Authorization and Amazon Verified Permissions: A New Way to Manage Permissions - Part V - Test Bench
Daniel Aniszkiewicz
Posted on July 11, 2023
In the previous article of this series, we've been exploring Amazon Verified Permissions (AVP) and Cedar, its underlying policy language. We've learned how to define fine-grained, attribute-based access control policies, and how to structure our authorization system using AVP schemas. We've also delved into more advanced topics such as including context in our schemas and defining groups of entities.
Now, it's time to put our policies to the test. In this article, we'll introduce the AVP Test Bench, a powerful tool for testing our policies. I'll explain what it is, how it works, and how to use it effectively to ensure our policies behave as expected.
What is the Test Bench?
The Test Bench is a feature of AVP that allows you to test your policies before deploying them. It provides a controlled environment where you can simulate principal requests and see whether they would be allowed or denied based on your policies. This can help prevent potential security issues and save you from headaches down the line.
How to Use the Test Bench
Using the Test Bench is straightforward. Here's a step-by-step guide:
Navigate to the Test Bench: From the AVP console, select your policy store and click on the "Test Bench" tab.
Set up your test: You'll need to specify a principal, an action, and a resource for the test. You can also include a context if your policies use one.
Run the test: Click on the "Run Test" button. AVP will evaluate your policies and show whether the request would be allowed or denied.
Testing Policies with Context
Let's take a look at how we can use the Test Bench to test policies with context. In our ecommerce scenario, we have a policy that allows customers to view products only when the context region is set to "US".
In order for you to test this yourself, you need to have defined policy store, schema, and policies. To do it, you can do it in two ways:
- Use avp-cli It's a CLI for making life easier with AVP. Moreover there are prepared scenarios, and we can reuse them for the purpose of this article.
Inside the GH is a manual. In a nutshell, download the repository, install dependencies, make sure you have AWS credentials added, then use in terminal:
node index.js
Welcome to AVP CLI!
This tool is designed to help you interact with the AWS Verified Permissions (AVP) service. You can use it to create, manage, and delete policy stores, schemas, and policies.
Please ensure that you have set up your AWS credentials correctly to use this tool.
? What would you like to do? Use prepared scenarios
? Choose a scenario Ecommerce with Context Scenario
Starting creating scenario: Ecommerce with Context usage Scenario
This will generate for you a policy store, schema ecommerce, and a policy from context).
- manually add to the AWS console (in the AVP service), inside the policy store add schema and policy) and then go to test bench.
- First, either use an existing one or create a new policy store.
- Add schema:
{
"EcommercePlatform":{
"entityTypes":{
"Customer":{
"shape":{
"type":"Record",
"attributes":{
}
}
},
"Product":{
"shape":{
"type":"Record",
"attributes":{
}
}
}
},
"actions":{
"View":{
"appliesTo":{
"principalTypes":[
"Customer"
],
"resourceTypes":[
"Product"
],
"context":{
"type":"Record",
"attributes":{
"region":{
"name":"region",
"type":"String",
"required":true
}
}
}
}
},
"Edit":{
"appliesTo":{
"principalTypes":[
"Customer"
],
"resourceTypes":[
"Product"
]
}
}
}
}
}
Then add policy:
permit(
principal,
action in [EcommercePlatform::Action::"View"],
resource
) when {
context.region == "US"
};
Now we can test it. Navigate to the AWS Console, open our policy store, and open "Test bench" in the left side panel.
To test this policy, we would set up a test with a principal of "Customer", an action of "View", and a resource of "Product". We would also include a context with a region of "US". Running this test should result in the request being allowed.
Next, we can change the context region to something other than "US" for instance "EU", and run the test again. This time, the request should be denied, demonstrating that our policy is working as expected.
Testing Policies with Groups
In AVP, you can also create policies that apply to groups of principals. For example, we might have a policy that allows customers who belong to the VIP group to preorder products.
Again, two approaches to setup it in AVP.
- With AVP CLI. This time select
Ecommerce with Group Usage Scenario
:
ā avp-cli git:(main) AWS_PROFILE=personal node index.js
Welcome to AVP CLI!
...
? What would you like to do? Use prepared scenarios
? Choose a scenario Ecommerce with Group Scenario
Starting creating scenario: Ecommerce with Group Usage Scenario
- manually add to the AWS console (in the AVP service), inside the policy store add schema and policy) and then go to test bench.
- First, create a new policy store.
- Add schema:
{
"EcommercePlatform": {
"entityTypes": {
"CustomerGroup": {
"shape": {
"type": "Record",
"attributes": {}
}
},
"Product": {
"shape": {
"type": "Record",
"attributes": {}
}
},
"Customer": {
"shape": {
"attributes": {},
"type": "Record"
},
"memberOfTypes": [
"CustomerGroup"
]
}
},
"actions": {
"Create": {
"appliesTo": {
"resourceTypes": [
"Product"
],
"principalTypes": [
"Customer"
]
}
},
"Preorder": {
"appliesTo": {
"resourceTypes": [
"Product"
],
"principalTypes": [
"Customer",
"CustomerGroup"
]
}
},
"Delete": {
"appliesTo": {
"principalTypes": [
"Customer"
],
"resourceTypes": [
"Product"
]
}
},
"View": {
"appliesTo": {
"principalTypes": [
"Customer"
],
"resourceTypes": [
"Product"
]
}
}
}
}
}
Then add policy:
permit (
principal in EcommercePlatform::CustomerGroup::"VIP",
action in [EcommercePlatform::Action::"Preorder"],
resource
);
Now we can test it. Navigate to the AWS Console, open our policy store, and open "Test bench" in the left side panel.
To test this policy, we would set up a test with a principal that is a member of the specified group ("VIP"), an action of "Preorder", and a resource of "Product". Running this test should result in the request being allowed.
The Importance of Deny Policies
One important thing to note about AVP is that deny policies take precedence over allow policies. This means that if you have a policy that allows a certain action and another policy that denies the same action, the action will be denied.
This can be useful for creating exceptions to general rules. For example, you might have a policy that allows all customers to view products, but a deny policy that prevents a specific customer from viewing products. Even though the allow policy would normally grant the customer access, the deny policy takes precedence and the customer's request is denied.
Next Steps
In this article, we've explored the AVP Test Bench and how it can be used to test our policies. We've seen how to set up tests for policies with context and groups, and we've learned about the precedence of deny policies.
As you continue to work with AVP, remember that testing your policies is a crucial step in ensuring that your authorization system behaves as expected. The Test Bench provides a powerful tool for doing this, and I encourage you to make full use of it.
If you want to experiment with AVP and Cedar, consider using the avp-cli tool. It provides a convenient way to create, manage, and delete policy stores, schemas, and policies, and it includes prepared scenarios that you can use as a starting point for your own policies.
In the next article of this series, we'll dive into policy templates in AVP. These templates allow you to define reusable policy patterns, making it easier to manage complex authorization systems. Stay tuned!
Remember, the best way to learn is by doing. Don't be afraid to experiment with different policies and scenarios, and see what you can build with AVP and Cedar!
Posted on July 11, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.