Design models for Amazon Verified Permissions - AWS Prescriptive Guidance

Design models for Amazon Verified Permissions

Using a centralized PDP with PEPs on APIs

The centralized policy decision point (PDP) with policy enforcement points (PEPs) on APIs model follows industry best practices to create an effective and easily maintained system for API access control and authorization. This approach supports several key principles:

  • Authorization and API access control are applied at multiple points in the application.

  • Authorization logic is independent of the application.

  • Access control decisions are centralized.

Diagram: Using a centralized PDP with PEPs on APIs

Application flow (illustrated with blue numbered callouts in the diagram):

  1. An authenticated user with a JSON Web Token (JWT) generates an HTTP request to Amazon CloudFront.

  2. CloudFront forwards the request to Amazon API Gateway, which is configured as a CloudFront origin.

  3. An API Gateway custom authorizer is called to verify the JWT.

  4. Microservices respond to the request.

Authorization and API access control flow (illustrated with red numbered callouts in the diagram):

  1. The PEP calls the authorization service and passes request data, including any JWTs.

  2. The authorization service (PDP), in this case Verified Permissions, uses the request data as query input and evaluates it based on the relevant policies specified by the query.

  3. The authorization decision is returned to the PEP and evaluated.

This model uses a centralized PDP to make authorization decisions. PEPs are implemented at different points to make authorization requests to the PDP. The following diagram shows how you can implement this model in a hypothetical multi-tenant SaaS application.

In this architecture, PEPs request authorization decisions at the service endpoints for Amazon CloudFront and Amazon API Gateway and for each microservice. The authorization decision is made by the authorization service, Amazon Verified Permissions (the PDP). Because Verified Permissions is a fully managed service, you don't have to manage the underlying infrastructure. You can interact with Verified Permissions by using a RESTful API or the AWS SDK.

You can also use this architecture with custom policy engines. However, the capabilities that Verified Permissions provides out of the box must then be supplied by logic in the custom policy engine.

A centralized PDP with PEPs on APIs provides an easy option to create a robust authorization system for APIs. This simplifies the authorization process and also provides an easy-to-use, repeatable interface for making authorization decisions for APIs, microservices, Backend for Frontend (BFF) layers, or other application components.
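The following is an added example, not code from the AWS guidance, that shows the PEP side of the authorization flow above: an API Gateway custom authorizer forwards the caller's JWT and request data to Verified Permissions (the PDP) using the real boto3 parameter names for IsAuthorizedWithToken, then converts the decision into an authorizer response that fails closed. The policy store ID, the MyApp entity type names and the method-to-action mapping are assumptions, and a constructed fake client stands in for boto3.client("verifiedpermissions") so the code runs offline.

```python
# Assumed values (placeholders, not from the AWS page): the policy store ID and Cedar entity type names.
POLICY_STORE_ID = "PLACEHOLDER_POLICY_STORE_ID"
ACTION_TYPE = "MyApp::Action"
RESOURCE_TYPE = "MyApp::Order"

# Assumed mapping from HTTP method to a Cedar action id in the (hypothetical) MyApp schema.
METHOD_TO_ACTION = {"GET": "ViewOrder", "PUT": "UpdateOrder", "DELETE": "DeleteOrder"}


def build_pdp_request(method, resource_id, id_token):
    """Translate the inbound API request into IsAuthorizedWithToken parameters (real boto3 names)."""
    action_id = METHOD_TO_ACTION.get(method)
    if action_id is None:
        return None  # unknown method: nothing to ask the PDP, the caller denies
    return {
        "policyStoreId": POLICY_STORE_ID,
        "identityToken": id_token,  # the PEP forwards the caller's JWT; the PDP verifies it and uses its claims
        "action": {"actionType": ACTION_TYPE, "actionId": action_id},
        "resource": {"entityType": RESOURCE_TYPE, "entityId": resource_id},
    }


def authorize(pdp_client, method, resource_id, id_token, method_arn):
    """Return an API Gateway authorizer response; only an explicit, error-free ALLOW grants access."""
    effect = "Deny"
    request = build_pdp_request(method, resource_id, id_token)
    if request is not None:
        try:
            response = pdp_client.is_authorized_with_token(**request)
            if response.get("decision") == "ALLOW" and not response.get("errors"):
                effect = "Allow"
        except Exception:
            effect = "Deny"  # fail closed when the PDP is unreachable or rejects the token
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": "verified-permissions",
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}


class FakePdpClient:
    """Constructed stand-in for boto3.client("verifiedpermissions") so the example runs offline."""
    def is_authorized_with_token(self, **request):
        allowed = (request["action"]["actionId"] == "ViewOrder"
                   and request["resource"]["entityId"] == "order-123")
        return {"decision": "ALLOW" if allowed else "DENY", "determiningPolicies": [], "errors": []}


if __name__ == "__main__":
    arn = "arn:aws:execute-api:REGION:ACCOUNT:API/stage/GET/orders/order-123"  # constructed
    print(authorize(FakePdpClient(), "GET", "order-123", "<caller JWT>", arn))
```

In a deployed authorizer, replace FakePdpClient with the real boto3 client; the same deny-by-default handling applies to each microservice PEP, which would call the PDP with its own action and resource identifiers.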

Using the Cedar SDK

Amazon Verified Permissions uses the Cedar language to manage fine-grained permissions in your custom applications. With Verified Permissions, you can store Cedar policies in a central location, take advantage of low latency with millisecond processing, and audit permissions across different applications. You can also optionally integrate the Cedar SDK directly into your application to provide authorization decisions without using Verified Permissions. This option requires additional custom application development to manage and store policies for your use case. However, it can be a viable alternative, particularly in cases where access to Verified Permissions is intermittent or not possible because of inconsistent internet connectivity.