Amazon Verified Permissions
The Amazon Verified Permissions (AVP) connector enables you to deploy your Big ACL authorization rules directly to AWS for runtime enforcement.
This integration allows you to manage policies in Big ACL while leveraging Amazon’s highly available and scalable authorization service.
Overview
Amazon Verified Permissions is a managed authorization service from AWS that uses the Cedar policy language.
Big ACL automatically translates your rules into Cedar policies and synchronizes them with your AVP Policy Store.
What Gets Synchronized
| Big ACL Component | AVP Equivalent |
|---|---|
| Entity Types (Schema) | Cedar Schema |
| Authorization Rules | Cedar Policies |
| Groups | Entity hierarchies |
Getting Started
Prerequisites
Before configuring the connector, ensure you have:
- An AWS account with Amazon Verified Permissions enabled
- A Policy Store created in AVP (you’ll need the Policy Store ID)
- IAM credentials with appropriate permissions to access AVP
Required AWS Permissions
The IAM role or access key used by Big ACL must have the following permissions on your Policy Store:
| Permission | Purpose |
|---|---|
| verifiedpermissions:GetPolicyStore | Read Policy Store configuration |
| verifiedpermissions:GetSchema | Read the current schema |
| verifiedpermissions:PutSchema | Update the schema with entity types |
| verifiedpermissions:ListPolicies | List existing policies |
| verifiedpermissions:CreatePolicy | Create new policies |
| verifiedpermissions:UpdatePolicy | Update existing policies |
| verifiedpermissions:DeletePolicy | Remove obsolete policies |
Configuration
Step 1: Access the Connector
- Navigate to Settings > Connectors in the Big ACL console
- Select Amazon Verified Permissions
Step 2: Enter Policy Store Details
| Field | Description |
|---|---|
| Policy Store ID | The unique identifier of your AVP Policy Store (format: ps-xxxxxxxx) |
| AWS Region | The region where your Policy Store is hosted |
Step 3: Configure Authentication
Choose one of two authentication methods:
Option A: Access Key
Use an IAM user’s access key for authentication. Recommended for development and testing.
| Field | Description |
|---|---|
| Access Key ID | Your IAM access key ID (format: AKIA...) |
| Secret Access Key | Your IAM secret access key |
Option B: IAM Role
Assume an IAM role for authentication. Recommended for production environments.
| Field | Description |
|---|---|
| Role ARN | The full ARN of the IAM role to assume |
The IAM role option provides better security through temporary credentials and cross-account access capabilities.
Step 4: Test the Connection
Click Test Connection to verify that Big ACL can successfully connect to your Policy Store. A successful test confirms:
- The credentials are valid
- The Policy Store exists and is accessible
- The required permissions are in place
Step 5: Save Configuration
Click Save to store your configuration. The connector is now ready to synchronize.
Synchronization
How Synchronization Works
When you synchronize:
- Schema Export: Big ACL exports your entity types as a Cedar schema
- Policy Translation: Each enforced rule is translated into Cedar policy syntax
- Deployment: Policies are created, updated, or deleted in AVP to match Big ACL
Only rules with Enforced status are synchronized. Draft and Archived rules are not deployed.
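The three steps above describe a reconcile loop: compute the set of Cedar policies that should exist, compare it with what the Policy Store holds, and create, update or delete to close the gap. The following is an added example of that loop, not Big ACL's own code. It assumes a constructed rule shape (`Rule`, `SAMPLE_RULES`), a placeholder store id, and an assumed naming convention (`bigacl:<rule id>` in the policy description) for telling Big ACL-managed policies apart from hand-written ones; `client` is expected to be `boto3.client("verifiedpermissions")`, and only its `list_policies`, `get_policy`, `create_policy`, `update_policy` and `delete_policy` calls are used. `FakeAvpClient` is a constructed in-memory stand-in so the example runs offline.

```python
# Added example (not Big ACL's code): reconcile Enforced rules against an AVP Policy Store.
# Assumed: Rule shape, SAMPLE_RULES, STORE_ID (placeholder), and the "bigacl:<rule id>"
# description convention. `client` is expected to be boto3.client("verifiedpermissions").
from __future__ import annotations
from dataclasses import dataclass, field

ENFORCED = "Enforced"
PREFIX = "bigacl:"           # assumed convention marking policies this tool owns
STORE_ID = "ps-EXAMPLE0001"  # placeholder Policy Store ID, not a real one


@dataclass(frozen=True)
class Rule:
    rule_id: str
    status: str                 # "Draft", "Enforced" or "Archived"
    principal_type: str
    action: str
    resource_type: str
    condition: str | None = None  # Cedar expression for the `when` clause


def to_cedar(rule: Rule) -> str:
    """Render a rule as a static Cedar permit statement, in the shape the page's example uses."""
    head = (f"permit(\n  principal is {rule.principal_type},\n"
            f'  action in [Action::"{rule.action}"],\n'
            f"  resource is {rule.resource_type}\n)")
    return f"{head}\nwhen {{ {rule.condition} }};" if rule.condition else f"{head};"


@dataclass
class SyncPlan:
    create: dict[str, str] = field(default_factory=dict)              # rule id -> statement
    update: dict[str, tuple[str, str]] = field(default_factory=dict)  # rule id -> (policy id, statement)
    delete: dict[str, str] = field(default_factory=dict)              # rule id -> policy id


def load_existing(client, store_id: str) -> dict[str, tuple[str, str]]:
    """Map rule id -> (policy id, statement) for owned policies; hand-written ones are ignored."""
    existing, token = {}, None
    while True:  # ListPolicies is paginated via nextToken
        page = client.list_policies(policyStoreId=store_id, **({"nextToken": token} if token else {}))
        for item in page["policies"]:
            desc = item.get("definition", {}).get("static", {}).get("description", "")
            if desc.startswith(PREFIX):  # the list call carries no statement; fetch it
                full = client.get_policy(policyStoreId=store_id, policyId=item["policyId"])
                existing[desc[len(PREFIX):]] = (item["policyId"], full["definition"]["static"]["statement"])
        token = page.get("nextToken")
        if not token:
            return existing


def plan_sync(rules: list[Rule], existing: dict[str, tuple[str, str]]) -> SyncPlan:
    """Only Enforced rules are desired; owned policies with no Enforced rule are deleted."""
    desired = {r.rule_id: to_cedar(r) for r in rules if r.status == ENFORCED}
    plan = SyncPlan()
    for rid, stmt in desired.items():
        if rid not in existing:
            plan.create[rid] = stmt
        elif existing[rid][1] != stmt:   # statement drifted: update in place, keep the policy id
            plan.update[rid] = (existing[rid][0], stmt)
    for rid, (pid, _) in existing.items():
        if rid not in desired:
            plan.delete[rid] = pid
    return plan


def apply_plan(client, store_id: str, plan: SyncPlan) -> dict[str, int]:
    """Push the plan to the store; returns counts so a sync status/metrics view can report them."""
    for rid, stmt in plan.create.items():
        client.create_policy(policyStoreId=store_id,
                             definition={"static": {"description": PREFIX + rid, "statement": stmt}})
    for rid, (pid, stmt) in plan.update.items():
        client.update_policy(policyStoreId=store_id, policyId=pid,
                             definition={"static": {"description": PREFIX + rid, "statement": stmt}})
    for pid in plan.delete.values():
        client.delete_policy(policyStoreId=store_id, policyId=pid)
    return {"created": len(plan.create), "updated": len(plan.update), "deleted": len(plan.delete)}


SAMPLE_RULES = [  # constructed sample input
    Rule("dev-repo-access", ENFORCED, "Developer", "access", "Repository",
         "principal.team == resource.owner.team"),                          # the page's example rule
    Rule("dev-repo-delete", "Draft", "Developer", "delete", "Repository"),  # Draft: never deployed
    Rule("admin-repo-access", ENFORCED, "Admin", "access", "Repository"),
]


class FakeAvpClient:
    """Constructed in-memory stand-in for the boto3 client: same call names, kwargs and response shapes."""
    def __init__(self, seeded: dict[str, dict]):
        self.policies = dict(seeded)   # policy id -> {"description", "statement"}
        self._n = len(seeded)

    def list_policies(self, policyStoreId, nextToken=None):
        return {"policies": [{"policyId": pid, "definition": {"static": {"description": d["description"]}}}
                             for pid, d in self.policies.items()]}

    def get_policy(self, policyStoreId, policyId):
        return {"policyId": policyId, "definition": {"static": dict(self.policies[policyId])}}

    def create_policy(self, policyStoreId, definition):
        self._n += 1
        self.policies[f"p-{self._n}"] = dict(definition["static"])
        return {"policyId": f"p-{self._n}"}

    def update_policy(self, policyStoreId, policyId, definition):
        self.policies[policyId] = dict(definition["static"])
        return {"policyId": policyId}

    def delete_policy(self, policyStoreId, policyId):
        del self.policies[policyId]
        return {}


def run_demo():
    """Seed a store with one stale, one orphaned and one hand-written policy, then reconcile."""
    stale = "permit(principal, action, resource);"
    client = FakeAvpClient({
        "p-1": {"description": PREFIX + "dev-repo-access", "statement": stale},  # statement drifted
        "p-2": {"description": PREFIX + "old-rule", "statement": stale},         # rule archived in Big ACL
        "p-3": {"description": "hand-written", "statement": "forbid(principal, action, resource);"},
    })
    counts = apply_plan(client, STORE_ID, plan_sync(SAMPLE_RULES, load_existing(client, STORE_ID)))
    return counts, client
```

Running `run_demo()` yields one create, one update and one delete; the hand-written `forbid` policy is left untouched because it lacks the ownership prefix, and a second pass produces an empty plan. Tracking ownership explicitly is what keeps a sync from deleting policies that were never Big ACL's to manage.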
Automatic Synchronization
Enable automatic synchronization to deploy changes as soon as rules are validated:
- Toggle Automatic synchronization to On
- Changes are synced immediately when a rule reaches Enforced status
This ensures your AVP Policy Store always reflects your current authorization policies.
Manual Synchronization
If automatic sync is disabled, you can trigger synchronization manually:
- Click the Sync Now button
- Monitor the sync status until completion
- Review any errors if the sync fails
Manual mode is useful when you want to batch changes or review policies before deployment.
Sync Status
The connector displays the current synchronization status:
| Status | Description |
|---|---|
| Not synced | No synchronization has been performed yet |
| Syncing… | Synchronization is in progress |
| Success | Last synchronization completed successfully |
| Failed | Last synchronization encountered an error |
Monitoring
Connection Status
The connector continuously monitors the connection to AVP:
| Status | Description |
|---|---|
| Connected | Big ACL can reach the Policy Store |
| Disconnected | Connection is not established |
| Error | Connection failed (hover for details) |
Synchronization Metrics
The dashboard displays key metrics:
| Metric | Description |
|---|---|
| Rules Synchronized | Number of policies deployed to AVP |
| Entity Types | Number of schema types in the Policy Store |
| Last Successful Sync | Timestamp of the last successful synchronization |
Cedar Policy Format
Big ACL translates your natural language rules into Cedar policies. You can preview the Cedar syntax for any rule in the rule details view.
Example Translation
Big ACL Rule:
“A developer can access a repository if they belong to the same team as the repository owner.”
Cedar Policy:
```cedar
permit(
  principal is Developer,
  action in [Action::"access"],
  resource is Repository
)
when { principal.team == resource.owner.team };
```
The Cedar preview allows you to verify the translation before deployment.
Troubleshooting
Connection Issues
“Access Denied” error
- Verify your IAM credentials are correct
- Ensure the IAM user or role has the required permissions
- Check that the Policy Store ID matches your target store
“Policy Store not found” error
- Confirm the Policy Store ID is correct
- Verify you’re using the correct AWS region
“Credentials expired” error
- For access keys: generate new credentials in AWS IAM
- For IAM roles: ensure the trust policy allows Big ACL to assume the role
Synchronization Issues
“Schema validation failed”
- Review your entity types for circular references
- Ensure all referenced entity types exist
- Check for invalid attribute names
“Policy limit exceeded”
- AVP has limits on the number of policies per store
- Consider consolidating rules or using a separate Policy Store
- Contact AWS support to request a limit increase
“Conflicting policies”
- Review the failed policies in the sync error message
- Check for duplicate rule IDs or conflicting definitions
Best Practices
Security
- Use IAM roles instead of access keys for production deployments
- Apply least privilege: only grant the permissions listed above
- Enable CloudTrail to audit AVP API calls
- Rotate credentials regularly if using access keys
Reliability
- Enable automatic sync to ensure policies are always current
- Monitor sync status and set up alerts for failures
- Test in a non-production Policy Store before deploying to production
Organization
- Use separate Policy Stores for different environments (dev, staging, prod)
- Establish naming conventions for easy identification of Big ACL policies
- Document your sync schedule if using manual synchronization
Supported Regions
The connector supports all AWS regions where Amazon Verified Permissions is available: