Amazon Verified Permissions for fine-grained authorization for applications | Amazon Web Services

  • Published 3 Aug 2023
  • Amazon Verified Permissions is a service for fine-grained authorization and permissions management for applications that you build. Verified Permissions is designed for high availability and scalability as it continually evaluates authorization decisions. Use Verified Permissions to decouple permissions from your application logic, and build more secure applications faster with centralized policy stores, reusable policy templates, and policy testing. You can manage application permissions and control access in your application using your existing identity provider that manages users and groups.
    With Verified Permissions, you can deliver secure delegated authorization to application resources and implement continual identity-based authorization in applications, a core principle of Zero Trust architecture. An integration with AWS CloudTrail records all access requests, helping security and audit teams better assess and audit who has accessed what in applications.
    Learn more at: go.aws/45e3TpZ
    More AWS videos: go.aws/3m5yEMW
    More AWS events videos: go.aws/3ZHq4BK
    Do you have technical AWS questions?
    Ask the community of experts on AWS re:Post: go.aws/3lPaoPb
    ABOUT AWS
    Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. Millions of customers - including the fastest-growing startups, largest enterprises, and leading government agencies - are using AWS to lower costs, become more agile, and innovate faster.
  • Science & Technology

Comments • 9

  • @mrajbe
    @mrajbe 10 months ago +4

    This article provides valuable insights, but it doesn't clarify what is "MyApplication" in the policy or how the Actions are associated with the endpoint and how resources are specified.

    • @jiggasnap
      @jiggasnap 5 months ago +1

      MyApplication is whatever application you're working on which requires restricting access to endpoints depending on who's calling them. Specifically, in the policy, it is the "namespace" of the schema.
      The Actions are associated with the endpoint by your mind. There's no reason why you can't say that the Action name is something like `GET /books`. That said, typically, endpoints have a human-readable name (in an OpenAPI/Swagger file it would be the operationId). You can use that human-readable name as your Cedar action name too.
      How resources are specified is up to you. You can decide that when they call `GET /books/{bookId}` the resource is of type Book. Then you fetch it from the DB by its bookId and you send it to AVP as a resource of type Book, with whatever id it had.
      Hope that helps.
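The mapping the reply above describes (namespace from the schema, action names taken from operationIds, the path parameter becoming the id of a `Book` resource) shown as an added example; this is not code from the video or from AWS, and the route table, the `BookCollection` resource type used for collection endpoints, and the `PS-PLACEHOLDER` policy store id are constructed assumptions:

```python
import re
from typing import Optional

# Cedar namespace declared in the policy store schema (the "MyApplication" of the demo).
NAMESPACE = "MyApplication"

# Constructed route table: (HTTP method, path pattern, Cedar action name, resource type).
# Action names mirror OpenAPI operationIds, as suggested above.
ROUTES = [
    ("GET", re.compile(r"^/books$"), "ListBooks", None),
    ("GET", re.compile(r"^/books/(?P<bookId>[^/]+)$"), "GetBook", "Book"),
    ("DELETE", re.compile(r"^/books/(?P<bookId>[^/]+)$"), "DeleteBook", "Book"),
]


def entity(entity_type: str, entity_id: str) -> dict:
    """Build an EntityIdentifier in the shape the IsAuthorized API expects."""
    return {"entityType": f"{NAMESPACE}::{entity_type}", "entityId": entity_id}


def build_authz_request(method: str, path: str, user_id: str, policy_store_id: str) -> Optional[dict]:
    """Map an incoming HTTP request to an IsAuthorized request body.

    Returns None for an unknown route so the caller can reject it instead of
    silently allowing it. Collection routes have no single Book, so the
    resource is a constructed BookCollection entity (an assumption, not an AVP rule).
    """
    for route_method, pattern, action, resource_type in ROUTES:
        if route_method != method:
            continue
        match = pattern.match(path)
        if not match:
            continue
        if resource_type is None:
            resource = entity("BookCollection", "all")
        else:
            # The path parameter is the id the application looked up in its own DB.
            resource = entity(resource_type, match.group("bookId"))
        return {
            "policyStoreId": policy_store_id,
            "principal": entity("User", user_id),
            "action": {"actionType": f"{NAMESPACE}::Action", "actionId": action},
            "resource": resource,
        }
    return None


def is_allowed(request: dict) -> bool:
    """Send the request to Verified Permissions (network call; assumes boto3 and AWS credentials)."""
    import boto3
    client = boto3.client("verifiedpermissions")
    return client.is_authorized(**request)["decision"] == "ALLOW"
```

A policy in the store such as `permit(principal == MyApplication::User::"alice", action == MyApplication::Action::"GetBook", resource == MyApplication::Book::"42");` would then match the request built for `GET /books/42`.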

  • @christine-trends
    @christine-trends 10 months ago

    Please can you guys make a tutorial video on how to "use scripts to bulk migrate policies to use fine-grained IAM actions"? This is really complex for a non-technical person. Alternatively, you could also refer us to where to get experts who can help with this migration. Thanks. Your reply will be appreciated.

  • @Vinod_Kumar827
    @Vinod_Kumar827 11 months ago +2

    Thanks for the awesome demo, this is going to be a beneficial service in the future. I have a minor query about something I did not understand. How is the mapping done between the application (Lambda as per this demo) and the Verified Permissions service with respect to the action (defined in the policy store) like MyApplication::Action::"SearchPets" or MyApplication::Action::"PlaceOrder"? What is this SearchPets or PlaceOrder in the application? Is that a path parameter or query parameter of the APIs defined in the application, or something else? I think you should have covered or explained that as well in the demo.

    • @awssupport
      @awssupport 11 months ago

      Hi there. This doc should help clarify Verified Permissions for you: go.aws/3qrqL6C. 🔖 For further help, you can also reach out to our devs and experts in re:Post: go.aws/aws-repost. 👨‍💻 ^RS

  • @DilwarHossainNoorChandan
    @DilwarHossainNoorChandan 11 months ago +5

    Price is super high for this service. $150/million requests 🙄🙄🙄

    • @marcvonmandel9185
      @marcvonmandel9185 10 months ago +1

      There is no minimum number of requests that a customer must make to use Amazon Verified Permissions. For example, if your application makes 1000 authorization requests, then you are charged for 1000 requests ($150 / 1000 requests = $0.15).

    • @ee7keelt
      @ee7keelt 10 months ago

      My exact thought. I've always dreamed about having an AWS IAM-like authorization solution but with many actions per user per day this solution is pretty much out of reach. It's really nice they open-sourced Cedar though. Also very nice video!

    • @Eriddoch
      @Eriddoch 2 months ago

      @ee7keelt Yeah, seeing that it's $0.15 per 1000 requests... that definitely seems expensive and out of budget for non-enterprise. If I have my math right, the way I view it is relative to the price per million API Gateway, Lambda, and Cognito requests, which is pretty low. Adding this makes it suddenly very expensive much earlier.
      .... but it's probably more convenient than deploying Open Policy Agent so there's that