Securing 50 million requests per month with AWS-based authorization (DEV318)

Summary

External Role-Based Access Control (RBAC) using Amazon Verified Permissions (AVP)

  • Challenge: Authorization logic was repeated across multiple applications and enforced only at the resource-server level.
  • Goal: Centralize authorization at the API Gateway level to avoid duplication.
  • Solution: Attached a Lambda authorizer to the API Gateway to make authorization requests to AVP. Created configuration-based templates to map API endpoints and roles to AVP policies.
  • Lessons Learned:
    • Implemented RBAC without requiring developers to climb the steep learning curve of Rego.
    • Release tests were very useful to validate policies.
    • Editing policies is difficult because AVP has no support for blue-green deployments.

Internal Attribute-Based Access Control (ABAC)

  • Challenge: Authorize internal traffic based on attributes like entity type, vertical, business unit, etc.
  • Goal: Implement ABAC to control access to various resources (RFQ, Policy, External Policy) based on user attributes.
  • Solution: Created multiple policy stores, one per resource type, and used the e operator in Rego to match the resource type during the authorization request.
  • Lessons Learned:
    • The e operator is not supported in AVP, leading to a more complex solution with multiple policy stores.
    • Policy-language version differences between Rego and AVP caused compatibility issues.
    • Created a reusable authorization gem using a hexagonal architecture to simplify integration across multiple resource servers.
    • Utilized Cedar CLI for local testing and validation of authorization payloads against the schema.

Internal RBAC

  • Challenge: Enforce RBAC between internal applications to maintain a zero-trust policy.
  • Goal: Have a higher level of control over inter-application communication and avoid chaining of tokens.
  • Solution: Implemented RBAC at the resource server level using the token-house library, which handles both authentication and authorization.
  • Lessons Learned:
    • Caching is crucial to manage the cost and latency of AVP calls.
    • Optimized caching by cleaning up the path in the cache key to improve cache hit rate.
    • Significant cost reduction (93%) by optimizing caching, from $202k to less than $2k per year.
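The three patterns summarized above (a Lambda authorizer in front of API Gateway that maps endpoints and roles onto AVP requests via a configuration template, one policy store per resource type, and a decision cache keyed on a cleaned-up path) fit in one small module. The following is an added example, not code from the talk or from the team's libraries: the route table, policy-store IDs, role names and the in-memory `FakeAVPClient` are all constructed placeholders, and in production the client would be `boto3.client("verifiedpermissions")`, whose `is_authorized` request and response shapes the fake mirrors. Using the matched route template as the cache key (rather than the raw path) is what makes `/rfqs/123?x=1` and `/rfqs/456` share an entry; the key also carries the caller's roles, because a decision cached for one role must never be served to another, and because this collapsing is only safe for RBAC decisions that do not depend on the individual resource.

```python
import re
import time
from dataclasses import dataclass, field

# Constructed route table: (HTTP method, path template) -> (AVP action, resource type).
# A real deployment would load this from the configuration-based templates the talk mentions.
ROUTES = {
    ("GET", "/rfqs/{id}"): ("ViewRFQ", "RFQ"),
    ("POST", "/rfqs"): ("CreateRFQ", "RFQ"),
    ("GET", "/policies/{id}"): ("ViewPolicy", "Policy"),
}

# Constructed resource-type -> policy-store map (one store per resource type).
# The IDs are placeholders, not real AVP policy-store IDs.
POLICY_STORES = {"RFQ": "ps-rfq-PLACEHOLDER", "Policy": "ps-policy-PLACEHOLDER"}


def _template_regex(template):
    """Turn '/rfqs/{id}' into a regex matching exactly one path segment per placeholder."""
    return re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")


_ROUTE_PATTERNS = [(m, _template_regex(t), t, action, rtype)
                   for (m, t), (action, rtype) in ROUTES.items()]


def resolve_route(method, path):
    """Map a concrete request to (template, action, resource type), or None if unknown.
    Query string and trailing slash are dropped; the template (not the raw path) becomes
    part of the cache key, so ID-bearing paths collapse to one entry per role set."""
    clean = path.split("?", 1)[0].rstrip("/") or "/"
    for m, pattern, template, action, rtype in _ROUTE_PATTERNS:
        if m == method.upper() and pattern.match(clean):
            return template, action, rtype
    return None


@dataclass
class DecisionCache:
    """TTL cache of ALLOW/DENY decisions keyed on (store, roles, action, template)."""
    ttl: float = 60.0
    hits: int = 0
    misses: int = 0
    _entries: dict = field(default_factory=dict)

    def get(self, key, now):
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            self.hits += 1
            return entry[0]
        self.misses += 1
        return None

    def put(self, key, allowed, now):
        self._entries[key] = (allowed, now + self.ttl)


class FakeAVPClient:
    """Offline stand-in for boto3.client("verifiedpermissions"). It accepts the IsAuthorized
    request shape and answers from a constructed (store, role, action) allow-list instead
    of evaluating Cedar policies, so the example runs without AWS access."""
    ALLOWED = {
        ("ps-rfq-PLACEHOLDER", "Admin", "ViewRFQ"),
        ("ps-rfq-PLACEHOLDER", "Admin", "CreateRFQ"),
        ("ps-rfq-PLACEHOLDER", "Analyst", "ViewRFQ"),
        ("ps-policy-PLACEHOLDER", "Admin", "ViewPolicy"),
    }

    def __init__(self):
        self.calls = 0  # counts real (non-cached) authorization calls

    def is_authorized(self, **request):
        self.calls += 1
        store, action = request["policyStoreId"], request["action"]["actionId"]
        roles = {parent["entityId"]
                 for entity in request["entities"]["entityList"]
                 for parent in entity.get("parents", []) if parent["entityType"] == "Role"}
        allowed = any((store, r, action) in self.ALLOWED for r in roles)
        return {"decision": "ALLOW" if allowed else "DENY", "determiningPolicies": [], "errors": []}


class Authorizer:
    def __init__(self, avp_client, cache=None):
        self.avp = avp_client
        self.cache = cache or DecisionCache()

    def authorize(self, method, path, user_id, roles, now=None):
        now = time.monotonic() if now is None else now
        route = resolve_route(method, path)
        if route is None:
            return False  # unknown route: fail closed without calling AVP
        template, action, rtype = route
        store = POLICY_STORES[rtype]  # route to the policy store for this resource type
        key = (store, tuple(sorted(roles)), action, template)
        cached = self.cache.get(key, now)
        if cached is not None:
            return cached
        response = self.avp.is_authorized(
            policyStoreId=store,
            principal={"entityType": "User", "entityId": user_id},
            action={"actionType": "Action", "actionId": action},
            # Using the route template as the resource id is a choice made for this example.
            resource={"entityType": rtype, "entityId": template},
            entities={"entityList": [{
                "identifier": {"entityType": "User", "entityId": user_id},
                "attributes": {},
                "parents": [{"entityType": "Role", "entityId": r} for r in roles]}]},
        )
        allowed = response["decision"] == "ALLOW"
        self.cache.put(key, allowed, now)
        return allowed


def api_gateway_response(allowed, principal_id, method_arn):
    """IAM policy document in the shape an API Gateway Lambda authorizer returns."""
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Action": "execute-api:Invoke",
                                              "Effect": "Allow" if allowed else "Deny",
                                              "Resource": method_arn}]}}
```

A Lambda handler would pull `method`, `path` and the caller's roles from the event (for a JWT-backed authorizer, from the validated token claims), call `Authorizer.authorize`, and return `api_gateway_response(...)` with the event's `methodArn`. The `now` parameter exists only so the TTL behaviour can be exercised deterministically; in production it is left at `None`.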

General Lessons Learned

  • Cedar CLI is a game-changer for local testing and confidence in the authorization implementation.
  • Hexagonal architecture helps with abstraction and reusability of the authorization logic.
  • Backstage templates streamlined the roll-out of the authorization solution across multiple projects.
  • Policy-language version differences between Rego and AVP can cause compatibility issues, requiring careful validation.
  • AVP lacks some features like search, sorting, and tagging for policy stores, making management more challenging.
