Verified Access is in preview release and is subject to change.
Verified Access default context
AWS Verified Access includes some elements about the current HTTP request by default in all Cedar evaluations, regardless of your configured trust providers. When a policy is evaluated, Verified Access includes data about the current HTTP request in the Cedar context under the context.http_request key. You can write a policy that evaluates against this data if you choose. The following JSON schema
{
    "title": "HTTP Request data included by Verified Access",
    "type": "object",
    "properties": {
        "user_agent": {
            "type": "string",
            "description": "The value of the User-Agent request header"
        },
        "x_forwarded_for": {
            "type": "string",
            "description": "The value of the X-Forwarded-For request header"
        },
        "http_method": {
            "type": "string",
            "description": "The HTTP Method provided (e.g. GET or POST)"
        },
        "hostname": {
            "type": "string",
            "description": "The value of the Host request header"
        }
    }
}
The following is an example of a policy that evaluates against the HTTP request data.
forbid(principal, action, resource) when {
    context.http_request.http_method == "POST"
    && !(context.identity.roles.contains("Administrator"))
};
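To see how the default http_request context and the forbid policy above interact with a decision, here is an added example in Python (not AWS or Cedar code; a deliberately simplified model of Cedar's decision rule). It builds a context shaped like the schema above, checks it against that schema, transcribes the page's forbid policy as a predicate, and pairs it with a hypothetical permit policy for the hostname app.example.com, an assumption made here because Verified Access only allows a request when some permit matches and no forbid does. The context.identity.roles attribute is taken from the page's example policy; its exact shape in a real deployment depends on the configured trust provider.

```python
"""Simplified model of a Verified Access Cedar decision over the default
HTTP request context. Added illustration, not the Cedar engine or AWS code."""

# Property names and types transcribed from the page's JSON schema.
HTTP_REQUEST_SCHEMA = {
    "user_agent": str,
    "x_forwarded_for": str,
    "http_method": str,
    "hostname": str,
}


def validate_http_request(http_request):
    """Return a list of schema problems; empty when the object conforms."""
    problems = []
    for key, value in http_request.items():
        expected = HTTP_REQUEST_SCHEMA.get(key)
        if expected is None:
            problems.append("unexpected property %r" % key)
        elif not isinstance(value, expected):
            problems.append("%s must be %s" % (key, expected.__name__))
    return problems


def build_context(method, hostname, user_agent, xff, roles):
    """Assemble the evaluation context: request data under http_request,
    identity data (assumed shape, from the page's example policy) beside it."""
    return {
        "http_request": {
            "http_method": method,
            "hostname": hostname,
            "user_agent": user_agent,
            "x_forwarded_for": xff,
        },
        "identity": {"roles": set(roles)},
    }


def forbid_non_admin_post(ctx):
    """The page's forbid policy: block POST unless the caller is an Administrator."""
    return (ctx["http_request"]["http_method"] == "POST"
            and "Administrator" not in ctx["identity"]["roles"])


def permit_app_host(ctx):
    """Hypothetical permit policy (assumption): allow requests whose Host
    header names the protected application."""
    return ctx["http_request"]["hostname"] == "app.example.com"


POLICIES = [("forbid", forbid_non_admin_post), ("permit", permit_app_host)]


def decide(policies, ctx):
    """Simplified Cedar rule: a matching forbid always wins; otherwise at
    least one matching permit is needed for ALLOW, else the default is DENY."""
    effects = {effect for effect, predicate in policies if predicate(ctx)}
    if "forbid" in effects:
        return "DENY"
    return "ALLOW" if "permit" in effects else "DENY"


def run_samples():
    """Constructed sample requests (not captured traffic) and their decisions."""
    ua, xff = "curl/8.0", "203.0.113.7"
    samples = {
        "dev_post": build_context("POST", "app.example.com", ua, xff, ["Developer"]),
        "admin_post": build_context("POST", "app.example.com", ua, xff, ["Administrator"]),
        "dev_get": build_context("GET", "app.example.com", ua, xff, ["Developer"]),
        "dev_get_other_host": build_context("GET", "other.example.com", ua, xff, ["Developer"]),
    }
    return {name: decide(POLICIES, ctx) for name, ctx in samples.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The dev_get_other_host case is the one practitioners most often miss: the forbid policy never fires, yet the request is still denied because no permit matched. Conversely, a forbid based on http_method is only as reliable as the method the proxy actually observed, so pair it with a permit that is scoped as tightly as your trust provider data allows.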