Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Wer darf was? - Policy-as-Code mit der Cedar Op...

Dennis Kieselhorst
April 01, 2025
Technology
0
6

Wer darf was? - Policy-as-Code mit der Cedar Open Source Policy Language

Cedar ist eine Open Source Sprache für Richtlinien (Policies) und bietet auch eine zugehörige Evaluierungsengine. Cedar-Richtlinien können verwendet werden, um zu kontrollieren, was Benutzer in einer Anwendung tun und auf welche Ressourcen sie zugreifen dürfen. Entwicklern wird dadurch ermöglicht, detaillierte Berechtigungen leicht verständlich auszudrücken und die Zugriffskontrolle von der Anwendungslogik zu entkoppeln.

In diesem Vortrag wird die Sprache und der Policy-as-Code Ansatz an Beispielen demonstriert. Cedar wird primär in Rust entwickelt, stellt aber auch eine Java-Bibliothek zur Verfügung, die ich für die Code-Beispiele nutzen werde.

Dennis Kieselhorst

April 01, 2025
Tweet

More Decks by Dennis Kieselhorst

See All by Dennis Kieselhorst
Serverless Java with Spring (JFokus 2025)
deki
0
21
Java 8 auf >=17 Upgrade - Lessons Learned und Best Practices
deki
0
73
Modernize APIs to run serverless using Apache CXF
deki
0
70
Serverless Java with Spring
deki
1
280
Effectively Using Java on Serverless and Containers
deki
1
66
Elevating workflows with AWS Step Functions and generative AI
deki
0
78
From self-managed to fully-managed: Migrate your Spring Cloud microservices to AWS
deki
1
39
From Serverful to Serverless Java (JFokus 2024)
deki
1
120
Performance-Tweaks für Java-Serverless-Anwendungen (IT-Tage)
deki
0
59

Other Decks in Technology

See All in Technology
ソフトウェア開発におけるインターフェイスという考え方 / PHPerKaigi 2025
k1low
9
3.9k
ルートユーザーの活用と管理を徹底的に深掘る
yuobayashi
6
720
OPENLOGI Company Profile
hr01
0
61k
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
20k
移行できそうでやりきれなかった 10年超えのシステムを葬るための戦略 / phper-kaigi-2025-ryu
carta_engineering
0
690
頻繁リリース × 高品質 = 無理ゲー? いや、できます!/20250306 Shoki Hyo
shift_evolve
0
150
ペアプログラミングにQAが加わった!職能を超えたモブプログラミングの事例と学び
tonionagauzzi
1
140
パスキー導入の課題と ベストプラクティス、今後の展望
ritou
7
1.2k
DevOps文化を育むQA 〜カルチャーバブルを生み出す戦略〜 / 20250317 Atsushi Funahashi
shift_evolve
1
110
技術的負債を正しく理解し、正しく付き合う #phperkaigi / PHPerKaigi 2025
shogogg
7
1.8k
モジュラーモノリスでスケーラブルなシステムを作る - BASE のリアーキテクチャのいま
panda_program
7
2k
ソフトウェアプロジェクトの成功率が上がらない原因-「社会価値を考える」ということ-
ytanaka5569
0
130

Featured

See All Featured
Typedesign – Prime Four
hannesfritz
41
2.6k
The Pragmatic Product Professional
lauravandoore
33
6.5k
Fontdeck: Realign not Redesign
paulrobertlloyd
83
5.4k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
30
1.1k
Side Projects
sachag
452
42k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7.1k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
22
2.6k
Building Your Own Lightsaber
phodgson
104
6.3k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
The Language of Interfaces
destraynor
157
24k
The Invisible Side of Design
smashingmag
299
50k
Stop Working from a Prison Cell
hatefulcrawdad
268
20k

Transcript

  1. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 1 © 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark. Dennis Kieselhorst Principal Solutions Architect Wer darf was? Policy-as-Code mit der Cedar Open Source Policy Language 1

  2. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 2 Agenda What is application authorization? Why is it difficult? How AWS approached the problem Introducing the Cedar policy language Demo Example: Authz within a containerized workload Getting started with your applications 2

  3. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 3 What is application authorization? The set of rules that describe what a user of an application is permitted to do, and the enforcement of those rules 3 4 of the Top 25 Most Dangerous Software Weaknesses identified by CWE related to the management and application of authorization rules … and why is it so important ?

