
Cedar (AWS Policy Language)

Security

AWS policy language for fine-grained authorization, an alternative to Rego/OPA.

Cedar is AWS's open source policy language for fine-grained authorization, launched in 2023. It is designed to be easy to read and write, formally verifiable (mathematical guarantees), and fast to evaluate. It is used by the Amazon Verified Permissions AWS service and can also be adopted standalone.

Design principles:
(1) **Easy to read** — sentence-like, intuitive syntax.
(2) **Formal verification** — mathematical proofs that policies do what they say, no surprises.
(3) **Fast evaluation** — millions of evaluations per second per node.
(4) **Schema-based** — typed entities catch errors early.
(5) **Policy validation** — analysis for over-permissive policies or policies that can never allow anything.

Example Cedar policies:
```cedar
// A single user may view a single photo.
permit (
    principal == User::"alice",
    action == Action::"viewPhoto",
    resource == Photo::"vacation.jpg"
);

// Members of the admins group may perform any action on any resource.
permit (
    principal in Group::"admins",
    action,
    resource
);

// Anyone may view a document they own, provided the request carries MFA.
permit (
    principal,
    action == Action::"viewDocument",
    resource
) when {
    resource.owner == principal
    && context.mfa == true
};
```

Concepts:
(1) **Principals** — who (users, groups, services).
(2) **Actions** — what (read, write, delete).
(3) **Resources** — on what (documents, photos, accounts).
(4) **Context** — additional request information (time, IP, MFA status).
(5) **Policy effect** — permit or forbid.
(6) **Conditions** — `when` clauses.

Use cases:
(1) **Amazon Verified Permissions** — managed service for SaaS application authorization.
(2) **Standalone Cedar libraries** — Rust, Java, TypeScript, for embedding in applications.
(3) **Multi-tenant SaaS** — per-tenant policy isolation.
(4) **B2B applications** — sharing authorization decisions across organizations.
(5) **Microservices** — a central authorization service.

Vs OPA/Rego:
(1) **Cedar has a simpler syntax** — easier for non-experts to learn.
(2) **Cedar is formally verified** — Rego's more complex semantics are harder to analyze.
(3) **OPA is more flexible** — Rego is close to Turing-complete and can express more.
(4) **OPA has a broader ecosystem** — Kubernetes Gatekeeper, Conftest, mature tooling.
(5) **Cedar is AWS-backed** — strong tooling, formal verification research papers (PLDI 2023).

Integration pattern: the application sends an authorization request → the Cedar engine evaluates it → permit or forbid. Every decision is audit-logged. A schema defines the valid entity types, actions and resources upfront.
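To make the concepts above concrete (principals, actions, resources, context, effect, conditions) and the request → evaluate → permit/forbid → audit-log pattern, here is an added teaching model of Cedar's decision rule in Python. It is not the Cedar engine or any of the Cedar libraries; it encodes the three policies from the page plus one constructed `forbid` policy, and constructed entity data (users bob and carol, a document `q3-report`) to exercise the rules. It shows the two behaviours a practitioner most needs to know: any applicable `forbid` overrides every `permit` (default deny otherwise), and a condition that errors, such as reading a missing `context.mfa` attribute, makes that policy not apply rather than failing the request, which is why the forbid policy guards with `context has mfa`.

```python
"""Teaching model of Cedar's decision semantics (added example, not the Cedar
engine): default deny, any applicable forbid beats every permit, and a policy
whose `when` clause errors (e.g. missing context attribute) does not apply."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Entity = Tuple[str, str]  # (type, id): ("User", "alice") stands for User::"alice"


@dataclass(frozen=True)
class Policy:
    id: str
    effect: str                                    # "permit" or "forbid"
    principal: Optional[Entity] = None             # principal == X (None: any)
    principal_in: Optional[Entity] = None          # principal in Group::"..."
    action: Optional[Entity] = None                # action == X (None: any)
    resource: Optional[Entity] = None              # resource == X (None: any)
    when: Optional[Callable[["Request", "EntityStore"], bool]] = None  # when {...}


@dataclass
class Request:
    principal: Entity
    action: Entity
    resource: Entity
    context: Dict[str, object] = field(default_factory=dict)


@dataclass
class EntityStore:
    parents: Dict[Entity, List[Entity]]      # group membership edges
    attrs: Dict[Entity, Dict[str, object]]   # entity attributes (e.g. owner)

    def is_in(self, entity: Entity, ancestor: Entity) -> bool:
        """Cedar's `in`: reflexive and transitive over the parent hierarchy."""
        seen, stack = set(), [entity]
        while stack:
            e = stack.pop()
            if e == ancestor:
                return True
            if e in seen:
                continue
            seen.add(e)
            stack.extend(self.parents.get(e, []))
        return False


def policy_applies(p: Policy, req: Request, store: EntityStore) -> bool:
    """A policy applies when its scope matches and its `when` clause is true."""
    if p.principal is not None and req.principal != p.principal:
        return False
    if p.principal_in is not None and not store.is_in(req.principal, p.principal_in):
        return False
    if p.action is not None and req.action != p.action:
        return False
    if p.resource is not None and req.resource != p.resource:
        return False
    if p.when is None:
        return True
    try:
        return bool(p.when(req, store))
    except (KeyError, TypeError):
        return False  # evaluation error: Cedar treats the policy as not applying


def authorize(req: Request, policies: List[Policy], store: EntityStore,
              audit: List[dict]) -> Tuple[str, List[str]]:
    """Cedar decision rule: forbid beats permit; no applicable permit means Deny."""
    forbids = [p.id for p in policies if p.effect == "forbid" and policy_applies(p, req, store)]
    permits = [p.id for p in policies if p.effect == "permit" and policy_applies(p, req, store)]
    if forbids:
        decision, reasons = "Deny", forbids
    elif permits:
        decision, reasons = "Allow", permits
    else:
        decision, reasons = "Deny", []
    audit.append({"principal": req.principal, "action": req.action,        # audit every decision
                  "resource": req.resource, "decision": decision, "reasons": reasons})
    return decision, reasons


# The three policies from the page, plus one constructed forbid policy (policy3).
POLICIES = [
    Policy("policy0", "permit", principal=("User", "alice"),
           action=("Action", "viewPhoto"), resource=("Photo", "vacation.jpg")),
    Policy("policy1", "permit", principal_in=("Group", "admins")),
    Policy("policy2", "permit", action=("Action", "viewDocument"),
           when=lambda req, s: (s.attrs[req.resource]["owner"] == req.principal
                                and req.context["mfa"] is True)),
    # forbid (principal, action == Action::"deleteDocument", resource)
    # when { !(context has mfa) || context.mfa != true };
    Policy("policy3", "forbid", action=("Action", "deleteDocument"),
           when=lambda req, s: "mfa" not in req.context or req.context["mfa"] is not True),
]

# Constructed entity data: bob is an admin, carol owns the q3-report document.
STORE = EntityStore(parents={("User", "bob"): [("Group", "admins")]},
                    attrs={("Document", "q3-report"): {"owner": ("User", "carol")}})


def run_demo() -> List[dict]:
    """Evaluate constructed requests and return the audit log, one entry each."""
    audit: List[dict] = []
    doc = ("Document", "q3-report")
    for req in [
        Request(("User", "alice"), ("Action", "viewPhoto"), ("Photo", "vacation.jpg")),
        Request(("User", "alice"), ("Action", "viewPhoto"), ("Photo", "beach.jpg")),
        Request(("User", "carol"), ("Action", "viewDocument"), doc, {"mfa": True}),
        Request(("User", "carol"), ("Action", "viewDocument"), doc),  # no mfa attribute
        Request(("User", "bob"), ("Action", "deleteDocument"), doc, {"mfa": False}),
        Request(("User", "bob"), ("Action", "deleteDocument"), doc, {"mfa": True}),
    ]:
        authorize(req, POLICIES, STORE, audit)
    return audit


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The six requests produce Allow (policy0), Deny (no policy), Allow (policy2), Deny (policy2 errors on the missing `mfa` attribute, so nothing permits), Deny (policy3 forbids even though policy1 permits the admin), Allow (policy1). Real deployments should hand this logic to the Cedar libraries the page lists, which add schema validation on top of the same decision rule.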

Adoption: early days (launched 2023), growing. OPA is still dominant for Kubernetes; Cedar is gaining traction in SaaS apps and AWS-centric environments. Skills: SC-300, AZ-500, SAA-C03.

Certifications covering this concept
SC-300 AZ-500 SAA-C03
Related terms
OPA (Open Policy Agent) ABAC (Attribute-Based Access Control) RBAC (Role-Based Access Control) IAM (Identity and Access Management)
