Access Management Customer Use of Cedar Policy Verified Permissions Iam201

Title: AWS re:Inforce 2024 - Access management: Customer use of Cedar policy & Verified Permissions (IAM201)

Insights:

  • Introduction to Cedar Policy Language: Cedar is an open specification policy language designed for authorization, focusing on simplicity, expressiveness, safety, performance, and analyzability. It aims to centralize authorization rules across multiple applications, reducing complexity and improving auditability.
  • Amazon Verified Permissions: This hosted service stores and evaluates Cedar policies, providing a centralized solution for managing authorization across various applications. It helps in reducing costs, risks, and friction associated with decentralized authorization.
  • Customer Use Cases:
    • StrongDM: Implemented Cedar for fine-grained, real-time authorization within their proxy, achieving high performance and low latency. They highlighted Cedar's readability, performance, and machine reasoning capabilities.
    • Simply Business: Used Amazon Verified Permissions to centralize authorization at the API Gateway level, reducing redundancy and improving security. They leveraged policy templates and infrastructure as code to automate policy creation and management.
  • New Features and Integrations:
    • Quick Start Wizard: Allows users to secure API Gateway APIs without writing code, supporting tokens from any OIDC provider.
    • Partnerships: Collaborations with CyberArk, Okta, and Transmit Security to ensure compatibility and ease of integration with Amazon Verified Permissions.
  • Technical Implementation:
    • Lambda Authorizer: Used by Simply Business to invoke Amazon Verified Permissions for authorization decisions, improving efficiency and centralizing control.
    • Caching: Implemented at the API Gateway level to reduce latency and improve performance, with a significant percentage of calls being cached.
    • OIDC Support: Simplifies token validation and authorization by integrating directly with OIDC providers, reducing the need for custom logic in Lambda functions.
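As an added illustration of the Lambda authorizer pattern described above (example code written for this summary, not Simply Business's or AWS's own), here is a minimal API Gateway REQUEST-type authorizer that delegates the decision to Amazon Verified Permissions and fails closed on anything other than an explicit ALLOW. The policy store id, the Cedar action and resource names (`MyApi::Action`, `MyApi::Application`) and the `avp-user` principal id are assumptions.

```python
from typing import Any, Dict, Optional

POLICY_STORE_ID = "PLACEHOLDER_POLICY_STORE_ID"  # assumption: your AVP policy store id

def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the bearer token from the Authorization header, or None if absent."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.lower().startswith("bearer "):
            return value[7:].strip() or None
    return None

def build_auth_request(token: str, method: str, path: str) -> Dict[str, Any]:
    """Map the HTTP call onto a Cedar action and resource (names are assumptions)."""
    return {
        "policyStoreId": POLICY_STORE_ID,
        "identityToken": token,  # OIDC id token; AVP validates it against the store's identity source
        "action": {"actionType": "MyApi::Action", "actionId": f"{method.upper()} {path}"},
        "resource": {"entityType": "MyApi::Application", "entityId": "MyApi"},
    }

def iam_policy(effect: str, method_arn: str, context: Dict[str, str]) -> Dict[str, Any]:
    """Build the response document API Gateway expects from a Lambda authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {
        "principalId": "avp-user",  # placeholder; a real authorizer would use the token subject
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        "context": context,
    }

def authorize(event: Dict[str, Any], client: Any) -> Dict[str, Any]:
    """Decide one request; anything other than an explicit ALLOW fails closed to Deny."""
    method_arn = event["methodArn"]
    token = extract_bearer_token(event.get("headers") or {})
    if token is None:
        return iam_policy("Deny", method_arn, {"reason": "missing bearer token"})
    response = client.is_authorized_with_token(
        **build_auth_request(token, event["httpMethod"], event["path"])
    )
    effect = "Allow" if response.get("decision") == "ALLOW" else "Deny"
    policies = ",".join(p.get("policyId", "") for p in response.get("determiningPolicies", []))
    return iam_policy(effect, method_arn, {"determiningPolicies": policies})

def lambda_handler(event: Dict[str, Any], _context: Any) -> Dict[str, Any]:
    import boto3  # imported here so the decision logic above stays testable offline
    return authorize(event, boto3.client("verifiedpermissions"))
```

The `context` map is returned to API Gateway so the determining policy ids can be surfaced in access logs, which is what makes a centralized decision auditable at the gateway.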

Quotes:

  • "Authorization is essentially the set of rules that describe what a user of an application is permitted to do and the enforcement of those rules."
  • "We wanted a policy language which is ergonomic, easy to understand, so it's comprehensible to non-technical folks, including auditors."
  • "Cedar runs evaluations up to 60 times as fast as a Rego evaluation."
  • "Internally at StrongDM, we find that writing Cedar expressions gets us thinking in the right direction."
  • "With Amazon Verified Permissions, we have role-based access control on the gateway level, and we don't need to do it anymore on the resource server."
  • "The Quick Start Wizard allows you to secure API Gateway APIs without having to write any code."
  • "We partnered with CyberArk, Okta, and Transmit Security to ensure their identity provider works with this feature."

This document provides a comprehensive overview of the session, highlighting the key points and insights while including impactful quotes to emphasize the main ideas discussed.