Title
AWS re:Invent 2022 - [NEW] Use policies to manage permissions w/Amazon Verified Permissions (SEC335)
Summary
- Amazon Verified Permissions (AVP) is a new service launched in Gated Preview at AWS re:Invent 2022.
- Julian Lovelock, the product manager, introduced AVP and explained its purpose in managing application permissions.
- AVP supports Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).
- The service aims to simplify permissions management, making it easier to read, audit, and change permissions without altering application code.
- AVP stores permissions as policies and evaluates user actions against these policies in milliseconds.
- Mahmoud Matouk, a solutions architect, demonstrated how to integrate AVP with applications, including creating policy stores, adding policies, and using a simulator for testing.
- Emina, a senior principal applied scientist, delved into the Cedar policy language, emphasizing its design for expressiveness, performance, and analyzability.
- Cedar allows custom data types, hierarchies, and attributes, and supports JSON-like structures.
- Policies in Cedar are structured with an RBAC rule followed by ABAC conditions for readability and performance.
- Cedar's evaluation engine is written in Rust for speed and memory efficiency, and its behavior is checked against a formal, executable specification written in Dafny for correctness.
- Static analysis tools are provided for policy validation and for advanced analyses, such as those based on satisfiability modulo theories (SMT) solving.
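As an added illustration of the RBAC-head-then-ABAC-condition shape described above (these policies are constructed for this summary, not taken from the talk or from Cedar's own samples), here is a small set of Cedar policies for a hypothetical document-sharing application; the entity types `User`, `Role`, `Document`, `Folder` and `Action`, and the attributes `department`, `owner` and `classification`, are assumptions about that application's schema:

```cedar
// Constructed example for a hypothetical document-sharing app (assumed schema):
// Users are members of Role groups; Documents are grouped under Folders;
// User has attribute department: String; Document has attributes
// owner: User, department: String and classification: String.

// RBAC head: only members of Role::"Editor" acting on documents under the
// Engineering folder get past the scope at all, which keeps evaluation cheap.
// ABAC body: the editor must own the document or share its department.
permit (
  principal in Role::"Editor",
  action in [Action::"viewDocument", Action::"editDocument"],
  resource in Folder::"Engineering"
)
when {
  resource.owner == principal ||
  resource.department == principal.department
};

// Viewers may read; nothing here grants edit, so edit requests from a
// viewer fall through with no matching permit and are denied by default.
permit (
  principal in Role::"Viewer",
  action == Action::"viewDocument",
  resource in Folder::"Engineering"
);

// In Cedar a forbid always overrides any permit: restricted documents are
// denied to everyone except the owner, regardless of the permits above.
forbid (
  principal,
  action,
  resource in Folder::"Engineering"
)
when { resource.classification == "restricted" }
unless { resource.owner == principal };
```

With this policy set, a request from a user in Role::"Editor" whose department matches an "internal" document's department is allowed by the first permit, while the same request against a "restricted" document owned by someone else is denied by the forbid, which is the case the simulator mentioned in the talk is useful for checking before deployment.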
Insights
- AVP addresses the complexity and challenges of permissions management within applications by providing a managed service for authorization.
- The separation of permissions logic from application code is a significant advantage, as it allows for easier management and auditing of permissions without the need for code changes.
- The Cedar policy language is designed to be both human-readable and machine-analyzable, which is crucial for both developers and auditors.
- The use of Rust for the Cedar engine suggests a focus on performance and safety, which is essential for authorization systems that need to be both fast and reliable.
- The introduction of advanced static analysis tools indicates AWS's commitment to providing robust tools for policy authoring and verification, reducing the risk of security flaws in permissions policies.
- The gated preview of AVP suggests that AWS is seeking early feedback and use cases from customers to refine the service before a wider release.