AWS Architecture Blog · February 5, 2026

Designing Fine-Grained API Authorization with AWS Verified Permissions

This article details how Convera implemented a fine-grained API authorization system using Amazon Verified Permissions for their global cross-border payments platform. It highlights the architecture, policy definition using Cedar language, and integration with AWS services like Cognito and API Gateway to enforce attribute-based and role-based access control for both customer-facing and internal applications, as well as service-to-service communication.


The Challenge of Fine-Grained Authorization

Building a robust, scalable, and auditable authorization system is a significant architectural challenge, especially for a platform such as Convera's payment system, which handles sensitive data and many distinct user roles. The core requirement is that every caller (internal users, external users, and services) can access only the resources and actions it is explicitly authorized for, while the system adapts to evolving business needs and supports multi-tenancy. Rather than build a complex in-house solution, Convera chose Amazon Verified Permissions to offload policy management, real-time evaluation, logging, and auditing.

Architectural Foundation with Amazon Verified Permissions

Amazon Verified Permissions (AVP) serves as a central authorization engine, integrating with other AWS services to provide a comprehensive access control solution. Key reasons for its adoption include direct integration with Amazon Cognito and Amazon API Gateway, the flexibility of the Cedar policy language for complex rules, the ability to evaluate multiple attributes (roles, transaction amounts, locations), and its high-performance characteristics for authorization decisions.

Core Authorization Workflow

  1. User authentication via Amazon Cognito (or enterprise IdP for internal users).
  2. Pre-token generation Lambda enriches JWT with user roles from RDS/DynamoDB.
  3. Client makes API call with enriched JWT to API Gateway.
  4. API Gateway Lambda authorizer validates JWT and calls Verified Permissions.
  5. Verified Permissions evaluates Cedar policies (e.g., `permit (principal, action, resource) when { principal.role == "PAYMENT_INITIATOR" && resource.accountType == "BUSINESS" };`).
  6. AVP returns allow/deny decision to Lambda authorizer, which then generates an IAM policy for API Gateway.
  7. API Gateway caches the IAM policy and enforces the decision, allowing or denying the request.

Caching for Performance and Cost Efficiency

Convera implemented a two-level caching system: API Gateway's built-in cache for authorization decisions and application-level caching for Amazon Cognito tokens. This strategy is crucial for achieving sub-millisecond response times, reducing operational costs, and maintaining security controls by minimizing redundant policy evaluations.

Extending Authorization to Multi-Tenancy and Service-to-Service

The flexibility of AVP and the Cedar policy language allowed Convera to reuse the same architectural pattern for multiple scenarios beyond simple user access. This includes managing complex multi-tenant access control with strict data isolation by dynamically evaluating tenant ownership and contextual attributes. The architecture was also extended to secure service-to-service communications, where client services are registered and use client credentials (instead of user credentials) with dedicated policy stores for their specific permissions.
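The authorizer side of workflow steps 4 to 6, extended with the tenant-isolation and client-credentials variants described in this section, as an added example. This is not Convera's code and not code from the AWS post. It assumes a Python Lambda authorizer, an invented `PaymentsApi` Cedar namespace, placeholder policy store ids, claim names (`custom:role`, `custom:tenantId`) that the pre-token-generation Lambda is assumed to add, and a route-to-action map; JWT signature verification against the Cognito JWKS is assumed to have happened before `authorize` is called. `FakeVerifiedPermissions` stands in for the boto3 `verifiedpermissions` client so the block runs offline; it emulates the constructed Cedar policies in `CEDAR_POLICIES`, while a deployment would pass the real client and the same request arguments.

```python
"""Lambda authorizer for API Gateway that delegates to Amazon Verified Permissions.
Hypothetical example: entity types, claim names, store ids and routes are assumptions."""
import json

USER_POLICY_STORE_ID = "PLACEHOLDER_USER_STORE_ID"        # placeholder, not a real id
SERVICE_POLICY_STORE_ID = "PLACEHOLDER_SERVICE_STORE_ID"  # dedicated store for services

# Cedar policies the two stores are assumed to hold (constructed for this example).
CEDAR_POLICIES = """
// User store: the role/account-type rule from the post, plus tenant isolation.
permit (principal, action == PaymentsApi::Action::"InitiatePayment", resource)
when { principal.role == "PAYMENT_INITIATOR" && resource.accountType == "BUSINESS"
       && principal.tenantId == resource.tenantId };
permit (principal, action == PaymentsApi::Action::"ListPayments", resource)
when { principal.tenantId == resource.tenantId };
// Service store: client-credential callers are authorized by OAuth scope.
permit (principal, action == PaymentsApi::Action::"ListPayments", resource)
when { principal.scopes.contains("payments/read") };
"""

# Assumed mapping from (HTTP method, path) to a Cedar action id.
ROUTE_TO_ACTION = {("POST", "/payments"): "InitiatePayment", ("GET", "/payments"): "ListPayments"}


def split_method_arn(method_arn):
    """Split 'arn:aws:execute-api:region:acct:apiId/stage/METHOD/path' into its parts."""
    parts = method_arn.split("/", 3)
    if len(parts) < 3:
        raise ValueError("malformed method ARN")
    prefix, stage, http_method = parts[:3]
    return prefix, stage, http_method, (parts[3] if len(parts) == 4 else "")


def principal_from_claims(claims):
    """Map already-verified JWT claims to (policy store, principal, attributes).
    A Cognito client-credentials token has client_id but no username, so it is
    routed to the service store; role/tenant claims are assumed to come from
    the pre-token-generation Lambda."""
    if "cognito:username" not in claims and "client_id" in claims:
        scopes = [{"string": s} for s in claims.get("scope", "").split()]
        return (SERVICE_POLICY_STORE_ID,
                {"entityType": "PaymentsApi::Service", "entityId": claims["client_id"]},
                {"scopes": {"set": scopes}})
    return (USER_POLICY_STORE_ID,
            {"entityType": "PaymentsApi::User", "entityId": claims["sub"]},
            {"role": {"string": claims["custom:role"]},
             "tenantId": {"string": claims["custom:tenantId"]}})


def build_authorization_request(claims, method_arn, resource_attrs):
    """Keyword arguments for verifiedpermissions.is_authorized(). resource_attrs
    describe the account the call targets (looked up by the authorizer)."""
    _prefix, _stage, http_method, path = split_method_arn(method_arn)
    action_id = ROUTE_TO_ACTION[(http_method, "/" + path)]  # KeyError => deny
    store_id, principal, principal_attrs = principal_from_claims(claims)
    resource = {"entityType": "PaymentsApi::Account", "entityId": resource_attrs["accountId"]}
    return {
        "policyStoreId": store_id,
        "principal": principal,
        "action": {"actionType": "PaymentsApi::Action", "actionId": action_id},
        "resource": resource,
        "context": {"contextMap": {"httpMethod": {"string": http_method}}},
        "entities": {"entityList": [
            {"identifier": principal, "attributes": principal_attrs},
            {"identifier": resource, "attributes": {
                "accountType": {"string": resource_attrs["accountType"]},
                "tenantId": {"string": resource_attrs["tenantId"]}}},
        ]},
    }


def iam_policy(principal_id, effect, method_arn):
    """The document API Gateway expects back from a Lambda authorizer (and caches)."""
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]}}


def authorize(claims, method_arn, resource_attrs, avp_client):
    """Steps 4-6 of the workflow. Only an explicit ALLOW with no evaluation errors
    becomes Allow; unmapped routes, missing claims or attributes, and malformed
    ARNs all fail closed to Deny."""
    principal_id = claims.get("sub", "anonymous")
    effect = "Deny"
    try:
        request = build_authorization_request(claims, method_arn, resource_attrs)
        response = avp_client.is_authorized(**request)
        if response.get("decision") == "ALLOW" and not response.get("errors"):
            effect = "Allow"
    except (KeyError, ValueError):
        pass
    return iam_policy(principal_id, effect, method_arn)


class FakeVerifiedPermissions:
    """Offline stand-in for boto3.client("verifiedpermissions") emulating CEDAR_POLICIES."""
    def is_authorized(self, **req):
        attrs = {json.dumps(e["identifier"], sort_keys=True): e["attributes"]
                 for e in req["entities"]["entityList"]}
        p = attrs[json.dumps(req["principal"], sort_keys=True)]
        r = attrs[json.dumps(req["resource"], sort_keys=True)]
        action, allowed = req["action"]["actionId"], False
        if req["policyStoreId"] == USER_POLICY_STORE_ID:
            same_tenant = p["tenantId"]["string"] == r["tenantId"]["string"]
            if action == "InitiatePayment":
                allowed = (same_tenant and p["role"]["string"] == "PAYMENT_INITIATOR"
                           and r["accountType"]["string"] == "BUSINESS")
            elif action == "ListPayments":
                allowed = same_tenant
        elif req["policyStoreId"] == SERVICE_POLICY_STORE_ID:
            scopes = {s["string"] for s in p["scopes"]["set"]}
            allowed = action == "ListPayments" and "payments/read" in scopes
        return {"decision": "ALLOW" if allowed else "DENY", "errors": []}
```

`authorize` returns the policy document that API Gateway caches per token. Because `iam_policy` names only the single method ARN that was evaluated, a cached document will not cover the same caller's next request to a different route until the cache TTL expires; in a deployment either widen `Resource` to the set of routes the caller may use or keep the authorizer cache TTL short, and keep the per-request AVP evaluation as the real decision point.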

Tags: authorization, fine-grained access control, AWS Verified Permissions, Cedar policy language, API Gateway, Cognito, multi-tenancy, security architecture
