Policy Language
Cedar Language
Cedar is an open-source policy language designed for fine-grained authorization, created by AWS and used in Amazon Verified Permissions.
What is Cedar?
Cedar is a policy language specifically designed for authorization. Unlike general-purpose languages, Cedar is purpose-built to be:
- Expressive – Supports RBAC, ABAC, and ReBAC patterns
- Analyzable – Policies can be formally verified
- Fast – Designed for real-time authorization decisions
- Readable – Clear syntax understandable by humans
- Safe – Always terminates, no side effects
Cedar Syntax Examples
Simple Permission
// Allow admins to perform any action
permit (
    principal in Role::"admin",
    action,
    resource
);
Attribute-Based Policy
// Users can edit documents in their department
permit (
    principal,
    action == Action::"edit",
    resource is Document
) when {
    principal.department == resource.department
};
Relationship-Based Policy
// Project members can view project resources
permit (
    principal,
    action == Action::"view",
    resource
) when {
    principal in resource.project.members
};
Forbid Policy (Deny)
// Never allow deletion of archived documents
forbid (
    principal,
    action == Action::"delete",
    resource is Document
) when {
    resource.status == "archived"
};
Cedar vs Rego
Both Cedar and Rego are policy languages, but they have different design goals:
| Aspect | Cedar | Rego |
|---|---|---|
| Focus | Authorization only | General policy |
| Syntax | Declarative, SQL-like | Datalog-inspired |
| Verification | Formal analysis tools | Testing-based |
| Primary use | App authorization | Kubernetes, infrastructure |
| Runtime | AVP, Cedar SDK | OPA |
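How the permit and forbid policies under Cedar Syntax Examples combine into a single decision, as an added example that is not code from this page or from the Cedar project: a simplified Python model of Cedar's rule that a request is allowed only when at least one permit matches and no forbid matches, and that a policy whose condition errors is skipped. The entity dictionaries, the `roles` list standing in for `Role::"admin"` membership, and the policy names are assumptions made for the illustration.

```python
# Simplified model of Cedar's decision rule, NOT the Cedar engine or SDK.
# Policies mirror the four examples on this page; entity data is constructed.
class EvalError(Exception):
    """A condition read an attribute the entity does not have."""

def attr(entity, name):
    if name not in entity:
        raise EvalError(name)
    return entity[name]

# (effect, name, scope, when); scope and when take (principal, action, resource)
POLICIES = [
    ("permit", "admin-any",
     lambda p, a, r: "admin" in p.get("roles", ()), lambda p, a, r: True),
    ("permit", "edit-same-department",
     lambda p, a, r: a == "edit" and r["type"] == "Document",
     lambda p, a, r: attr(p, "department") == attr(r, "department")),
    ("permit", "view-project-member",
     lambda p, a, r: a == "view",
     lambda p, a, r: p["id"] in attr(attr(r, "project"), "members")),
    ("forbid", "no-delete-archived",
     lambda p, a, r: a == "delete" and r["type"] == "Document",
     lambda p, a, r: attr(r, "status") == "archived"),
]

def is_authorized(principal, action, resource):
    """Return (decision, determining policy names, policies skipped on error)."""
    matched, skipped = {"permit": [], "forbid": []}, []
    for effect, name, scope, when in POLICIES:
        if not scope(principal, action, resource):
            continue
        try:
            if when(principal, action, resource):
                matched[effect].append(name)
        except EvalError:
            skipped.append(name)  # an erroring policy is ignored, whatever its effect
    # Any matching forbid wins; otherwise a matching permit allows; default is deny.
    if matched["forbid"]:
        return "Deny", matched["forbid"], skipped
    if matched["permit"]:
        return "Allow", matched["permit"], skipped
    return "Deny", [], skipped

# Constructed sample entities
admin = {"id": "alice", "roles": ["admin"], "department": "eng"}
user = {"id": "bob", "department": "eng"}
archived = {"type": "Document", "department": "eng", "status": "archived"}
draft = {"type": "Document", "department": "eng"}  # no status attribute
```

In this model, as in Cedar, the forbid is skipped for `draft` because the document has no `status` attribute, so the admin's delete is allowed. In real policies, guard optional attributes with `has` (for example `resource has status && resource.status == "archived"`) or make the attribute required in the schema.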
Where Cedar Runs
Amazon Verified Permissions
AWS managed service for Cedar policy evaluation
Cedar SDK
Open-source libraries for Rust, Java, and Go
Self-hosted evaluation
Run Cedar policies in your own infrastructure
Generate Cedar with Big ACL
Writing Cedar policies manually can be error-prone. Big ACL lets you:
- Write in natural language – "Managers can approve expenses under $10,000"
- Auto-generate Cedar – Policies are translated to valid Cedar syntax
- Test before deploy – Validate policies with automated test generation
- Export to multiple formats – Same policy can target Cedar and Rego
Big ACL input (natural language):
"A manager can approve an expense report if the amount is less than $10,000 and they manage the submitter"
Generated Cedar:
permit (
    principal is User,
    action == Action::"approve",
    resource is ExpenseReport
) when {
    principal.role == "manager" &&
    resource.amount < 10000 &&
    resource.submitter in principal.directReports
};
Generate Cedar policies from natural language