AWS::VerifiedPermissions::PolicyStore
Creates a policy store. A policy store is a container for policy resources. You can create a separate policy store for each of your applications.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::VerifiedPermissions::PolicyStore", "Properties" : { "Description" :String, "Schema" :SchemaDefinition, "ValidationSettings" :ValidationSettings} }
YAML
Type: AWS::VerifiedPermissions::PolicyStore Properties: Description:StringSchema:SchemaDefinitionValidationSettings:ValidationSettings
Properties
Description-
Descriptive text that you can provide to help with identification of the current policy store.
Required: No
Type: String
Minimum:
0Maximum:
150Update requires: No interruption
Schema-
Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
Required: No
Type: SchemaDefinition
Update requires: No interruption
ValidationSettings-
Specifies the validation setting for this policy store.
Currently, the only valid and required value is
Mode.Important
We recommend that you turn on
STRICTmode only after you define a schema. If a schema doesn't exist, thenSTRICTmode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.Required: Yes
Type: ValidationSettings
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the unique id of the new or updated policy store. For
example:
{ "Ref": "PSEXAMPLEabcdefg111111" }
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn-
The Amazon Resource Name (ARN) of the new or updated policy store.
PolicyStoreId-
The unique ID of the new or updated policy store.
Examples
Creating a policy store with a schema and verification enabled
The following example creates a policy store that is configured with a schema and policy validation against that schema turned on.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation sample template for creating a policy store for Verified Permissions.", "Resources": { "MyPolicyStore": { "Type": "AWS::VerifiedPermissions::PolicyStore", "Properties": { "Schema": { "CedarJson": "{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}" }, "ValidationSettings": { "Mode": "STRICT" } } } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Description: >- Description": "AWS CloudFormation sample template for creating a policy store for Verified Permissions." Resources: MyPolicyStore: Type: AWS::VerifiedPermissions::PolicyStore Properties: Schema: CedarJson: '{"PhotoApp":{"commonTypes":{"PersonType":{"type":"Record","attributes":{"age":{"type":"Long"},"name":{"type":"String"}}},"ContextType":{"type":"Record","attributes":{"ip":{"type":"Extension","name":"ipaddr","required":false},"authenticated":{"type":"Boolean","required":true}}}},"entityTypes":{"User":{"shape":{"type":"Record","attributes":{"userId":{"type":"String"},"personInformation":{"type":"PersonType"}}},"memberOfTypes":["UserGroup"]},"UserGroup":{"shape":{"type":"Record","attributes":{}}},"Photo":{"shape":{"type":"Record","attributes":{"account":{"type":"Entity","name":"Account","required":true},"private":{"type":"Boolean","required":true}}},"memberOfTypes":["Album","Account"]},"Album":{"shape":{"type":"Record","attributes":{}}},"Account":{"shape":{"type":"Record","attributes":{}}}},"actions":{"viewPhoto":{"appliesTo":{"principalTypes":["User","UserGroup"],"resourceTypes":["Photo"],"context":{"type":"ContextType"}}},"createPhoto":{"appliesTo":{"principalTypes":["User","UserGroup"],"resourceTypes":["Photo"],"context":{"type":"ContextType"}}},"listPhotos":{"appliesTo":{"principalTypes":["User","UserGroup"],"resourceTypes":["Photo"],"context":{"type":"ContextType"}}}}}}' ValidationSettings: Mode: STRICT
