Verified Access default context
AWS Verified Access includes some elements about the current HTTP request by default in all Cedar evaluations, regardless of your configured trust providers. When a policy is evaluated, Verified Access includes data about the current HTTP request in the Cedar context under the context.http_request key. You can write a policy that evaluates against this data if you choose. The following JSON schema:
{
    "title": "HTTP Request data included by Verified Access",
    "type": "object",
    "properties": {
        "user_agent": {
            "type": "string",
            "description": "The value of the User-Agent request header"
        },
        "x_forwarded_for": {
            "type": "string",
            "description": "The value of the X-Forwarded-For request header"
        },
        "http_method": {
            "type": "string",
            "description": "The HTTP Method provided (e.g. GET or POST)"
        },
        "hostname": {
            "type": "string",
            "description": "The value of the Host request header"
        },
        "port": {
            "type": "integer",
            "description": "The value of the verified access endpoint port"
        },
        "client_ip": {
            "type": "string",
            "description": "User ip connecting to the verified access endpoint"
        }
    }
}
The following is an example of a policy that evaluates against the HTTP request data.
forbid(principal, action, resource) when {
    context.http_request.http_method == "POST"
    && !(context.identity.roles.contains("Administrator"))
};
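The following is an added example, not code from the AWS documentation page, that models offline how the policy above is decided against a context shaped like the schema. It applies Cedar's decision rule (a matching forbid denies; otherwise a matching permit allows; otherwise the request is denied) so you can see that the forbid policy on its own never allows anything. The permit policy for the hostname app.example.com, the role name "Administrator", and the sample request values are all constructed assumptions for illustration.

```python
# Added example (not from the AWS page): an offline model of Cedar's decision rule applied
# to the Verified Access default http_request context. All sample values are constructed.

# Expected Python type for each property in the page's JSON schema.
HTTP_REQUEST_SCHEMA = {
    "user_agent": str,
    "x_forwarded_for": str,
    "http_method": str,
    "hostname": str,
    "port": int,
    "client_ip": str,
}


def validate_http_request(http_request):
    """Return a list of schema violations; an empty list means the object conforms."""
    problems = []
    for key, expected in HTTP_REQUEST_SCHEMA.items():
        if key not in http_request:
            problems.append(f"missing {key}")
        elif not isinstance(http_request[key], expected) or isinstance(http_request[key], bool):
            # bool is a subclass of int in Python, so reject it explicitly for "port".
            problems.append(f"{key} should be {expected.__name__}")
    for key in http_request:
        if key not in HTTP_REQUEST_SCHEMA:
            problems.append(f"unexpected key {key}")
    return problems


# Policies are modelled as (effect, predicate) pairs; the predicate plays the role of the
# Cedar "when" clause and receives the whole context object.
POLICIES = [
    # The forbid policy from the page: POST is denied unless the user holds Administrator.
    ("forbid", lambda ctx: ctx["http_request"]["http_method"] == "POST"
                           and "Administrator" not in ctx["identity"]["roles"]),
    # Assumed permit policy (hypothetical hostname) so some requests are allowed at all;
    # Cedar is default-deny, so a policy set with only forbids allows nothing.
    ("permit", lambda ctx: ctx["http_request"]["hostname"] == "app.example.com"),
]


def decide(context, policies=POLICIES):
    """Cedar decision rule: any matching forbid denies; else a matching permit allows; else deny."""
    matched = [effect for effect, when in policies if when(context)]
    if "forbid" in matched:
        return "deny"
    return "allow" if "permit" in matched else "deny"


def make_context(method, hostname, roles, client_ip="198.51.100.7"):
    """Build a context object in the shape Verified Access supplies (constructed values)."""
    return {
        "http_request": {
            "user_agent": "Mozilla/5.0 (constructed sample)",
            "x_forwarded_for": client_ip,
            "http_method": method,
            "hostname": hostname,
            "port": 443,
            "client_ip": client_ip,
        },
        # "identity" stands in for the trust-provider data the page's policy references.
        "identity": {"roles": list(roles)},
    }


if __name__ == "__main__":
    for method, host, roles in [
        ("GET", "app.example.com", ["Viewer"]),
        ("POST", "app.example.com", ["Viewer"]),
        ("POST", "app.example.com", ["Administrator"]),
        ("POST", "other.example.com", ["Administrator"]),
    ]:
        ctx = make_context(method, host, roles)
        assert not validate_http_request(ctx["http_request"])
        print(method, host, roles, "->", decide(ctx))
```

The last sample request shows the point worth remembering when writing Verified Access policies: a request that no forbid matches is still denied unless some permit policy matches it, so the forbid from the page has to be paired with at least one permit.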