AVP is a service for fine-grained, policy-based access control in AWS applications.
- Centralized Policy Management: Manage and enforce access policies centrally.
- Fine-Grained Control: Allows for permissions based on user attributes, resource types, and actions.
- Policy-Based Access Control (PBAC): Uses policies written in Cedar for flexible permission definitions.
- Integration: Works with Amazon Cognito and other OIDC-compatible identity providers.
This is an example of an AVP policy, defined as a CDK `CfnPolicy` with a static Cedar statement:

```typescript
import { CfnPolicy } from "aws-cdk-lib/aws-verifiedpermissions";

// Static policy: premium-tier tenants may list, read and delete promotions.
new CfnPolicy(scope, "PromotionServicePolicy", {
  definition: {
    static: {
      statement: `permit (
        principal,
        action in
          [TenantServerlessSaaSAPI::Action::"delete /promotions/{id}",
           TenantServerlessSaaSAPI::Action::"get /promotions",
           TenantServerlessSaaSAPI::Action::"get /promotions/{id}"],
        resource
      )
      when { principal["custom:tenantTier"] == "premium" };`,
      description: 'Access to promotion service for premium tier',
    }
  },
  policyStoreId: policyStore.attrPolicyStoreId,
});
```

Decision evaluation and enforcement
With AVP, both decision evaluation and enforcement are left to the engineer. For example, a Lambda function can perform the following:

```python
import boto3

# Create the client once so it is reused across warm invocations
avp_client = boto3.client('verifiedpermissions')

def lambda_handler(event, context):
    user = event['requestContext']['authorizer']['claims']
    # Policy action ids are lowercase ("get /promotions"); API Gateway sends "GET"
    action = f"{event['httpMethod'].lower()} {event['resource']}"
    response = avp_client.is_authorized(
        policyStoreId="your_policy_store_id",
        principal={
            "entityType": "User",  # principal entity type as defined in your schema
            "entityId": user['sub']
        },
        action={
            "actionType": "TenantServerlessSaaSAPI::Action",
            "actionId": action
        },
        resource={
            "entityType": "Application",  # specify your resource entity type and id
            "entityId": "promotions"
        }
    )
    # Deny by default: anything other than an explicit ALLOW is rejected
    if response['decision'] != 'ALLOW':
        return {
            "statusCode": 403,
            "body": "Unauthorized"
        }
    # other
```
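As an added example (not code from the original page), here is a fuller version of that enforcement step: it maps the API Gateway event to the IsAuthorized request shape, forwards the Cognito `custom:tenantTier` claim as a principal attribute so the policy's `when` clause has data to evaluate, and fails closed on DENY, missing claims or API errors. The entity types `TenantServerlessSaaSAPI::User` and `TenantServerlessSaaSAPI::Application`, the policy store id placeholder, the sample event and the function names `build_request`, `authorize` and `lambda_handler` are assumptions.

```python
POLICY_STORE_ID = "<your-policy-store-id>"  # placeholder, not a real id
NAMESPACE = "TenantServerlessSaaSAPI"       # Cedar namespace used by the policy above

# Constructed sample API Gateway (REST, Cognito authorizer) event for a premium-tier user.
SAMPLE_EVENT = {
    "httpMethod": "DELETE",
    "resource": "/promotions/{id}",
    "requestContext": {"authorizer": {"claims": {
        "sub": "user-123", "custom:tenantTier": "premium"}}},
}


def build_request(event: dict) -> dict:
    """Map the event to IsAuthorized parameters, forwarding the Cognito claims as
    principal attributes so `principal["custom:tenantTier"]` can be evaluated."""
    claims = event["requestContext"]["authorizer"]["claims"]
    # Entity types are assumptions: the policy leaves principal and resource unconstrained.
    principal = {"entityType": f"{NAMESPACE}::User", "entityId": claims["sub"]}
    resource = {"entityType": f"{NAMESPACE}::Application", "entityId": NAMESPACE}
    # Policy action ids are lowercase ("get /promotions") but API Gateway sends "GET".
    action_id = f"{event['httpMethod'].lower()} {event['resource']}"
    return {
        "policyStoreId": POLICY_STORE_ID,
        "principal": principal,
        "action": {"actionType": f"{NAMESPACE}::Action", "actionId": action_id},
        "resource": resource,
        "entities": {"entityList": [{
            "identifier": principal,
            "attributes": {"custom:tenantTier": {"string": claims.get("custom:tenantTier", "")}},
            "parents": [],
        }]},
    }


def authorize(event: dict, client=None) -> bool:
    """True only on an explicit ALLOW; DENY, missing claims and API errors fail closed."""
    if client is None:
        import boto3  # lazy import: the module loads without the SDK for local tests
        client = boto3.client("verifiedpermissions")
    try:
        response = client.is_authorized(**build_request(event))
    except Exception:
        return False
    return response.get("decision") == "ALLOW"


def lambda_handler(event: dict, context, client=None) -> dict:
    """Enforcement point: the handler body runs only after an ALLOW decision."""
    if not authorize(event, client):
        return {"statusCode": 403, "body": "Forbidden"}
    return {"statusCode": 200, "body": "ok"}
```

The `client` parameter exists so the decision path can be exercised locally with a stand-in; in Lambda it is left unset and the real `verifiedpermissions` client is used.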
Alternatives
A known alternative is Permit.io, which focuses on broader compatibility across infrastructures and deployment models.