Cedar#
Cedar is an authorization policy language released by AWS in 2023 (open source under Apache 2.0). The design goal: simpler than Rego, fast, formally analyzable, and focused on application-level authorization questions (“can principal P do action A on resource R?”).
Used by AWS Verified Permissions, AWS Verified Access, Cedar agents embedded in services, and a growing number of community projects.
The Mental Model#
A Cedar request is a tuple.
(principal, action, resource, context)
Cedar policies decide Allow or Deny. Decisions are pure functions
of the request and the policy set. The engine’s strong analyzability
comes from the deliberately limited language.
A Minimal Policy#
permit (
principal in Group::"Admins",
action,
resource
);
permit (
principal,
action == Action::"ReadDocument",
resource is Document
) when {
resource.owner == principal
};
forbid (
principal,
action,
resource is Document
) when {
resource.tags.contains("classified")
} unless {
principal in Group::"ClearedStaff"
};
Effects#
Cedar policies can permit or forbid. The semantics
are deliberately blunt: any matching forbid wins,
otherwise at least one matching permit is required.
There is no “most-specific match” rule; the engine
evaluates every policy and combines results predictably.
Two effects.
permit, “this combination is allowed”.
forbid, “this combination is forbidden, regardless of permits”.
Cedar’s evaluation is straightforward: any forbid that applies wins.
Otherwise, if at least one permit applies, the request is allowed.
Scopes and Conditions#
Each Cedar policy has a head and an optional body. The head
binds principal, action, and resource; in and is
filter by entity hierarchy or type; when and unless
add boolean conditions over attributes. Together they shape
exactly which requests the policy applies to.
The “head” of a policy filters by entity.
permit (
principal in Group::"Admins",
action == Action::"DeleteDocument",
resource is Document
) when {
resource.created_at < datetime("2024-01-01T00:00:00Z")
};
principal/action/resource, entity scope.in <Entity>, membership test (groups, parents).is <Type>, type test.when { ... }, additional condition; must be true.unless { ... }, additional condition; must be false.
Entities#
Cedar models the world as typed entities with attributes and parents.
[
{
"uid": { "type": "User", "id": "operator" },
"attrs": { "department": "engineering" },
"parents":[{ "type": "Group", "id": "Admins" }]
},
{
"uid": { "type": "Document", "id": "doc-1" },
"attrs": { "owner": { "__entity": { "type": "User", "id": "operator" } },
"tags": ["public"] },
"parents":[]
}
]
Parents form a hierarchy used by in, as in principal in Group::"Admins".
Schemas#
Cedar policies validate against a schema describing entity types, actions, and attributes. The schema lets the engine catch bad policies at deploy time.
namespace Acme {
entity User { name: String, department: String };
entity Group;
entity Document { owner: User, tags: Set<String>, created_at: String };
action ReadDocument
appliesTo {
principal: [User],
resource: [Document]
};
}
Why “Formally Analyzable”#
Cedar policies can be statically reasoned about: equivalence checks, “is permission P implied by policies?”, “are these two policy sets equivalent?”. The deliberate restrictions on the language (no unbounded recursion, total functions, side-effect-free) enable analysis that Rego policies don’t get.
In practice this means.
You can prove that a refactor doesn’t widen access.
You can find dead policies.
You can compare two policy sets.
AWS ships these tools; community implementations are catching up.
Common Use Cases#
The kinds of work Cedar was designed for. Application-level authorization, API gateway pre-checks, multi-tenant SaaS isolation, and shared policy bundles across microservices – each one fits the “can principal do action on resource” question Cedar answers natively.
Application-level authz, “can user X do action Y on object Z?”.
API gateways, before hitting backend services.
Multi-tenant SaaS, per-tenant isolation, role definitions.
Microservices, shared policy bundle distributed to each service.
Tooling#
The CLI, language bindings, managed services, and IDE extensions that surround Cedar in 2026. The Rust core compiles to Wasm so JavaScript and TypeScript bindings cover the browser; AWS Verified Permissions runs Cedar as a managed service with a familiar API.
cedar-cli, evaluate, validate, analyze policies.
AWS Verified Permissions, managed Cedar service.
Bindings, Rust, JavaScript / TypeScript (via Wasm), Go, Python, Java; the Rust core compiles everywhere.
Visual Studio Code extension, syntax highlighting and validation.
Cedar vs. Rego#
The most common policy-language comparison an operator faces when picking a stack. Cedar is narrower and analyzable; Rego is broader and Turing-complete. The right pick depends on whether the workload is application authorization (Cedar) or cross-cutting policy across heterogeneous systems (Rego).
Aspect |
Cedar Rego (OPA) |
|---|---|
Domain |
Application authz General-purpose policy |
Power |
Limited (deliberate) Turing-complete |
Analyzability |
Strong (formal verification) Weak |
Schema |
First-class Optional |
Engine |
Embedded library or service Sidecar daemon (typical) |
Integrations |
AWS-first; growing Massive ecosystem |
Learning curve |
Smaller Steeper |
For straightforward “who can do what” decisions, Cedar is often easier and safer. For cross-cutting policy across heterogeneous systems (Kubernetes admission, Terraform plan, microservice authz, CI gating), Rego’s broader ecosystem usually wins.
Pitfalls#
The traps that catch teams new to Cedar. Missing schemas
hide type errors; absent attributes silently propagate as
errors; set-versus-list semantics surprise; the
forbid-wins resolution model differs from “most-specific”
intuition. Each is fixable once the rule is internalized.
Type errors at runtime, without a schema, expressions silently evaluate to nothing. Always validate against a schema.
Entity attribute lookup, attributes that might be missing produce error, which propagates. Use
hasto check first.Set vs. list, Cedar sets are unordered and de-duplicated;
containsworks on both but with different semantics.Resolution of overlapping policies,
forbidalways wins; newcomers expect “most specific” precedence.
When to Pick Cedar#
The kinds of project where Cedar is the right call. AWS- native services using Verified Permissions, greenfield application authz that values simplicity, multi-tenant SaaS where per-tenant policy edits must be safe, and any system that benefits from formal analysis of policy changes.
AWS-native applications using Verified Permissions.
Greenfield application authz where simplicity matters.
Multi-tenant SaaS with per-tenant policies that must be safe to edit.
Anywhere formal analysis of policy changes pays back.