  4. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 4 Today we’ll be talking about 4

  5. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 5 CISO challenge Each application manages permissions, and makes its own authorization decision Fragmentation of authorization across the application landscape 5 Customers Employees Users Enterprise resources Cost Risk Friction 100s (maybe 1000s) of applications

  6. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 6 A new approach to application authorization Following in the footsteps of authentication Applications Authn Identity Provider User credentials Authn Authn Authn Authn Authn OIDC/SAML

  7. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 7 AWS Identity and Access Management (IAM) How AWS centralized authorization across 200+ services AWS Services Authz IAM IAM policies Authz Authz Authz Authz Is access authorized? Authz Authz Authz Authz Authz

  8. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 8 How AWS centralized authorization across 200+ services Policy based authorization Scales to billions authz per sec Expressive policy language Provides policy analysis Proven 100% correctness

  9. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 9 Introducing the Cedar policy language Authorization policies for the applications you build 9 Learn more at https://www.cedarpolicy.com

  10. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 10 Why invent a new authorization language? Customers want a language that is Policy syntax is easy to understand Ergonomic

  11. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 11 Why invent a new authorization language? Customers want a language that is Support for RBAC, ABAC and ReBAC Ergonomic Expressive

  12. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 12 Why invent a new authorization language? Customers want a language that is Verification guided development: automated reasoning & differential testing Ergonomic Safe Expressive

  13. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 13 Why invent a new authorization language? Customers want a language that is Ergonomic Performant Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization Proc. ACM Program. Lang., Vol. 1, No. OOPSLA, Article 1. Publication date: April 2024. “We have implemented Cedar in Rust, and released it open- source. Comparing Cedar to two open-source languages, we find (subjectively) that Cedar (objectively) performs far better.” Safe Expressive Cedar Performance: 28-35x Faster than OpenFGA 42-60x Faster than Rego

  14. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 14 Why invent a new authorization language? Customers want a language that is Ergonomic Analyzable “Line in the sand” – analysis should be fast and never lie: No missed issues, and no false alarms In a store with 1000s of policies - Which policies overlap - Which policies can never be applicable - Which policies permit access to these resources - … Performant Safe Expressive

  15. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 15 Performance Expressiveness Analyzability Safety Ergonomics • Rego has greater expressiveness at the cost of ergonomics, performance, and analyzability • Other languages, like XACML, make a similar tradeoff Why invent a new authorization language? Why not just use an existing language?

  16. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 16 © 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark. Demo https://www.cedarpolicy.com/en/playground https://github.com/cedar-policy/cedar-examples/

  17. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 17 A hosted service for Cedar policy management and evaluation 17 Applications Authz Amazon Verified Permissions Cedar Policy store Authz Authz Authz Authz Authz IsAuthorized Policy management through Infrastructure as Code and/or the AWS Console Policy mgt

  18. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 18 Authorization landscape Cedar and Amazon verified permissions recognized as leader by KPC 18 Download a copy: KuppingerCole - Policy Based Access Management Report (awscloud.com) AWS is a product leader with their Verified Permissions service and Cedar solution “... policies can be understood by application owners or auditors and can also be analyzed by machine processes. “

  19. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 19 Example: Manage authorization within a containerized workload https://aws.amazon.com/blogs/security/manage-authorization-within-a-containerized-workload-using-amazon-verified-permissions/

  20. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 21 Benefits Cedar for fine grained authorization 21 Reduce risk by centralizing authorization, evaluated through a transparent, well governed body of policies Manage costs by simplifying audits, and consolidating code for permissions management and authorization Increase agility by accelerating application development and reducing security friction

  21. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 22 Getting Started with Cedar Inventory your application domain 22 New applications, in design phase 1 Review authorization model Are permissions clearly expressed? Can permissions be modified independently of application code? Are permissions auditable? Consider policy-based permissions

  22. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 23 1 New applications, in design phase Getting Started with Cedar Inventory your application domain 23 Applications moving to cloud 2 Applications being extended / refactored New applications, in development phase Cloud native authentication and authorization Enhance permissions model and improve auditability Accelerate progress through application security reviews

  23. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 24 Getting Started with Cedar Inventory your application domain 24 New applications, in design phase 1 Applications moving to cloud 2 Applications being extended / refactored New applications, in development phase Deployed applications 3 Are there known limitations relating to permissions management e.g. - Lack of support of custom roles - Access auditability

  24. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Confidential and Trademark. 25 Thank you! © 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark. Dennis Kieselhorst @dekies.de Get in touch with the Cedar Community via Slack: https://communityinviter.com/apps/cedar-policy/cedar-policy-language