
SYSTEM Cited by 2 sources

# Cedar (policy language)

## What it is

Cedar is AWS's open-source policy language for fine-grained authorization, designed from the start to be analyzable — the language constrains itself so that policies admit formal reasoning (reachability, overlap, equivalence, redundancy). Released 2023.

Cedar is the public extraction of a decade of internal AWS work on policy semantics — see systems/aws-policy-interpreter.

## Language shape

Cedar policies are declarative rules of the form:

```cedar
permit (principal, action, resource)
when   { <condition on attributes> };

forbid (principal, action, resource)
unless { <condition> };
```

Policies are combined with a schema that declares entity types (principal types, resource types), actions, and the valid principal-action-resource combinations, plus the attributes on each entity.

## Example (from Convera)

```cedar
// Role-gated UI action
permit (
    principal,
    action in [MyApp::Action::"ViewTransferButton"],
    resource
) when {
    principal.role == "PAYMENT_INITIATOR" &&
    resource.accountType == "BUSINESS" &&
    resource.status == "ACTIVE"
};

// Group-membership principal scope
permit (
    principal in
        convera_connect_authz::userGroup::"ConveraConnect-PAYEE_MGMT",
    action in [convera_connect_authz::Action::"PUT /customer/user/{id}"],
    resource
);

// Role-substring + path attribute-based condition
permit (
    principal,
    action in [convera_connect_authz::Action::"EDIT"],
    resource
)
when {
    principal.role.contains("UPDATE_USER_STATUS") &&
    resource.type == "PUT" &&
    resource.path == "/customers/user"
};
```

Shows Cedar's native idioms: `action in [...]` sets, `principal in` hierarchy membership, attribute comparisons (`==`, `contains`), optional `when` / `unless` clauses.

## Why it's analyzable

Cedar deliberately avoids Turing-complete features — no unbounded loops, no recursion, no arbitrary computation. This makes policy sets tractable to SMT-based analysis: tools can prove whether two policy sets are equivalent, whether a policy is reachable under any input, whether a change introduces new permissions, etc.

This is the same [concepts/specification-driven-development](<../concepts/specification-driven-development.md>) premise as formal-methods spec languages — authorship surface chosen for what can be proved over it.

## Authorization model flexibility

Cedar supports combining **RBAC** (`principal in`) + **ABAC** (`when { principal.department == resource.owner }`) + **ReBAC** (relationship via group hierarchies / resource parents) in one policy set. Cedar doesn't choose a model for you; the schema + policies encode whichever mix you want. See [concepts/attribute-based-access-control](<../concepts/attribute-based-access-control.md>).

## Productization

Cedar is the policy language inside:

- **[Amazon Verified Permissions](<./amazon-verified-permissions.md>)** — managed Cedar engine for application authorization.
- (Historically) policy-analysis features of [IAM](<./aws-iam.md>) via Zelkova and IAM Access Analyzer — the internal policy-interpreter lineage Cedar emerged from.

## Caveats

- Cedar is a language, not a runtime — you need a host engine (AVP, self-hosted Cedar-rs / Cedar-java, etc.) to evaluate policies.
- Policy analyzers exist but their use is not uniformly wired into every Cedar deployment; analyzability is a *property* of the language, realized by specific tools.
- The Convera source uses Cedar but does not invoke policy-analysis tooling explicitly; the primary use in that post is runtime evaluation via AVP.
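
As an added illustration (not code from Cedar, AWS or Convera) of the "does a change introduce new permissions" question raised under "Why it's analyzable": the Python below models the first Convera policy and a hypothetical edit as loop-free predicates and compares them by exhaustive enumeration, a stand-in for the symbolic SMT reasoning real analyzers use. The attribute domains, the edited policy set and all function names are assumptions made for the example.

```python
from itertools import product

# Constructed finite attribute domains (an assumption; a real schema declares the types).
DOMAIN = {
    "role": ["PAYMENT_INITIATOR", "VIEWER"],
    "accountType": ["BUSINESS", "PERSONAL"],
    "status": ["ACTIVE", "SUSPENDED"],
}

# A policy is (effect, predicate). Predicates are loop-free boolean expressions,
# mirroring the restricted shape of a Cedar `when` condition.
OLD = [  # models the page's role-gated ViewTransferButton policy
    ("permit", lambda r: r["role"] == "PAYMENT_INITIATOR"
                         and r["accountType"] == "BUSINESS"
                         and r["status"] == "ACTIVE"),
]
NEW = [  # hypothetical edit: looser permit, plus `forbid ... unless status == "ACTIVE"`
    ("permit", lambda r: r["role"] == "PAYMENT_INITIATOR"),
    ("forbid", lambda r: not (r["status"] == "ACTIVE")),
]

def decide(policies, request):
    """Cedar's decision rule: allow iff some permit matches and no forbid matches."""
    permitted = any(p(request) for effect, p in policies if effect == "permit")
    forbidden = any(p(request) for effect, p in policies if effect == "forbid")
    return permitted and not forbidden

def all_requests(domain):
    """Yield every attribute combination in the finite domain."""
    keys = sorted(domain)
    for values in product(*(domain[k] for k in keys)):
        yield dict(zip(keys, values))

def permission_diff(old, new, domain):
    """Return (newly_allowed, newly_denied) requests when moving from old to new."""
    added, removed = [], []
    for req in all_requests(domain):
        before, after = decide(old, req), decide(new, req)
        if after and not before:
            added.append(req)
        elif before and not after:
            removed.append(req)
    return added, removed

if __name__ == "__main__":
    added, removed = permission_diff(OLD, NEW, DOMAIN)
    print("newly allowed:", added)   # the edit widens access to PERSONAL accounts
    print("newly denied:", removed)  # empty: nothing was taken away
```

Two policy sets are equivalent over the domain exactly when both returned lists are empty.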

## Seen in

- [sources/2026-02-05-aws-convera-verified-permissions-fine-grained-authorization](<../sources/2026-02-05-aws-convera-verified-permissions-fine-grained-authorization.md>) — Cedar as the policy surface across Convera's four authorization flows; three illustrative policy snippets shown.

## Related

- [systems/amazon-verified-permissions](<./amazon-verified-permissions.md>) — managed Cedar engine.
- [systems/aws-policy-interpreter](<./aws-policy-interpreter.md>) — the decade-of-proof AWS lineage; Cedar is the public extraction.
- [concepts/fine-grained-authorization](<../concepts/fine-grained-authorization.md>), [concepts/attribute-based-access-control](<../concepts/attribute-based-access-control.md>), [concepts/policy-as-data](<../concepts/policy-as-data.md>).
- [concepts/specification-driven-development](<../concepts/specification-driven-development.md>), [concepts/automated-reasoning](<../concepts/automated-reasoning.md>) — methodological context.