AWS Verified Permissions
AWS Verified Permissions is Amazon’s managed authorization service powered by Cedar. You write Cedar policies, store them in Verified Permissions, and call the IsAuthorized API to evaluate authorization decisions — without running Cedar evaluation infrastructure yourself.
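An added example (not code from the page or from the AWS SDK) of what one IsAuthorized round-trip looks like from application code: it builds the request in the wire shape the API expects, then treats anything other than an explicit ALLOW as a deny. The transport is injected as a callable so the same code works with `lambda r: client.is_authorized(**r)` on a real boto3 client; the policy store id, the PhotoApp entity types and the stub response below are constructed.

```python
"""Build an IsAuthorized request and interpret the response fail-closed."""
from typing import Any, Callable, Dict, Optional, Tuple

Entity = Tuple[str, str]  # (entityType, entityId) or (actionType, actionId)


def to_attr(value: Any) -> Dict[str, Any]:
    """Encode a Python value as a Verified Permissions AttributeValue union."""
    if isinstance(value, bool):  # bool first: it is a subclass of int
        return {"boolean": value}
    if isinstance(value, int):
        return {"long": value}
    if isinstance(value, str):
        return {"string": value}
    if isinstance(value, (list, tuple, set)):
        return {"set": [to_attr(v) for v in value]}
    if isinstance(value, dict):
        return {"record": {k: to_attr(v) for k, v in value.items()}}
    raise TypeError(f"unsupported attribute type: {type(value).__name__}")


def build_request(policy_store_id: str, principal: Entity, action: Entity,
                  resource: Entity, context: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Assemble the IsAuthorized request body for one principal/action/resource triple."""
    req: Dict[str, Any] = {
        "policyStoreId": policy_store_id,  # constructed id in the test, not a real store
        "principal": {"entityType": principal[0], "entityId": principal[1]},
        "action": {"actionType": action[0], "actionId": action[1]},
        "resource": {"entityType": resource[0], "entityId": resource[1]},
    }
    if context:
        req["context"] = {"contextMap": {k: to_attr(v) for k, v in context.items()}}
    return req


def is_allowed(call: Callable[[Dict[str, Any]], Dict[str, Any]], request: Dict[str, Any]) -> bool:
    """Only an explicit ALLOW with no evaluation errors grants access.

    Denying on errors is this example's conservative choice: an error makes the
    offending policy not apply, so a forbid that failed to evaluate would be lost.
    """
    resp = call(request)
    if resp.get("errors"):
        return False
    return resp.get("decision") == "ALLOW"


def stub_call(request: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for client.is_authorized; a real call would hit AWS."""
    principal, action = request["principal"]["entityId"], request["action"]["actionId"]
    if principal == "alice" and action == "viewPhoto":
        return {"decision": "ALLOW", "determiningPolicies": [{"policyId": "p-owner-can-view"}], "errors": []}
    return {"decision": "DENY", "determiningPolicies": [], "errors": []}
```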
What it adds over the Cedar SDK
- Policy store — policies are stored and versioned in AWS rather than in your own database.
- Managed evaluation — the IsAuthorized API endpoint handles evaluation at scale.
- Schema validation — schemas are stored in the policy store; policy edits are validated on upload.
- Audit logging — authorization decisions are sent to CloudWatch Logs automatically.
When to use it vs the raw SDK
| | Verified Permissions | cedar-policy crate |
|---|---|---|
| Policy storage | AWS-managed | Your database |
| Operational burden | Low | You manage parsing, caching, storage |
| Latency | Network call to AWS (~5-15ms) | In-process (~0.1ms) |
| Multi-service sharing | Easy (single policy store) | Requires your own distribution |
| Cost | Per-authorization-request pricing | Compute only |
For single-service applications, the cedar-policy crate with policies stored in Postgres is simpler and cheaper. Verified Permissions makes sense when multiple services need to share the same policy store, or when you want AWS to handle operational concerns.