This demo was created for AWS Student Community Day Peru by Gerardo Castro, AWS Security Hero

What is this demo?

This is a hands-on demonstration of AWS Verified Permissions (AVP), a managed service that provides centralized, fine-grained authorization for your applications. The demo shows how to implement Zero Trust access control with the Cedar policy language, without requiring VPNs or complex infrastructure.

Zero Trust by default

All access is denied unless explicitly permitted by a Cedar policy. No implicit trust, no backdoors.

Real-time policy updates

Change authorization rules instantly without redeploying code or restarting services.

Attribute-based access control

Make decisions based on user attributes (department, clearance level) and resource properties (classification, owner).

AI-powered permissions

Includes an AI agent that queries AVP using natural language, demonstrating agentic authorization workflows.

Architecture overview

The demo uses a serverless architecture built with AWS SAM (Serverless Application Model). Requests flow top to bottom:

Browser (Frontend)
        ↓
API Gateway
        ↓
Lambda Functions:
  • /check-access → Calls AVP IsAuthorized API
  • /users        → Returns demo users and resources
  • /agent        → AI agent with Anthropic Claude
        ↓
AWS Verified Permissions
        ↓
Cedar Policies → ALLOW or DENY

Key components

Lambda Functions:
  • app.py - Verifies access requests using AVP’s IsAuthorized API
  • users.py - Helper function that returns demo users and resources for the UI
  • agent.py - AI agent that acts as a secure proxy to Anthropic’s API, with AVP tool integration

Frontend:
  • index.html - Main interactive lab for testing AVP policies
  • avp-agent.html - AI agent interface with natural language queries

What you’ll learn

Through this demo, you’ll understand:
  1. Zero Trust principles - How AVP enforces deny-by-default authorization
  2. Cedar policy language - Write human-readable policies that control access
  3. RBAC (Role-Based Access Control) - Use roles like Analyst, Admin, and Auditor
  4. ABAC (Attribute-Based Access Control) - Make decisions based on context like department matching
  5. Policy precedence - How forbid always wins over permit
  6. Agentic AI with authorization - How AI agents can securely query permission systems

Demo scenario

The demo simulates a financial application with three users:
  • Alice Garcia - Analyst in Finance department (clearance level 2)
  • Bob Torres - Admin in Finance department (clearance level 3)
  • Carol Mendez - Auditor in HR department (clearance level 1)
These users attempt to perform actions (Read, Edit, Delete) on three documents:
  • Q4-Report-2024 - Confidential Finance document
  • HR-Payroll-2024 - Restricted HR document
  • Sales-Dashboard - Internal Sales document
You’ll create Cedar policies that control who can access what, based on roles, departments, and clearance levels.
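As an added example (not the demo's own policy files), the Cedar policies below implement the scenario above: role-based permits for Admin, Analyst and Auditor, a department-matching condition, and a clearance check expressed as a forbid so that it overrides every permit. The entity type names (Role, Action, Document), the attribute names (department, clearance, requiredClearance) and the numeric classification mapping are assumptions, not values taken from the demo.

```cedar
// RBAC: Admins (Bob) may perform any action on any document.
permit (
  principal in Role::"Admin",
  action,
  resource is Document
);

// RBAC + ABAC: Analysts (Alice) may read and edit documents,
// but only documents in their own department.
permit (
  principal in Role::"Analyst",
  action in [Action::"Read", Action::"Edit"],
  resource is Document
)
when { principal.department == resource.department };

// RBAC: Auditors (Carol) may read documents in any department.
permit (
  principal in Role::"Auditor",
  action == Action::"Read",
  resource is Document
);

// ABAC guard. Assumed mapping of classification to requiredClearance:
// Internal = 1, Confidential = 2, Restricted = 3.
// A matching forbid overrides any permit, so Carol (clearance 1) is
// denied HR-Payroll-2024 (Restricted = 3) even though she is an Auditor,
// while Alice (clearance 2) may read Q4-Report-2024 (Confidential = 2).
// The `has` checks keep the policy from erroring on entities that lack
// the attribute; a missing attribute then simply does not trigger the forbid.
forbid (
  principal,
  action,
  resource is Document
)
when {
  principal has clearance &&
  resource has requiredClearance &&
  principal.clearance < resource.requiredClearance
};
```

AVP reads the principal and resource attributes, and the user's Role parent, from the entities passed with each IsAuthorized call, so the /check-access Lambda must include them in the request for these conditions to evaluate.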

Cost considerations

The AI agent feature requires an Anthropic API key and will incur costs. The main AVP lab is essentially free within AWS Free Tier limits.
Component                  Cost                                   Required for
AWS Lambda                 Free (Free Tier: 1M requests/month)    All features
API Gateway                Free (Free Tier: 1M calls/month)       All features
AWS Verified Permissions   ~$0.00015 per 1,000 requests           All features
Anthropic API              ~$0.25 per 1M tokens (Haiku)           AI agent only
Main lab                   ≈ $0.00                                index.html
With AI agent              $0.01 - 0.05 per session               avp-agent.html

You can skip the AI agent portion by entering placeholder as your Anthropic API key during deployment; the main AVP demo works without it.

Next steps

Check prerequisites

Ensure you have the required tools installed

Start the quickstart

Deploy the demo in under 15 minutes
