This pattern deploys a Lambda function that authorizes requests using Amazon Verified Permissions with Cedar policies for fine-grained access control.
Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/lambda-verified-permissions-cdk
Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the AWS Pricing page for details.
- AWS CLI installed and configured
- Node.js 22+ installed
- AWS CDK v2 installed
┌──────────┐ ┌──────────────────┐ ┌─────────────────────────┐
│ Client │────▶│ AWS Lambda │────▶│ Amazon Verified │
│ │ │ (Authorizer) │ │ Permissions │
└──────────┘ └──────────────────┘ │ (Cedar Policy Store) │
└─────────────────────────┘
- Lambda receives an authorization request with user identity, action, and resource.
- Lambda calls the Verified Permissions
IsAuthorizedAPI with the request context. - Cedar policies evaluate the request and return ALLOW or DENY.
- The pattern includes two policies: admins can perform any action, readers can only read.
npm install
cdk deploypython3 -c "
import boto3, json
client = boto3.client('lambda')
# Admin can delete (ALLOW)
r = client.invoke(FunctionName='<FunctionName>', Payload=json.dumps({'body': json.dumps({'userId':'alice','role':'admin','action':'Delete','resourceId':'doc-1','classification':'confidential'})}))
print('Admin Delete:', json.loads(json.loads(r['Payload'].read())['body'])['decision'])
# Reader cannot delete (DENY)
r = client.invoke(FunctionName='<FunctionName>', Payload=json.dumps({'body': json.dumps({'userId':'bob','role':'reader','action':'Delete','resourceId':'doc-2','classification':'public'})}))
print('Reader Delete:', json.loads(json.loads(r['Payload'].read())['body'])['decision'])
"cdk destroy