Build Verifiable and Effective Application Authorization in 40 Minutes (BOA209)

Title

AWS re:Invent 2023 - Build verifiable and effective application authorization in 40 minutes (BOA209)

Summary

  • The session was presented by Daniel, an AWS Community Builder and early adopter of Amazon Verified Permissions and Cedar, and Wojciech (Wojtek), an AWS Developer Advocate.
  • The focus was on application authorization (AuthZ), assuming authentication (AuthN) is already handled.
  • A poll was conducted to understand the complexity of the audience's current authorization systems, with most using role-based access control (RBAC).
  • The importance of permissions in applications and the challenges of managing them were discussed.
  • Different authorization models were covered, including RBAC, attribute-based access control (ABAC), and policy-based authorization.
  • Amazon Verified Permissions, a fully managed service that evaluates an application's authorization requests against stored policies, was introduced.
  • Cedar, the open-source policy language and evaluation engine that Amazon Verified Permissions is built on, was explained.
  • A use case of a simple bookstore app was presented, with authentication handled by Amazon Cognito.
  • The app's architecture included a front-end, REST API, AWS Lambda, and Amazon Verified Permissions for authorization.
  • Several authorization scenarios were implemented live, including basic RBAC, context-specific access control, ABAC for loyal customers, and granular access for publishers.
  • The session concluded with a discussion on lock-in, auditability, pricing, and resources for further learning.
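The scenarios listed above (basic RBAC, context-specific access control, ABAC for loyal customers, granular access for publishers; also restated under Insights) map onto one Cedar policy set. The block below is an added example written for this summary, not code from the session or from the presenters' repository. The entity types (User, Role, Book, Store), the Action names, the attribute names (region, yearsAsMember, publisher) and the regions are all assumptions chosen to illustrate the four patterns; a real policy store would define them in its schema.

```cedar
// Added example for a hypothetical bookstore; not the session's own policies.
// Assumed model: users are members of Role entities (Admin, Customer, Publisher),
// books carry a `publisher` attribute pointing at the publisher's User entity,
// and the application puts the caller's region into the request context.

// 1. RBAC: Admin role members can perform any action on any resource.
@id("admins-can-do-anything")
permit (
  principal in Role::"Admin",
  action,
  resource
);

// 2. RBAC: any customer may view books.
@id("customers-can-view-books")
permit (
  principal in Role::"Customer",
  action == Action::"ViewBook",
  resource
);

// 3. Context-specific control: orders may only be placed from a region the
//    store ships to. `forbid` overrides every `permit`, so this also blocks
//    admins. The `context has region` guard matters: if the attribute were
//    missing, an evaluation error would make the policy not apply, and a
//    forbid that does not apply fails open. With the guard, a missing region
//    makes the condition false, so the forbid applies and the request is denied.
@id("orders-only-from-served-regions")
forbid (
  principal,
  action == Action::"PlaceOrder",
  resource
) unless {
  context has region &&
  (context.region == "EU" || context.region == "US")
};

// 4. ABAC: customers with five or more years of membership see premium offers.
//    The attribute lives on the principal entity, so the same `has` guard
//    prevents an error for principals that lack it (they are simply not permitted).
@id("loyal-customers-see-premium-offers")
permit (
  principal in Role::"Customer",
  action == Action::"ViewPremiumOffers",
  resource
) when {
  principal has yearsAsMember && principal.yearsAsMember >= 5
};

// 5. Granular access for publishers: a publisher may edit or remove only the
//    books it published, decided by comparing an entity-valued attribute of the
//    resource with the principal itself.
@id("publishers-manage-own-books")
permit (
  principal in Role::"Publisher",
  action in [Action::"EditBook", Action::"RemoveBook"],
  resource
) when {
  resource has publisher && resource.publisher == principal
};
```

Cedar is default-deny: a request is allowed only if at least one `permit` matches and no `forbid` does. Walking a few assumed requests through the set: `User::"alice"` (in `Role::"Customer"`, `yearsAsMember` 6) performing `Action::"ViewPremiumOffers"` on `Store::"bookstore"` is allowed by policy 4; the same user performing `Action::"PlaceOrder"` with `context.region == "BR"`, or with no region at all, is denied by policy 3; an `Role::"Admin"` member placing an order from `"BR"` is also denied, because the forbid wins over policy 1. The `@id` annotations carry through to the policy IDs that appear in the authorization response's diagnostics, which is what makes the decision auditable after the fact.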

Insights

  • Amazon Verified Permissions is designed to handle custom application logic and permissions, offloading complexity from developers.
  • Cedar gives expressive, human-readable policy definitions that can be stored, managed and audited within Amazon Verified Permissions.
  • The session demonstrated how to implement various authorization controls, including RBAC, ABAC, and context-based access control, using Amazon Verified Permissions and Cedar.
  • AWS CloudTrail records the Amazon Verified Permissions API calls used to manage policy stores, schemas and policies; the authorization calls themselves (IsAuthorized, IsAuthorizedWithToken and BatchIsAuthorized) are logged as CloudTrail data events, which a trail does not capture unless data-event logging is enabled for Verified Permissions.
  • Amazon Verified Permissions is billed per request, with separate rates for policy-management operations and for authorization requests; since the application makes an authorization call for every protected operation, the volume of those calls is the main cost driver.
  • Because Cedar is open source, policies written for Amazon Verified Permissions are not tied to the service: the same policies can be evaluated by a self-hosted Cedar engine if a migration away from the managed service is ever needed.
  • The presenters provided resources for attendees to explore Amazon Verified Permissions and CEDAR further, including a GitHub repository, a CLI tool, a workshop, blog posts, and AWS re:Invent sessions.