Skip to main content
This section walks you through deploying the AVP demo application to AWS. The deployment process involves creating a policy store in AWS Verified Permissions, deploying the backend infrastructure with SAM, and configuring the frontend.

Deployment Architecture

The demo application consists of three main components:
  • AWS Verified Permissions Policy Store: Central authorization engine with Cedar policies
  • Backend (SAM): API Gateway + Lambda functions for access checks and AI agent
  • Frontend: Static HTML files served locally that call the backend APIs
Browser (localhost:8000)

API Gateway (/prod)

Lambda Functions

AWS Verified Permissions

ALLOW / DENY

Prerequisites

Before you begin, ensure you have the following installed and configured:
1

Install AWS CLI v2+

aws --version
If not installed, follow the AWS CLI installation guide.
2

Install SAM CLI v1.130+

sam --version
Install via Homebrew:
brew install aws-sam-cli
Or follow the SAM CLI installation guide.
3

Install Python 3.11+

python3 --version
4

Configure AWS credentials

Verify your AWS CLI is authenticated:
aws sts get-caller-identity
You should see your account ID, user ARN, and user ID.

Cost Considerations

The Anthropic API has usage-based costs. For the AI agent feature, you need an account at console.anthropic.com with credits loaded (minimum $5).
Expected costs for the demo:
ComponentCostRequired For
AWS LambdaFree (Free Tier: 1M requests/month)All features
API GatewayFree (Free Tier: 1M calls/month)All features
AWS Verified Permissions~$0.00015 per 1,000 requestsAll features
Anthropic API~$0.25 per 1M tokens (Haiku)AI agent only
Main lab≈ $0.00index.html
Full lab with AI agent0.010.01 - 0.05 per sessionavp-agent.html
If you only want the main AVP lab without the AI agent, you can use placeholder for the AnthropicApiKey parameter. The index.html interface does not use the AI features.

Deployment Steps

The deployment process follows these steps:
1

Create Policy Store

Set up an empty policy store in AWS Verified Permissions with the schema that defines users, documents, and actions.Continue to Policy Store Setup →
2

Deploy with SAM

Use AWS SAM to build and deploy the Lambda functions and API Gateway.Continue to SAM Deployment →
3

Configure Frontend

Update the frontend HTML files with your API Gateway URL.Continue to Frontend Configuration →

What Gets Deployed

AWS Resources

  • API Gateway: REST API with CORS enabled for local development
  • 3 Lambda Functions:
    • avp-check-access: Verifies access using AVP’s IsAuthorized API
    • avp-get-users: Returns demo users and resources for the UI
    • avp-agent: AI agent that queries AVP via Anthropic’s Claude
  • IAM Roles: Automatically created with permissions for verifiedpermissions:IsAuthorized

Policy Store Components

  • Schema: Defines User, Document, and Role entity types with attributes
  • Policies: You’ll add Cedar policies interactively during the demo
  • No data stored: The policy store only contains policies, not actual user/document data

Region Selection

AWS Verified Permissions is not available in all regions. Recommended regions:
  • us-west-2 (Oregon)
  • us-east-1 (N. Virginia)
  • eu-west-1 (Ireland)
Verify AVP availability in your region on the AWS Regional Services page.

Next Steps

Ready to deploy? Start with creating the policy store:

Create Policy Store

Set up AWS Verified Permissions with the FinancialApp schema

Build docs developers (and LLMs) love

Get started for freeTalk to us