Amazon ‘Verified Permissions’ for custom apps now generally available, built on open-source Cedar project

Amazon has this week fully released its Verified Permissions service, designed to assist developers in adding fine-grained permission management to applications, and based on the open-source Cedar access control language and library. This is the second of the company’s services to use Cedar, the first being AWS Verified Access, which checks permission to access an application based on policy defined with the language.

According to a post last month, the challenge when developing Cedar was to ensure correct decisions. The team used a process called “verification-guided development” which included automated reasoning and random testing. Cedar follows two principles: “Explicit permit” means that permission is never granted by default; and “forbid overrides permit” means that in the event of a conflict, a forbid policy always denies access. Another facet of Cedar is that “the sequence in which policies are arranged has no impact on the outcome of the evaluation,” as the tutorial explains, preventing a common category of mistakes.
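The three evaluation rules described above, modelled in Rust as an added example; this is not code from the article or from the Cedar project, and it does not use the Cedar library's API. The `Policy` and `Request` types, the function names and the sample policies are all hypothetical and constructed for illustration.

```rust
// Simplified model, not the cedar-policy crate's API; all names are hypothetical.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Effect { Permit, Forbid }
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Decision { Allow, Deny }
pub struct Request<'a> { pub principal: &'a str, pub action: &'a str, pub private: bool }
#[derive(Clone)]
pub struct Policy {
    pub effect: Effect,
    pub principal: Option<&'static str>, // None matches any principal
    pub action: Option<&'static str>,    // None matches any action
    pub only_if_private: bool,           // condition on the requested resource
}
fn applies(p: &Policy, r: &Request) -> bool {
    p.principal.map_or(true, |x| x == r.principal)
        && p.action.map_or(true, |x| x == r.action)
        && (!p.only_if_private || r.private)
}

pub fn authorize(policies: &[Policy], r: &Request) -> Decision {
    let hit = |e: Effect| policies.iter().any(|p| p.effect == e && applies(p, r));
    // Forbid overrides permit; with no matching permit the default is deny.
    if !hit(Effect::Forbid) && hit(Effect::Permit) { Decision::Allow } else { Decision::Deny }
}

// Evaluates every ordering of the policy set and checks the decision never changes.
pub fn same_in_every_order(v: &mut [Policy], k: usize, r: &Request, want: Decision) -> bool {
    if k == v.len() { return authorize(v, r) == want; }
    for i in k..v.len() {
        v.swap(k, i);
        let ok = same_in_every_order(v, k + 1, r, want);
        v.swap(k, i);
        if !ok { return false; }
    }
    true
}

pub fn sample_policies() -> Vec<Policy> { // constructed sample set
    vec![
        Policy { effect: Effect::Permit, principal: Some("alice"), action: Some("view"), only_if_private: false },
        Policy { effect: Effect::Forbid, principal: None, action: None, only_if_private: true },
    ]
}

fn main() {
    let (mut ps, r) = (sample_policies(), Request { principal: "alice", action: "view", private: true });
    let stable = same_in_every_order(&mut ps, 0, &r, Decision::Deny);
    println!("{:?} stable={}", authorize(&ps, &r), stable);
}
```

Because the decision depends only on which policies match and never on their position, moving the `forbid` policy to the top or bottom of the set cannot turn a deny into an allow.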

Inadvertently granting permissions to the public, or to a wider group of users than intended, is a common security vulnerability, not least with AWS S3 buckets, as many examples show.

The Cedar library is coded in Rust. The Cedar developers argue that “because Cedar policies are separate from application code, they can be independently authored, analyzed, and audited, and even shared among multiple applications.” The project is open source on GitHub under the Apache 2.0 license, though very much driven by AWS engineers.

Verified Permissions addresses a common use case: that application users are assigned different levels of access depending on a variety of factors. The docs put it succinctly: “Verified Permissions provides authorization by verifying whether a principal is allowed to perform an action on a resource in a given context in a custom application.” 

Although developers can easily devise their own methods for controlling permissions, this kind of code is easy to get wrong. Verified Permissions makes no assumptions about the provider used for authentication. This could be Amazon Cognito (the default in the documentation) or even custom authentication. “Verified Permissions is agnostic to where the user is managed and how the user was authenticated,” the docs state.

The cost of the new service is based on the number of requests. Up to 40 million authorization requests per month costs $150 per million, while policy management requests cost $40 per million.

Alternatives to Cedar include Google Zanzibar, Open Policy Agent, and Cerbos. The common mantra? That devs should not attempt to implement authorization, authentication and policy themselves; though it is no surprise that Amazon has chosen to develop its own rather than adopting one of the existing solutions.