• Best Practices
  • IAM
  • cedar

Permit.io Cedar Implementation Q&A: Everything you need to know

AWS' new Cedar policy language is now open-source and live! See how you can make the best use of it with Permit.io

Daniel Bass

May 22 2023
Permit.io Cedar Implementation Q&A: Everything you need to know


We have been receiving lots of great responses and inquiries since the launch of our support for AWS Cedar. It's fantastic to see the excitement and curiosity surrounding this new integration. To address some of those questions, we've gathered a selection of the most frequently asked ones and are thrilled to provide detailed answers right here in this blog post. 

Let's dive in and explore the ins and outs of the Permit.io and AWS Cedar integration!

Q: What is AWS Cedar, and why is it significant?

A: AWS Cedar is an open-source project that introduces a Policy As Code (PAC) language and engine specifically designed for application-level authorization. It offers a tectonic shift in the IAM (Identity and Access Management) space by tackling the problem of managing in-app permissions, which has grown too big to ignore. With Cedar, organizations can author fine-grained access control policies, and apply them to enforcement (such as with the Permit SDK), thus ensuring that only authorized users and systems have access to the right resources.

Q: Why is having PAC important? What are the benefits of that? How does it improve the management of permissions?

A: Traditionally, organizations have relied on access control lists (ACLs) and role-based access control (RBAC) to manage permissions. However, as the number of resources and users grows, it becomes difficult to manage and scale these policies. Policy as code, a software development approach, allows developers to write policies as code that can be versioned, tested, and deployed like any other code. This approach brings scalability, flexibility, and auditability to the management of permissions. Learn more about the advantages of PAC here

Q: How does the integration between Permit.io and AWS Cedar work?

A: The integration between Permit.io and AWS Cedar comprises three new exciting features:

  • Permit is among the first to provide access to Cedar via its SaaS. This allows organizations to leverage the power of Cedar's policy engine within the Permit.io no-code permission management platform. It provides a seamless experience for managing and enforcing fine-grained access control using Cedar policies while benefiting from Permit.io's features (More on that below) and control plane.

  • Our new open-source project, Cedar-Agent, provides Cedar as a standalone agent you can deploy alongside your services.

  • Our open-source project OPAL now offers Cedar support (in addition to Open Policy Agent), expanding its ability to support more and more use cases, enabling Cedar Agents to be loaded with the policy and data they need in real-time.

Q: How does Permit.io simplify the adoption of AWS Cedar?

A: Permit.io simplifies the adoption of AWS Cedar by providing a low-code/no-code policy editor that generates Cedar code. This allows developers, and even non-technical stakeholders, to quickly get started with Cedar without needing to learn the intricacies of the language. It streamlines the initial adoption process and accelerates the implementation of Cedar-based access control. 

Q: What features does Permit.io provide on top of Cedar?

A: Permit.IO's integration of Cedar's policy engine offers several features that enhance its functionality. It can run on top of Amazon Verified Permissions (AVP) or Cedar-Agent, providing a control plane and interfaces for easier policy management. Notable features include:

  • A policy editor that generates code and pushes it to Git

  • SDKs for creating enforcement points in code and across the stack 

  • An API for managing objects like roles, resources, actions, tenants, projects, and environments, authorization for authorization to control permissions changes. 

  • Embeddable UI components via Permit Elements

  • Multi-tenancy support

  • Audit logs

  • Live data and policy updates via OPAL

  • And much more.

Q: Is the SaaS implementation of Cedar by Permit available to everyone?

A: Cedar with Permit.io is available for early access via sign-up here  

Q: What is Cedar-Agent?

A: Cedar-Agent is an open-source project developed by Permit.io that enables the deployment and execution of AWS Cedar as a standalone agent. Similar to how you would use OPA (Open Policy Agent), Cedar-Agent allows you to run Cedar independently and leverage its powerful authorization capabilities. With Cedar-Agent, you have the flexibility to manage and enforce policies using the Cedar language in various environments.

Q: What is OPAL? How does it help enhance Cedar?

A: OPAL (Open Policy Administration Layer) is an open-source project created by Permit.io. OPAL plays a crucial role in enhancing your policy engine of choice (be it Cedar or OPA) by providing it with real-time policy and data updates, ensuring your agents are equipped with the necessary policies and data for consistent and reliable enforcement. By expanding the OPAL ecosystem, the project fosters collaboration, establishes standards, and promotes best practices in policy management.

Q: What is the difference between Cedar and OPA? 

A: Cedar and OPA (Open Policy Agent) are both powerful policy-as-code languages and engines, but they have distinct characteristics and areas of focus. Cedar, developed by AWS, is specifically designed for application-level authorization. On the other hand, OPA, a CNCF project, is widely used for infrastructure-level access control and admission control in Kubernetes. To delve deeper into the differences between Cedar and OPA, check out this blog.

Q: Can the Cedar agent be self-hosted on Kubernetes and later moved to the cloud version?

A: Yes, the Cedar agent can be self-hosted on Kubernetes. Running the agent locally (known as the PDP or Policy Decision Point) is the default option for production when using OPA or Cedar agent. It provides flexibility and control during development and testing. However, the agent can also be hosted in the cloud. While hosting the agent in the cloud is possible, it is recommended to work with it locally and manage it in the cloud for better control and performance.

Q: How does Permit.IO's implementation of Cedar compare to Amazon Verified Permissions Service?

A: Permit.io (with Cedar) runs on top of Amazon Verified Permissions (AVP) or Cedar-Agent. It adds a control plane and interfaces on top, such as the policy editor that generates Cedar (or Rego) code for easier policy management.

The integration between Permit.io and AWS Cedar brings together the power of fine-grained authorization and a comprehensive control plane, enabling developers and organizations to manage permissions and access control in the cloud-native world effectively. By leveraging policy as code and the capabilities of Cedar-Agent and OPAL, teams can easily decouple policy from code, achieve greater flexibility, and enhance auditability. 

Got more questions? 

Join our community to explore more about Permit.io's integration with Cedar, ask questions, and get support for your authorization needs! 

Daniel Bass

Developer Community Manager at Permit.io

decorative background