Cedar Policy Language Overview
Cedar is a policy language developed by AWS for defining fine-grained permissions. It’s used by AWS Verified Permissions to implement authorization logic that’s separate from your application code.What is Cedar?
Cedar is a declarative, human-readable policy language that lets you define authorization rules using a simple syntax. Policies in Cedar are evaluated to determine whether a principal (user) can perform an action on a resource.Key Features
- Human-readable syntax - Policies are easy to read and understand
- Strongly typed - Schema validation ensures policy correctness
- Composable - Multiple policies can work together
- Analysis tools - Built-in validation and testing capabilities
- Open source - Available on GitHub
Basic Policy Structure
Every Cedar policy follows this basic structure:Components
Effect
Either
permit or forbid - determines whether the policy allows or denies accessPrincipal
The entity performing the action (e.g., a User)
Action
The operation being performed (e.g., Read, Edit, Delete)
Resource
The entity being accessed (e.g., a Document)
Conditions
Optional conditions using
when or unless clausesYour First Cedar Policy
Here’s a simple policy that allows all Analysts to read documents:- Effect:
permit(allow access) - Principal: Any user who is a member of the Analyst role
- Action: Must be the Read action
- Resource: Any resource (no restrictions)
Policy Effects: Permit vs Forbid
Cedar supports two policy effects:- permit
- forbid
permit policy explicitly allows access. Multiple permit policies can apply - if any permit policy matches and no forbid policy matches, access is granted.Conditions: When and Unless
You can add conditions to policies usingwhen and unless clauses:
When Clause
The policy applies only if the condition is true:Unless Clause
The policy applies only if the condition is false:Operators and Comparisons
Cedar supports various operators for building conditions:| Operator | Description | Example | ||||
|---|---|---|---|---|---|---|
== | Equality | principal.department == "Finance" | ||||
!= | Inequality | resource.status != "archived" | ||||
<, <=, >, >= | Comparison | principal.clearance_level >= 3 | ||||
in | Membership | principal in FinancialApp::Role::"Admin" | ||||
has | Attribute presence | principal has email | ||||
&& | Logical AND | condition1 && condition2 | ||||
| ` | ` | Logical OR | `condition1 | condition2` | ||
! | Logical NOT | !condition |
Decision Logic
AWS Verified Permissions evaluates all policies and makes a decision using this logic:Policy Sets
In a real application, you’ll have multiple policies working together:Best Practices
Start with deny by default
Start with deny by default
AWS Verified Permissions denies access by default. Only write permit policies for allowed actions. This follows the Zero Trust security model.
Use descriptive policy names
Use descriptive policy names
Name policies clearly:
AllowAnalystReadOwnDepartment is better than Policy1.Keep policies simple
Keep policies simple
Each policy should express one clear authorization rule. Complex logic should be split into multiple policies.
Use when clauses for ABAC
Use when clauses for ABAC
Leverage attribute-based access control with
when clauses to create dynamic, context-aware policies.Test your policies
Test your policies
Use the Cedar Playground or AVP console to test policies before deploying to production.
Next Steps
Schema Definition
Learn about the FinancialApp schema with entity types and actions
Policy Examples
See real-world Cedar policies from the demo scenarios
RBAC vs ABAC
Understand role-based and attribute-based access control patterns
Cedar Playground
Practice writing Cedar policies in your browser