, PHP, Python, Ruby, Rust, and Swift.