Amazon Verified Permissions¶

What Is Amazon Verified Permissions?¶

Amazon Verified Permissions is a managed authorization service that centralizes fine-grained access control for applications.

It evaluates:

users
groups
resources
roles
application policies

to answer:

Should this action be allowed?

Think of Verified Permissions as:

Centralized authorization for applications.

Why It Matters for Security¶

Verified Permissions helps organizations:

centralize authorization logic
eliminate hardcoded permissions
enforce least privilege
simplify governance
scale application permissions

Security teams use it for:

fine-grained authorization
RBAC
ABAC
SaaS authorization
multi-tenant environments

Core Concepts¶

authorization service
policy evaluation
externalized authorization
centralized governance
fine-grained permissions
application authorization

Important Integrations¶

Amazon Cognito¶

Common identity source.

Provides:

authenticated users
user claims

External Identity Providers¶

Supports:

OIDC
SAML

Examples:

Okta
Entra ID

Application Backends¶

Applications submit:

User
+
Action
+
Resource

for authorization decisions.

Cedar Policy Language¶

Verified Permissions uses:

Cedar

Very important service identity.

AWS CloudTrail¶

Supports:

authorization auditing
compliance logging
decision tracking

Security Features¶

Fine-Grained Authorization¶

Access decisions may evaluate:

user
role
resource
attributes
application context

Example:

User
can
Edit
Document

Externalized Authorization¶

Move authorization out of application code.

Instead of:

if user.role == admin

Use:

Application
↓
Verified Permissions
↓
Decision

Very important modernization pattern.

RBAC and ABAC¶

Supports:

Role-Based Access Control¶

Example:

Editor
↓
Edit Documents

Attribute-Based Access Control¶

Example:

Department=Finance
AND
Region=London

Centralized Governance¶

Policies are:

reusable
centrally managed
easier to audit

Advanced Security and Operational Concepts¶

Policy Stores¶

Policies live inside:

→ Policy Store

A Policy Store provides:

logical isolation
application authorization boundary

Pattern:

Application
↓
Policy Store
↓
Policies
↓
Decision

Very important architecture concept.

Schema Validation¶

Before creating policies:

define:

entities
actions
attributes

Example:

User
Document
Action

Benefits:

validation before deployment
reduced runtime errors

Policy Templates¶

Reusable authorization logic.

Instead of:

UserA → View ResourceA

UserB → View ResourceB

Create:

?principal
can
View
?resource

Instantiate dynamically.

Useful for:

SaaS
multi-tenant systems
scale

Very important authorization capability.

IsAuthorizedWithToken API¶

Applications request authorization decisions.

Pattern:

Application
↓
JWT
↓
Verified Permissions
↓
Decision

Supports:

Cognito
OIDC

Benefits:

automatic claim evaluation
simplified authorization

Very important integration.

Authorization Auditing¶

Verified Permissions can record:

Permit
Deny
policy evaluations

Destination:

CloudTrail

Supports:

compliance
investigations
governance

Architecture Example¶

Centralized Authorization Platform¶

flowchart LR

USER[Authenticated User]

IDP[Identity Provider]

APP[Application]

AVP[Verified Permissions]

STORE[Policy Store]

CEDAR[Cedar Policies]

RESOURCE[Protected Resource]

USER --> IDP

IDP --> APP

APP --> AVP

STORE --> AVP

CEDAR --> STORE

AVP --> RESOURCE

classDef access fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;

class USER,APP,RESOURCE access;
class IDP,AVP,STORE,CEDAR security;

Use case: centralized authorization across multiple applications.

Authorization Workflow¶

sequenceDiagram

autonumber

participant USER

participant APP

participant AVP as Verified Permissions

participant POLICY

USER->>APP: Request action

APP->>AVP: IsAuthorized()

AVP->>POLICY: Evaluate Cedar rules

alt Permit

POLICY-->>AVP: Allow

AVP-->>APP: Authorized

APP-->>USER: Success

else Deny

POLICY-->>AVP: Reject

AVP-->>APP: Denied

APP-->>USER: Access denied

end

Use case: application-level authorization decision flow.

Verified Permissions vs IAM¶

Verified Permissions	IAM
application authorization	AWS authorization
business permissions	infrastructure permissions
application resources	AWS resources

Use Verified Permissions when:

controlling app behavior

Use IAM when:

controlling AWS access

Verified Permissions vs Cognito¶

Verified Permissions	Cognito
authorization	authentication
policy decisions	identity management

Relationship:

Authenticate
↓
Cognito

Authorize
↓
Verified Permissions

Very important distinction.

Verified Permissions vs IAM Identity Center¶

Verified Permissions	Identity Center
app permissions	workforce identity
authorization	SSO

Common Exam Traps¶

Trap 1 — Confusing Authentication and Authorization¶

Authentication:

→ Who are you?

Authorization:

→ What can you do?

Trap 2 — Assuming Verified Permissions Replaces IAM¶

IAM:

AWS permissions

Verified Permissions:

application permissions

Trap 3 — Forgetting Cedar¶

Policies use:

→ Cedar

Trap 4 — Forgetting Policy Stores¶

Policies belong inside:

→ Policy Store

Trap 5 — Assuming Policies Scale Individually¶

Use:

→ Policy Templates

Trap 6 — Assuming AVP Stores Identities¶

Identity providers:

authenticate

AVP:

evaluates

Trap 7 — Forgetting Authorization Auditing¶

Need decision traceability?

→ CloudTrail

5-Second Recall¶

Identity¶

Verified Permissions = centralized application authorization

Keywords¶

If the scenario mentions:

fine-grained authorization
application permissions
RBAC
ABAC
policy decisions

Answer:

→ Amazon Verified Permissions

Need Authentication?¶

→ Cognito

Need AWS Authorization?¶

→ IAM

Need Scalable Authorization?¶

→ Policy Templates

Need Authorization API?¶

→ IsAuthorizedWithToken

Need Decision Auditing?¶

→ CloudTrail

Quick Revision Notes¶

authorization service
uses Cedar
Policy Stores
Schema validation
Policy Templates
IsAuthorizedWithToken
supports RBAC
supports ABAC
integrates with Cognito
integrates with CloudTrail
centralized governance
not authentication
not IAM replacement