Verified Access policy logic short-circuiting - AWS Verified Access

Verified Access policy logic short-circuiting

You might want to write an AWS Verified Access policy that evaluates data that may or may not be present in a given context. If you reference data that does not exist in the context, Cedar produces an error and evaluates the policy to deny access, regardless of your intent. For example, the following policy results in a deny, because fake_provider and bogus_key do not exist in this context.

permit(principal, action, resource) when { context.fake_provider.bogus_key > 42 };

To avoid this situation, you can check whether a key is present by using the has operator. If the has operator returns false, further evaluation of the chained expression halts, so Cedar does not produce an error by attempting to reference an item that does not exist.

permit(principal, action, resource) when { context.identity.user has "some_key" && context.identity.user.some_key > 42 };

This is most useful in a policy that references two different trust providers, since data from only one of them may be present for a given request.

permit(principal, action, resource) when {
    // user is in an allowed group
    context.aws_idc.groups has "c242c5b0-6081-1845-6fa8-6e0d9513c107" &&
    (
        (
            // if CrowdStrike data is present,
            // permit if CrowdStrike's overall assessment is over 50
            context has "crowdstrike" &&
            context.crowdstrike.assessment.overall > 50
        ) ||
        (
            // if Jamf data is present,
            // permit if Jamf's risk score is acceptable
            context has "jamf" &&
            ["LOW", "NOT_APPLICABLE", "MEDIUM", "SECURE"].contains(context.jamf.risk)
        )
    )
};
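The following is an added Python model (not code from the AWS page or from Cedar) that evaluates the two-provider policy above against constructed contexts, so you can see why the has guards matter: it mirrors Cedar's rule that referencing a missing attribute is an evaluation error that denies, and that && and || stop evaluating as soon as the outcome is known. The attr, has and decide helpers and the sample contexts are assumptions made for this illustration.

```python
# Added example (not from the AWS page): a Python model of how Cedar evaluates
# the policy above. It mirrors two Cedar rules: referencing a missing attribute
# is an evaluation error (the policy denies), and && / || short-circuit.
ALLOWED_GROUP = "c242c5b0-6081-1845-6fa8-6e0d9513c107"  # group id from the page
JAMF_OK = {"LOW", "NOT_APPLICABLE", "MEDIUM", "SECURE"}

class CedarError(Exception):
    """A policy touched an attribute that is not present in the context."""

def attr(ctx, path):
    """Resolve a dotted path such as jamf.risk; a missing key raises CedarError."""
    cur = ctx
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            raise CedarError(f"{path}: {key!r} does not exist")
        cur = cur[key]
    return cur

def has(ctx, path):
    """Cedar's `has` operator: True if the attribute exists, never raises."""
    try:
        attr(ctx, path)
        return True
    except CedarError:
        return False

def policy_guarded(ctx):
    """The two-provider policy from the page; `and` stops before attr() when has() is False."""
    return has(ctx, f"aws_idc.groups.{ALLOWED_GROUP}") and (
        (has(ctx, "crowdstrike") and attr(ctx, "crowdstrike.assessment.overall") > 50)
        or (has(ctx, "jamf") and attr(ctx, "jamf.risk") in JAMF_OK))

def policy_unguarded(ctx):
    """Same intent with the provider `has` checks removed: every provider is dereferenced."""
    return has(ctx, f"aws_idc.groups.{ALLOWED_GROUP}") and (
        attr(ctx, "crowdstrike.assessment.overall") > 50 or attr(ctx, "jamf.risk") in JAMF_OK)

def decide(policy, ctx):
    """Outcome of a single permit policy: only a true condition permits; an error denies."""
    try:
        return "permit" if policy(ctx) else "deny"
    except CedarError as err:
        return f"deny (error: {err})"

# Constructed contexts: a device reporting only Jamf data, and one with no device data.
# Groups are modelled as a record keyed by group id, matching the page's `groups has "..."`.
JAMF_ONLY = {"aws_idc": {"groups": {ALLOWED_GROUP: {}}}, "jamf": {"risk": "LOW"}}
NO_DEVICE = {"aws_idc": {"groups": {ALLOWED_GROUP: {}}}}
```

Running decide(policy_guarded, JAMF_ONLY) returns "permit", while decide(policy_unguarded, JAMF_ONLY) returns a deny caused by the error on the missing crowdstrike attribute, even though the Jamf data alone would have satisfied the intent.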