Episode 064: 11‐12‐2024 Amazon's Cedar Open Source Strategy - GluuFederation/identerati-office-hours GitHub Wiki
Title: Amazon's Cedar Open Source Strategy
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Ricardo Sueiras, Principal Developer Advocate, AWS
- Co-Host: Julian Lovelock, Technical Product Manager at AWS
Description
Amazon released Cedar as an open source project on May 10, 2023. Why? The open source strategy will shed light on what AWS is expecting to accomplish with Cedar. Are they expecting open source contributions? Does AWS believe open source will increase the rate of developer adoption? Why did AWS choose to open source both the policy syntax and the engines (Rust, Java, Go)? Why choose the Apache 2.0 license? What was the business case the Cedar team made to AWS management? What are some of the metrics that AWS will use to measure the success of Cedar adoption? What other open source projects does Cedar resemble at AWS? Join this episode for a deep dive into the Cedar open source strategy!
Homework
Extra Credit
- How Amazon Web Services uses formal methods
- The AWS Developers Podcast Twilio & Amazon Verified Permissions
Takeaways
⚡ The Cedar policy syntax and engines ARE NOT tightly bundled to Amazon's cloud! Companies can use Cedar anywhere they need to externalize policies where safety, expressibility and performance are needed. AWS Verified Permissions is a cloud service for enterprises that want to build a globally distributed hosted authorization service. But other ecosystem members are using Cedar to build embedded and cloud products.
⚡ Amazon sees open source as part of a long-term strategy to foster adoption of Cedar and to catalyze an ecosystem. Anyone can propose an "RFC" for an enhancement to the Cedar policy language, which is reviewed by a technical committee of core contributors, and then prioritized. As Cedar develops, Amazon will review whether its current governance structure makes sense.
⚡ Developers are looking for new ideas to improve application authorization. Even though "authz" has been a challenge since the inception of software, it's still not "solved". What's clear now is that building your own authz service is not a good idea, and that externalizing policies is a good idea.
⚡ Amazon uses formal methods to help solve difficult design problems in critical systems. Authz was a good fit for this approach because "safety" is a key requirement to build trust with developers. AWS scientists and mathematicians provided evidence that Cedar was safe!