Verified Access policy statement structure
This section describes the structure of an AWS Verified Access policy statement and how it is evaluated. A single Verified Access policy can contain multiple statements. The following diagram shows the structure of a Verified Access policy.
The policy contains the following parts:
- Effect – Specifies whether the policy statement is permit (Allow) or forbid (Deny).
- Scope – Specifies the principals, actions, and resources to which the effect applies. You can leave the scope in Cedar undefined by not identifying specific principals, actions, or resources (as shown in the following example). In this case, the policy applies to all possible principals, actions, and resources.
- Condition clause – Specifies the context in which the effect applies.
Important
For Verified Access, policies are fully expressed by referring to trust data in the condition clause. The policy scope must always be kept undefined. You can then specify access using identity and device trust context in the condition clause.
Simple policy example
    permit(principal, action, resource)
    when {
        context.<policy-reference-name>.<attribute> &&
        context.<policy-reference-name>.<attribute2>
    };
In the preceding example, note that you can combine more than one condition in a single when clause by joining them with the && operator. Each <policy-reference-name> is the policy reference name you assigned to a trust provider when you attached it to the Verified Access instance, and each <attribute> is a field of the trust data that provider supplies. The Cedar policy language gives you the expressive power to create policy statements that are custom, fine-grained, and extensive. For additional examples, see Verified Access example policies.
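The following is an added example, not a policy from this page or from the AWS documentation, that shows how the pieces above fit together in one policy with two statements. The policy reference names idc (an IAM Identity Center trust provider) and jamf (a Jamf device trust provider) and the attribute names under them are assumptions chosen for illustration; substitute the reference names you assigned to your own trust providers and the attributes they actually emit. It also shows two things a practitioner wants in every Verified Access policy: every attribute is guarded with has, because referencing a missing attribute is a Cedar evaluation error and a permit statement that errors does not grant access, and a forbid statement is used for the hard deny, because Cedar always lets forbid override permit.

```cedar
// Added example, not taken from the AWS page. Policy reference names "idc" and
// "jamf" and the attribute names beneath them are assumptions for illustration.

// Statement 1: allow corporate users on a device that Jamf rates as low risk.
// The scope (principal, action, resource) is left undefined, as Verified Access requires.
permit(principal, action, resource)
when {
    // Guard each attribute with `has`: a missing attribute is an evaluation error,
    // and a permit that errors is treated as not satisfied (access denied).
    context.idc has user &&
    context.idc.user has email &&
    context.idc.user.email.address like "*@example.com" &&
    context.jamf has risk &&
    (context.jamf.risk == "LOW" || context.jamf.risk == "SECURE")
};

// Statement 2: deny any request from a device Jamf rates as high risk.
// In Cedar a satisfied forbid always wins over any satisfied permit, so this
// blocks access even if the user passes the identity checks in statement 1.
forbid(principal, action, resource)
when {
    context.jamf has risk &&
    context.jamf.risk == "HIGH"
};
```

With these two statements, a request is allowed only when statement 1 is satisfied and statement 2 is not; a request that matches neither statement is denied, because Cedar's default decision is deny.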