Decoupling authorizations
When deploying microservices on AWS, one of the most intricate challenges is managing application-level authorizations. While IAM is excellent for controlling access to AWS resources, it doesn’t extend to the application logic within your microservices. Amazon Verified Permissions and the Cedar policy model can fill this gap by offering a robust and scalable solution for fine-grained, application-level access control.
Amazon Verified Permissions
Verified Permissions is a service designed to provide fine-grained authorizations within applications, operating independently from IAM. It employs Cedar, an open source policy language focused on security, to facilitate policy-based access control (PBAC). This becomes crucial in complex microservices architectures where granular and context-sensitive permissions are essential.
The key features and integrations of Verified Permissions are the following:
- Schema definition: At the core of Verified Permissions is the schema definition process. This involves outlining each entity type within your application along with its corresponding attributes. This schema acts as a foundational blueprint, ensuring that your policies are precisely aligned with your application’s unique authorization requirements.
- Policy store: The service includes a policy store that acts as a central repository for these policies. Its multi-tenancy capabilities allow distinct configurations and schema rules for each tenant. This feature is instrumental in ensuring data isolation and preventing unauthorized access across different tenants.
- Integration with application logic: Verified Permissions integrates directly into your application’s logic. For example, when a user attempts to perform an action, your application calls the Verified Permissions service at that moment to check whether the user is authorized for it. This real-time integration allows for dynamic, context-aware authorization that adapts as your application evolves.
- Integration with Cognito: The service also offers smooth integration with Cognito, enabling the direct transfer of attributes from your IdP into policy evaluation. This integration is especially beneficial for contextualizing authorization decisions. For instance, role information such as ‘Admin’ and ‘User’ can be transmitted from Cognito to Verified Permissions. Such integration allows for nuanced access decisions in microservices based on roles and additional contextual data.
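As an added example (not code from the original text or from AWS), the following shows two Cedar policies for a constructed `OrderApp` namespace and the Python that turns Cognito groups into `Role` parent entities and assembles a boto3 `is_authorized` request; the entity types, the claim values and the policy store id placeholder are all assumptions for this illustration.

```python
"""Map Cognito ID-token claims onto Cedar entities and build the request that
boto3 verifiedpermissions.is_authorized() accepts. The OrderApp namespace,
its User/Role/Order types and the claim values are constructed examples."""

# Constructed Cedar policies for the OrderApp store: members of the Admin role
# may perform any action; any user may view an order they own.
CEDAR_POLICIES = """
permit (
    principal in OrderApp::Role::"Admin",
    action,
    resource
);

permit (
    principal,
    action == OrderApp::Action::"viewOrder",
    resource
) when { resource.owner == principal };
"""

# Constructed claims, shaped like a Cognito ID token after verification.
CONSTRUCTED_CLAIMS = {"sub": "user-1", "email": "alice@example.com", "cognito:groups": ["Admin"]}


def entities_from_cognito(claims: dict) -> list[dict]:
    """Build the principal entity. Each Cognito group becomes a parent Role
    entity, so `principal in OrderApp::Role::"Admin"` matches group members."""
    groups = claims.get("cognito:groups", [])  # absent group claim -> no roles
    return [{
        "identifier": {"entityType": "OrderApp::User", "entityId": claims["sub"]},
        "attributes": {"email": {"string": claims.get("email", "")}},
        "parents": [{"entityType": "OrderApp::Role", "entityId": g} for g in groups],
    }]


def build_is_authorized_request(store_id, claims, action_id, order_id, owner_sub) -> dict:
    """Assemble keyword arguments for is_authorized(). The Order entity carries
    its owner so the second policy's `resource.owner == principal` can be evaluated."""
    order = {
        "identifier": {"entityType": "OrderApp::Order", "entityId": order_id},
        "attributes": {"owner": {"entityIdentifier": {"entityType": "OrderApp::User", "entityId": owner_sub}}},
        "parents": [],
    }
    return {
        "policyStoreId": store_id,
        "principal": {"entityType": "OrderApp::User", "entityId": claims["sub"]},
        "action": {"actionType": "OrderApp::Action", "actionId": action_id},
        "resource": {"entityType": "OrderApp::Order", "entityId": order_id},
        "entities": {"entityList": entities_from_cognito(claims) + [order]},
    }


if __name__ == "__main__":
    import boto3  # live call only; the functions above run offline
    req = build_is_authorized_request("POLICY_STORE_ID_PLACEHOLDER", CONSTRUCTED_CLAIMS, "viewOrder", "order-42", "user-1")
    print(boto3.client("verifiedpermissions").is_authorized(**req)["decision"])  # ALLOW or DENY
```

The response's `decision` field is the only thing the service returns to act on; a missing group claim simply yields a principal with no Role parents, so the first policy cannot match.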