Amazon Verified Permissions
Amazon Verified Permissions is a managed fine-grained authorization service using Cedar policies — for applications that need to express "who can do what to which resource" outside of AWS IAM.
Definition
Amazon Verified Permissions is a managed authorization service that uses Cedar, an AWS-developed policy language, to express fine-grained access decisions for application data, separate from AWS IAM. It reached general availability (GA) in 2023 and was broadly expanded through 2024–2026 with native support for multi-tenant patterns and identity-provider integrations.
Why Verified Permissions, not IAM
IAM is AWS’s permission system for AWS API calls. Verified Permissions is for your application’s data and actions: “Can user X read document Y?”, “Can role Z approve invoice W in tenant T?”. Putting that logic in IAM is awkward (IAM does not scale to per-tenant per-document policies); putting it in custom application code is fragile and unauditable.
Capabilities
- Cedar policy language — Declarative, with a small grammar designed to be amenable to formal verification and automated analysis
- IsAuthorized API — Sub-10ms authorization decisions at production scale
- Policy Store — Versioned, reviewable policy artifacts
- Identity provider integration — Native Cognito user pools, OIDC, custom claims
- Multi-tenant patterns — Policy templates per tenant; entity stores per tenant
When to use Verified Permissions
- Multi-tenant SaaS authorization — Per-tenant policies without code rewrites
- You want policy decisions outside application code — Auditable, separately deployable
- Compliance regimes that demand a documented authorization model — HIPAA, SOC 2, ISO 27001
- Identity-aware microservices — Each service calls IsAuthorized at the request boundary
When not to use it
- Very low-cardinality permission models — Hardcoding roles in code is fine for 3 roles
- Pure infrastructure authorization — That’s IAM
- You need full Rego / OPA / open-source policy ecosystem — Cedar is AWS-specific
Common mistakes
Mistake 1: Putting your entity store (users, groups, documents) inside Verified Permissions instead of fetching it dynamically. Use entity references and pull from your existing identity / data plane.
Mistake 2: Hardcoding tenant IDs in policies. Use policy templates and bind the tenant context at IsAuthorized-call time.
Mistake 3: Writing one policy per user. Cedar’s strength is groups, roles, and resource hierarchies. Model the abstractions before writing per-user rules.
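The three mistakes above, avoided in Cedar, as an added example that is not from this page or from AWS. The entity types (DocApp::Tenant, DocApp::Role, DocApp::Action, the tenant/owner/classification attributes) and the mfa_authenticated context attribute are assumptions; the ?principal and ?resource slots are filled once per tenant when the template is linked, and group membership and attributes arrive as entity data with each IsAuthorized call.

```cedar
// Mistake 2 avoided: a policy template. The ?principal and ?resource slots
// are bound per tenant when the template is linked, so the policy text never
// contains a tenant ID (assumed types: DocApp::Tenant, DocApp::Action).
permit (
    principal in ?principal,
    action in [DocApp::Action::"viewDocument", DocApp::Action::"listDocuments"],
    resource in ?resource
);

// Mistake 3 avoided: one rule for the editor role instead of one per user.
// Role membership (principal in DocApp::Role::"editor") and the tenant
// attributes are supplied as entity data with each IsAuthorized call rather
// than kept inside the policy store (Mistake 1 avoided).
permit (
    principal in DocApp::Role::"editor",
    action == DocApp::Action::"editDocument",
    resource
)
when {
    principal has tenant && resource has tenant &&
    principal.tenant == resource.tenant
};

// Ownership modelled as a resource attribute, again avoiding per-user policies.
permit (
    principal,
    action in [DocApp::Action::"editDocument", DocApp::Action::"shareDocument"],
    resource
)
when { resource has owner && resource.owner == principal };

// Guardrail: in Cedar a forbid overrides every permit, so restricted documents
// stay closed unless the request context carries a verified MFA claim
// (assumed context attribute: mfa_authenticated).
forbid (
    principal,
    action,
    resource
)
when { resource has classification && resource.classification == "restricted" }
unless { context has mfa_authenticated && context.mfa_authenticated == true };
```

The `has` checks keep a policy from erroring out (and silently not applying) when an entity passed at call time lacks an attribute, which is the failure mode to watch for when entity data is assembled dynamically per request.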
Related AWS Services
- Amazon Cognito — Identity provider for the principal
- AWS IAM Identity Center — Workforce identity
- AWS IAM — AWS API-level permissions
- AWS AppSync — GraphQL layer that can call IsAuthorized at field resolution