Amazon Verified Permissions

Amazon Verified Permissions (AVP) is AWS's managed fine-grained authorization service, powered by the Cedar policy language.

What is Amazon Verified Permissions?

Amazon Verified Permissions is a fully managed authorization service that helps you implement fine-grained access control in your applications. Key features include:

  • Cedar policy language – Human-readable, analyzable policies
  • Policy stores – Managed storage for your authorization policies
  • Schema validation – Ensure policies match your entity model
  • Real-time evaluation – Millisecond authorization decisions
  • AWS integration – Native support for Cognito, API Gateway, and more

AVP as a Policy Decision Point

Amazon Verified Permissions acts as a Policy Decision Point (PDP) in your authorization architecture:

  • PAP – Big ACL creates Cedar policies
  • PDP – AVP evaluates policies
  • PEP – Your app enforces decisions

Your application sends authorization requests to AVP, which evaluates them against Cedar policies and returns allow or deny decisions.

Cedar Policy Example

Amazon Verified Permissions uses Cedar, a policy language designed for authorization:

permit (
    principal == User::"alice",
    action == Action::"view",
    resource == Document::"roadmap.pdf"
) when {
    principal.department == resource.owner.department
};

This policy allows Alice to view roadmap.pdf only if she's in the same department as the document owner.
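
The enforcement side of the exchange described above, as an added example that is not from the original page or from Big ACL: a Python PEP builds the IsAuthorized request for this policy, including the entity attributes the when clause reads, and denies unless AVP returns an explicit ALLOW. The policy store ID is a placeholder, the owner "bob" and the department values are constructed, and the entity types are assumed to be un-namespaced as in the policy.

```python
# Added example (not from the original page): PEP-side call to AVP.
POLICY_STORE_ID = "PLACEHOLDER-POLICY-STORE-ID"  # placeholder, not from the page


def ref(entity_type, entity_id):
    """Entity identifier in the shape the IsAuthorized API expects."""
    return {"entityType": entity_type, "entityId": entity_id}


def build_request(user, user_dept, doc, owner, owner_dept):
    """Build an IsAuthorized request that supplies the attributes the policy
    reads: principal.department and resource.owner.department."""
    # Keyed by ID so a user who owns the document is sent only once.
    departments = {owner: owner_dept, user: user_dept}
    entities = [
        {"identifier": ref("User", name),
         "attributes": {"department": {"string": dept}}}
        for name, dept in departments.items()
    ]
    # owner is an entity reference so resource.owner.department can resolve.
    entities.append({
        "identifier": ref("Document", doc),
        "attributes": {"owner": {"entityIdentifier": ref("User", owner)}},
    })
    return {
        "policyStoreId": POLICY_STORE_ID,
        "principal": ref("User", user),
        "action": {"actionType": "Action", "actionId": "view"},
        "resource": ref("Document", doc),
        "entities": {"entityList": entities},
    }


def is_allowed(client, request):
    """Fail closed: grant only on an explicit ALLOW with no evaluation errors."""
    try:
        resp = client.is_authorized(**request)
    except Exception:
        return False  # PDP unreachable or request rejected: deny
    # Conservative choice: a policy that errored is skipped by the evaluator,
    # so any reported error is treated as a deny here.
    return resp.get("decision") == "ALLOW" and not resp.get("errors")


if __name__ == "__main__":
    import boto3  # needs AWS credentials and an existing policy store
    avp = boto3.client("verifiedpermissions")
    # Constructed sample values: owner "bob", department "engineering".
    req = build_request("alice", "engineering", "roadmap.pdf", "bob", "engineering")
    print("allowed" if is_allowed(avp, req) else "denied")
```

If the request omits the owner's entity or its department attribute, the when clause cannot resolve and the permit does not apply, so the PEP must send all three entities.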

Use Cases for Amazon Verified Permissions

Multi-tenant SaaS Applications

Isolate customer data with tenant-aware policies

Role-Based Access Control (RBAC)

Define permissions based on user roles

Attribute-Based Access Control (ABAC)

Make decisions based on user and resource attributes

Relationship-Based Access Control (ReBAC)

Grant access based on entity relationships

Big ACL + Amazon Verified Permissions

Big ACL serves as the Policy Administration Point for Amazon Verified Permissions, providing:

  • Natural language authoring – Write policies in plain English, export to Cedar
  • Policy testing – Validate Cedar policies before deploying to AVP
  • Version control – Track policy changes with full audit history
  • Multi-PDP support – Use the same policy model for AVP and OPA
  • Collaboration – Enable security and product teams to manage policies together
