Policy statement structure

This section describes the AWS Verified Access policy statement and how it is evaluated. You can have multiple statements in a single Verified Access policy. The following diagram shows the structure of a Verified Access policy.

The policy contains the following parts:

Effect – Specifies whether the policy statement is permit (Allow) or forbid (Deny).
Scope – Specifies the principals, actions, and resources to which the effect applies. You can leave the scope in Cedar undefined by not identifying specific principals, actions, or resources (as shown in the preceding example). In this case, the policy applies to all possible principals, actions, and resources.
Condition clause – Specifies the context in which the effect applies.

Important

For Verified Access, policies are fully expressed by referring to trust context in the condition clause. The policy scope must always be kept undefined. You can then specify access using identity and device trust context in the condition clause.

Simple policy example


permit(principal,action,resource)
when{
 context.<policy-reference-name>.<attribute> &&
 context.<policy-reference-name>.<attribute2>
};

In the preceding example, note that you can use more than one condition clause in a policy statement using the && operator. The Cedar policy language gives you expressive power to create policy statements that are custom, fine-grained, and extensive. For additional examples, see Example policies.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Work with policies

Policy evaluation