Distributed PDP with PEPs on APIs - AWS Prescriptive Guidance

Distributed PDP with PEPs on APIs

The distributed policy decision point (PDP) with policy enforcement points (PEPs) on APIs model follows industry best practices to create an effective system for API access control and authorization. As with the centralized PDP with PEPs on APIs model, this approach supports the following key principles:

  • Authorization and API access control are applied at multiple points in the application.

  • Authorization logic is independent of the application.

  • Access control decisions are centralized.

You might wonder why access control decisions are centralized when the PDP is distributed. Although the PDP might exist in multiple places in an application, it must use the same authorization logic to make access control decisions. All PDPs provide the same access control decisions given the same inputs. PEPs are implemented at all APIs to make authorization requests to a PDP.

In this approach, PDPs are implemented in multiple places in the application. For application components that have onboard compute capabilities that can run OPA and support a PDP, such as a containerized service with a sidecar or an Amazon Elastic Compute Cloud (Amazon EC2) instance, PDP decisions can be integrated directly into the application component without having to make a RESTful API call to a centralized PDP service. This has the benefit of reducing the latency that you might encounter in the centralized PDP model, because not every application component has to make additional API calls to obtain authorization decisions. However, a centralized PDP is still necessary in this model for application components that do not have onboard compute capabilities that enable direct integration of a PDP—such as the Amazon CloudFront or Amazon API Gateway services. The following diagram shows how this combination of a centralized PDP and a distributed PDP can be implemented in a hypothetical multi-tenant SaaS application.

A sample multi-tenant SaaS application that uses a distributed PDP with PEPs on APIs

Application flow:

Application flow - step 1

An authenticated user with a JWT token generates an HTTP request to Amazon CloudFront.
Application flow - step 2

CloudFront forwards the request to Amazon API Gateway configured as a CloudFront origin.
Application flow - step 3

An API Gateway Lambda authorizer is called to verify the JWT token.
Application flow - step 4

Microservices respond to request.

Authorization and API access control flow:

Authorization flow - step 1

The PEP calls the authorization service and passes request data, including any JWT tokens.
Authorization flow - step 2

The authorization service (PDP) takes the request data and queries an OPA agent REST API running as a sidecar, with the request data serving as an input to the query.
Authorization flow - step 3

OPA evaluates the input based on the relevant policies specified by the query. Data is imported to make an authorization decision if necessary.
Authorization flow - step 4

OPA returns a decision to the authorization service.
Authorization flow - step 5

The authorization decision to returned to the PEP and evaluated.

In this architecture, PEPs request authorization decisions at the service endpoints for CloudFront and API Gateway, and for each microservice. The authorization decision for microservices is made by an authorization service (the PDP) that operates as a sidecar with the application component. This model is possible for microservices (or services) that run on containers or EC2 instances. Authorization decisions for services such as API Gateway and CloudFront would still require contacting an external authorization service. Regardless, the authorization service exposes an API that is available to PEPs. Having the authorization service act as an intermediary between PEPs and OPA allows for the insertion of any transformation logic between PEPs and OPA that might be necessary—for example, when the authorization request from a PEP doesn’t conform to the query input expected by OPA.

You can also use this architecture with custom policy engines. However, any advantages gained from OPA must be replaced with logic provided by the custom policy engine.

A distributed PDP with PEPs on APIs provides an option to create a robust authorization system for APIs. It’s simple to implement and provides an easy-to-use idempotent interface for making authorization decisions for APIs, microservices, Backend for Frontend (BFF) layers, or other application components. This approach also has the advantage of reducing the latency that you might encounter in the centralized PDP model.