
Amazon Verified Permissions

Integrating Big ACL with Amazon Verified Permissions

1. Overview

Amazon Verified Permissions is a service from AWS that allows you to store and evaluate fine-grained authorization policies. By connecting Big ACL and Amazon Verified Permissions, you can leverage the authorization rules you have designed in Big ACL and apply them within AWS, ensuring consistent access decisions across your entire environment.

2. Prerequisites

Before you begin, make sure you have the following prerequisites in place:

  1. An AWS account: You will need credentials with sufficient privileges to create and manage Amazon Verified Permissions resources (e.g., IAM user or role with appropriate permissions).

  2. A Big ACL account: You should have an active Big ACL account where you have defined the authorization schema and rules you want to deploy.

  3. AWS CLI or AWS SDK: You can use either the AWS Command Line Interface or an AWS SDK (for Python, Node.js, Java, etc.) to perform setup tasks on Amazon Verified Permissions.

3. High-Level Architecture

  1. Schema Management in Big ACL: You first create and refine your authorization schema (entities, attributes, relationships) and rules in the Big ACL platform.

  2. Deployment to Amazon Verified Permissions: Using the Big ACL connector, you push your schema and rules to an Amazon Verified Permissions store, where they can be enforced at runtime by AWS services or your own applications.

  3. Runtime Evaluation: During normal operation, calls to check access will be evaluated against your Amazon Verified Permissions store, using the policies and schema you synced from Big ACL.

4. Setting Up Amazon Verified Permissions

  1. Create a Permissions Store

    • Sign in to the AWS Management Console and open the Amazon Verified Permissions console.

    • Click on Create a permissions store.

    • Provide a name and an optional description, then click Create.

    • Make note of the Store ID that gets created, as you will need it in the next steps.

  2. Configure Your IAM Permissions

    • Ensure the IAM user or role you use for this integration has permissions to write policies to Amazon Verified Permissions.

    • Typical permissions include actions such as verifiedpermissions:CreatePolicy, verifiedpermissions:UpdatePolicy, and verifiedpermissions:DeletePolicy.
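
The following check is an added example, not part of Big ACL or its connector: it audits the IAM policy document attached to the integration role and reports statements that grant the write actions listed above through wildcards or on anything other than the one store created in step 1. The account ID, Store ID, sample policies and function names are constructed for illustration, and the store ARN format is an assumption to confirm against the AWS Service Authorization Reference.

```python
from fnmatch import fnmatchcase

# Write actions named on this page.
WRITE_ACTIONS = (
    "verifiedpermissions:CreatePolicy",
    "verifiedpermissions:UpdatePolicy",
    "verifiedpermissions:DeletePolicy",
)
# Constructed placeholders: the account ID and Store ID are not real values,
# and the ARN layout is an assumption to verify for your account.
STORE_ARN = "arn:aws:verifiedpermissions::111122223333:policy-store/EXAMPLE-STORE-ID"

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_connector_policy(policy, store_arn):
    """Return findings for Allow statements that grant the write actions
    more broadly than the one store identified by store_arn."""
    findings = []
    for n, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: NotAction/NotResource needs manual review")
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        hits = [p for p in patterns
                if any(fnmatchcase(w.lower(), p) for w in WRITE_ACTIONS)]
        if not hits:
            continue  # statement does not grant any policy write action
        for p in hits:
            if "*" in p or "?" in p:
                findings.append(f"statement {n}: wildcard action '{p}'")
        for r in _as_list(stmt.get("Resource", [])):
            if r != store_arn:
                findings.append(f"statement {n}: resource '{r}' is not the target store")
    return findings

# Constructed sample policies: one over-broad, one scoped to a single store.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "verifiedpermissions:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": list(WRITE_ACTIONS), "Resource": STORE_ARN}}

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_connector_policy(doc, STORE_ARN) or "ok")
```
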


Last updated 2 months ago