Amazon Verified Permissions centralizes user permissions in a policy store, which developers can then use to authorize those users to perform certain actions in their applications.
According to Amazon, this felt like a necessary feature to create because of the significant effort required to implement authentication in an application. Typically, the logic for authorization happens within code, but it becomes increasingly complex as the number of users and permissions grows and changes.
For example, one user may need to share a document with someone in a different role, or a support agent might need to have temporary access to a customer account in order to help them resolve an issue.
“Managing permissions in code is prone to errors, and presents significant challenges when auditing permissions and deciding who has access to what, particularly when these permissions are expressed in different applications and using multiple programming languages,” Danilo Poccia, chief evangelist at AWS, wrote in a blog post.
Under the hood, Amazon Verified Permissions uses Cedar, which is an open-source project from Amazon for managing access control. Developers can define an authorization model schema that outlines principal types, resource types, and valid actions. Then, when policies are created, they are verified against this authorization model.
Any changes made to the policy store are tracked so that it’s possible to see who made the change and when.
Applications connect to the service through the AWS SDKs, and each authorization request retrieves the relevant policies to determine whether the user's action is allowed.
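As an added illustration, not code from the AWS announcement or the Cedar project, this is how the schema and policies described above might look in Cedar for the document-sharing and support-agent scenarios mentioned earlier; every namespace, entity, attribute and action name in it is invented.

```cedar
// Schema, in Cedar's human-readable schema syntax. The namespace, entity,
// attribute and action names are invented for this example.
namespace DocApp {
  // Support agents are Users placed in the Role::"SupportAgent" group.
  entity Role;
  entity User in [Role];
  entity Document = {
    owner: User,
    sharedWith: Set<User>,
    customerId: String
  };
  // The valid actions, and the principal/resource types each applies to.
  action viewDocument appliesTo {
    principal: [User],
    resource: [Document],
    // Supplied by the application on every request (see the request below).
    context: { ticketOpen: Bool, ticketCustomerId: String }
  };
  action shareDocument appliesTo {
    principal: [User],
    resource: [Document]
  };
}
// Policies. Each is validated against the schema above, so a policy that
// referenced an undeclared attribute (e.g. resource.ownerr) is rejected
// when it is written rather than failing at evaluation time.
// The owner of a document may view it and share it.
permit (
  principal,
  action in [DocApp::Action::"viewDocument", DocApp::Action::"shareDocument"],
  resource
) when { resource.owner == principal };
// Anyone the document has been shared with may view it, but not re-share it.
permit (
  principal,
  action == DocApp::Action::"viewDocument",
  resource
) when { resource.sharedWith.contains(principal) };
// A support agent may view a customer's document only while a ticket for that
// customer is open; the ticket state arrives in the per-request context.
permit (
  principal in DocApp::Role::"SupportAgent",
  action == DocApp::Action::"viewDocument",
  resource
) when { context.ticketOpen && context.ticketCustomerId == resource.customerId };
// Constructed request: agent-42 (in Role::"SupportAgent") viewing doc-7
// (customerId "cust-001") with context { ticketOpen: true, ticketCustomerId:
// "cust-001" } -> ALLOW via the third policy. With ticketOpen: false no permit
// matches, and Cedar's default answer is DENY.
```

Because the schema names every attribute a policy may touch, a reviewer auditing the policy store can read the permissions without tracing application code in several languages.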
The feature was first introduced in preview during re:Invent 2022, and is now generally available.