
Appendix A. End-to-end example with Amazon Verified Permissions


This appendix shows how to run the ACME “Customer Collaboration” example introduced in Chapter 9 on Amazon Verified Permissions (AVP, https://aws.amazon.com/verified-permissions/). The steps create a policy store, load a Cedar schema, add policies, and call is-authorized to obtain allow or deny decisions. You need only an AWS account and the AWS CLI (v2).

AVP is a fully managed authorization service that evaluates Cedar policies in the cloud. Instead of hosting our own policy engine, we upload a schema and policies to an AVP policy store and send authorization requests to its API. With strict validation enabled, AVP checks each policy against the schema when the policy is stored, evaluates requests in real time, and returns a single allow or deny decision together with the IDs of the policies that determined it (plus any evaluation errors, such as a policy referencing an attribute the entity does not have). One difference from a local engine matters for the rest of this appendix: AVP stores the schema and policies but not entity data, so each is-authorized request carries the entities (principals, resources, and their parents) that its policies need. The result is the same policy language and data model used throughout the book, with no infrastructure to run, whether for experiments or production workloads.

Note

The schema and policies used here are available as a GitHub repository at https://github.com/windley/acme-cedar-demo. The repository also includes a Jupyter Notebook for running through the examples in this appendix.
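The following is an added example, not code from the book's repository: it drives the whole appendix procedure (create a policy store with strict validation, put the schema, create the policies, evaluate requests) through the boto3 verifiedpermissions client, which calls the same API operations as the aws verifiedpermissions CLI subcommands. The schema, the three policies, the entity data and the scenario decisions are simplified stand-ins that I assume here to stand in for the repository's versions; the builder functions produce exactly the JSON that `aws verifiedpermissions is-authorized --cli-input-json` accepts and run without AWS credentials.

```python
"""Drive the ACME 'Customer Collaboration' example through AVP (added example, not the
book repository's code). SCHEMA, POLICIES and the entity data are simplified stand-ins
(assumptions). Only run_end_to_end() needs AWS credentials and boto3; the builders run
offline and produce the JSON that the AWS CLI v2 subcommands accept."""
import json

NS = "ACME"

def rec(attrs):  # Cedar JSON-schema record shape for an entity type
    return {"shape": {"type": "Record", "attributes": attrs}}

# Hypothetical schema in Cedar JSON form, the format put-schema's cedarJson expects.
SCHEMA = {NS: {
    "entityTypes": {
        "Team": rec({}), "Customer": rec({}),
        "Employee": {"memberOfTypes": ["Team"], **rec({})},
        "Document": rec({"owner": {"type": "Entity", "name": "Employee"},
                         "delegatable": {"type": "Boolean"}}),
    },
    "actions": {act: {"appliesTo": {
        "principalTypes": ["Employee", "Customer"], "resourceTypes": ["Document"],
        "context": {"type": "Record", "attributes": {"managedDevice": {"type": "Boolean"}}}}}
        for act in ("view", "share")},
}}

# Hypothetical stand-ins for the three A.4 policies, in Cedar syntax.
POLICIES = [
    ("Owner can do everything",
     f"permit(principal is {NS}::Employee, action, resource is {NS}::Document) "
     "when { resource.owner == principal };"),
    ("Employees can share documents that are delegatable",
     f'permit(principal is {NS}::Employee, action == {NS}::Action::"share", '
     f"resource is {NS}::Document) when {{ resource.delegatable }};"),
    ("Forbid access from unmanaged devices",
     "forbid(principal, action, resource) unless { context.managedDevice };"),
]

def entity(etype, eid, attributes=None, parents=()):
    # One AVP EntityItem: identifier, typed attribute values, parent (group) links.
    item = {"identifier": {"entityType": f"{NS}::{etype}", "entityId": eid}}
    if attributes:
        item["attributes"] = attributes
    if parents:
        item["parents"] = [{"entityType": f"{NS}::{t}", "entityId": i} for t, i in parents]
    return item

def acme_entities():
    # Constructed sample data (A.5): a team, two employees, a customer, two documents.
    owner = {"entityIdentifier": {"entityType": f"{NS}::Employee", "entityId": "alice"}}
    return [
        entity("Team", "engineering"),
        entity("Employee", "alice", parents=[("Team", "engineering")]),
        entity("Employee", "bob", parents=[("Team", "engineering")]),
        entity("Customer", "carol"),
        entity("Document", "roadmap", {"owner": owner, "delegatable": {"boolean": True}}),
        entity("Document", "contract", {"owner": owner, "delegatable": {"boolean": False}}),
    ]

def is_authorized_request(store_id, principal, action, resource, managed_device=True):
    # Input of `aws verifiedpermissions is-authorized --cli-input-json` and of boto3's
    # is_authorized(**request). AVP keeps no entity data, so every call carries the entities.
    return {
        "policyStoreId": store_id,
        "principal": {"entityType": f"{NS}::{principal[0]}", "entityId": principal[1]},
        "action": {"actionType": f"{NS}::Action", "actionId": action},
        "resource": {"entityType": f"{NS}::{resource[0]}", "entityId": resource[1]},
        "context": {"contextMap": {"managedDevice": {"boolean": managed_device}}},
        "entities": {"entityList": acme_entities()},
    }

# (name, principal, action, resource, managedDevice, decision the stand-in policies give)
SCENARIOS = [
    ("owner shares a non-delegatable doc", ("Employee", "alice"), "share", ("Document", "contract"), True, "ALLOW"),
    ("customer views a doc", ("Customer", "carol"), "view", ("Document", "roadmap"), True, "DENY"),
    ("employee shares a delegatable doc", ("Employee", "bob"), "share", ("Document", "roadmap"), True, "ALLOW"),
    ("employee shares a non-delegatable doc", ("Employee", "bob"), "share", ("Document", "contract"), True, "DENY"),
    ("owner views from an unmanaged device", ("Employee", "alice"), "view", ("Document", "roadmap"), False, "DENY"),
]

def run_end_to_end(region="us-east-1"):
    """Create a strictly validated store, load schema and policies, evaluate every
    scenario. Returns [(name, decision, expected decision, determining policy IDs)]."""
    import boto3  # deferred: everything above works without the SDK installed
    avp = boto3.client("verifiedpermissions", region_name=region)
    store_id = avp.create_policy_store(validationSettings={"mode": "STRICT"},
                                       description="ACME demo")["policyStoreId"]
    avp.put_schema(policyStoreId=store_id, definition={"cedarJson": json.dumps(SCHEMA)})
    for description, statement in POLICIES:  # strict mode rejects a policy that fails validation
        avp.create_policy(policyStoreId=store_id, definition={
            "static": {"description": description, "statement": statement}})
    results = []
    for name, principal, action, resource, managed, expected in SCENARIOS:
        resp = avp.is_authorized(**is_authorized_request(store_id, principal, action, resource, managed))
        results.append((name, resp["decision"], expected,
                        [p["policyId"] for p in resp["determiningPolicies"]]))
    return results
```

Calling run_end_to_end() with credentials configured creates a new policy store on every run; delete it afterwards with aws verifiedpermissions delete-policy-store --policy-store-id, or the stores accumulate. The forbid policy wins over both permits, which is why the last scenario denies even the owner; checking the determining policy IDs in the result is the quickest way to confirm that the deny came from the device policy rather than from a missing permit.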

A.1 Prerequisites

A.2 Create a policy store

A.3 Upload the Cedar schema

A.4 Uploading policies to AVP

A.4.1 View policies

A.4.2 Owner can do everything policy

A.4.3 Employees can share documents that are delegatable

A.4.4 Forbid access from unmanaged devices

A.5 Defining entities

A.5.1 Employees

A.5.2 Customers

A.5.3 Teams

A.5.4 Document

A.5.5 Using the entity definitions

A.6 Evaluating authorization requests

A.6.1 Owner actions

A.6.2 Customer viewing

A.6.3 Employee sharing

A.6.4 Unmanaged devices

A.7 Wrapping up the end-to-end example