Your app grew from 3 users to 30,000. What started as a simple admin/user role check is now a 400-line jungle of nested if-statements. Your security team can't audit it. Your product manager can't understand it. And every new feature adds more spaghetti. Amazon built Cedar because they had the same problem — at AWS scale.
What Cedar Actually Does
Cedar is an open-source policy language and evaluation engine created by Amazon for fine-grained authorization. It's the engine powering Amazon Verified Permissions (AVP) and several AWS services. The key insight: authorization policies should be readable, analyzable, and mathematically verifiable — not buried in application code.
Cedar policies look almost like plain English. You express rules like "A User can view a Photo if they are in the Photo's viewer list, or if the Photo is public." The Cedar engine evaluates these policies in microseconds and provides formal verification tools to prove your policies are correct before you ship.
The Cedar SDK is available in Rust, Java, Python, JavaScript/TypeScript, and Go. The Rust core is open source (Apache 2.0). Amazon Verified Permissions provides a hosted version with a free tier: 1 million authorization requests per month free for 12 months.
Quick Start: Cedar Local SDK
Install the JavaScript Cedar WASM package — no AWS account needed:
npm install @cedar-policy/cedar-wasm
const { Authorizer, PolicySet } = require("@cedar-policy/cedar-wasm/nodejs");
const policiesStr = `
permit(
principal,
action in [Action::"View", Action::"Edit", Action::"Delete"],
resource
) when {
resource.owner == principal
};
permit(
principal,
action == Action::"View",
resource
) when {
principal in resource.viewers
};
`;
const policies = PolicySet.parse(policiesStr);
const authorizer = new Authorizer();
const request = {
principal: { type: "User", id: "alice" },
action: { type: "Action", id: "Edit" },
resource: { type: "Document", id: "doc-42" },
context: {}
};
const entitiesJson = [
{ uid: { type: "User", id: "alice" }, attrs: {}, parents: [] },
{
uid: { type: "Document", id: "doc-42" },
attrs: {
owner: { "__entity": { type: "User", id: "alice" } },
viewers: []
},
parents: []
}
];
const result = authorizer.isAuthorized(request, policies, entitiesJson);
console.log(result.decision); // "Allow"
Using Amazon Verified Permissions hosted API:
aws verifiedpermissions create-policy-store \
--validation-settings '{ "mode": "OFF" }' \
--region us-east-1
aws verifiedpermissions is-authorized \
--policy-store-id YOUR_STORE_ID \
--principal '{ "entityType": "User", "entityId": "alice" }' \
--action '{ "actionType": "Action", "actionId": "Edit" }' \
--resource '{ "entityType": "Document", "entityId": "doc-42" }'
3 Practical Use Cases
1. Document Sharing with Granular Permissions
Cedar shines at "Alice shared doc with Bob for read-only" patterns that are a nightmare with traditional RBAC:
permit(
principal,
action in [Action::"View", Action::"Edit", Action::"Delete"],
resource
) when {
resource.owner == principal
};
permit(
principal,
action == Action::"View",
resource
) when {
principal in resource.viewers
};
permit(
principal,
action == Action::"View",
resource
) when {
resource.isPublic
};
Three rules cover the entire document sharing model. Readable, auditable, correct.
2. Time-Based Access Control
Cedar supports context attributes, enabling time-based policies without any code changes:
aws verifiedpermissions is-authorized \
--policy-store-id YOUR_STORE_ID \
--principal '{ "entityType": "User", "entityId": "contractor-bob" }' \
--action '{ "actionType": "Action", "actionId": "AccessSystem" }' \
--resource '{ "entityType": "System", "entityId": "prod-db" }' \
--context '{
"contextMap": {
"currentTime": { "long": 1700000000 },
"contractExpiry": { "long": 1710000000 }
}
}'
Your Cedar policy: when { context.currentTime < context.contractExpiry }. Contractor access expires automatically — zero code changes.
3. Formal Verification Before Deploy
The killer feature: Cedar can prove your policies have no gaps or conflicts before you ship:
cargo install cedar-policy-cli
cedar authorize \
--policies policies.cedar \
--entities entities.json \
--principal 'User::"alice"' \
--action 'Action::"Delete"' \
--resource 'Document::"doc-1"'
cedar test --policies policies.cedar --test-file tests.cedartest
The analysis tool can answer: "Can a non-admin ever reach the admin endpoint?" — with a mathematical proof or a counterexample, not just passing tests.
Why This Matters
Cedar represents a fundamental shift in how we think about authorization. Traditional role checks are hidden in code, untestable in isolation, and impossible to audit without reading everything. Cedar policies are a first-class artifact: stored separately, version-controlled, reviewable by non-engineers, and formally verifiable.
For regulated industries — fintech, healthcare, legal tech — this is transformative. Your compliance team can read the actual policies. Your security team can run analysis tools. The fact that Amazon built Cedar for internal AWS use and then open-sourced it is a strong signal of its production-readiness.
Need custom data extraction or web scraping solutions? I build production-grade scrapers and data pipelines. Check out my Apify actors or email me at spinov001@gmail.com for custom projects.
Follow me for more free API discoveries every week!
Top comments (0)