Episode 135 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Cedar Analysis Toolkit
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Spencer Erickson, AWS Senior Product Manager Technical
- Guest: Liana Hadarean, AWS Principal Applied Scientist
Description
Dive into Cedar Analysis, AWS’s new open-source toolkit designed to give developers rigorous insight into their Cedar authorization policies. Learn how the Cedar Symbolic Compiler translates your policies into SMT-friendly mathematical formulas with formal soundness and completeness guarantees, thanks to Lean-based proofs. Discover how the Cedar Analysis CLI can automatically compare policy sets, detect unintended permission changes, uncover conflicts, and spot redundancies.
Homework
- Introducing Cedar Analysis: Open Source Tools for Verifying Authorization Policies
- Emina Torlak's presentation at AWS re:Invent: The Science behind the Cedar Policy Engine Design (23 min video)
- AWS re:Inforce 2025 - How MongoDB uses Cedar policy language for fine-grained authorization
- Amazon Science article (background): A gentle introduction to automated reasoning
Takeaways
- ⚡ The Cedar analysis toolkit can help provide guardrails around AI-generated policies. Do the policies make sense? For example, is there an action that is never allowed?
- ⚡ Developers think of security tests, but unfortunately not always enough of them. A more algorithmic approach to policy analysis builds more confidence in the security properties of a system, which means less risk.
- ⚡ Automated analysis can save auditors a lot of time. The alternative to automated policy analysis is diving into the code, looking at screenshots, and many other manual tasks that tend to yield a less certain result.
- ⚡ There is still a lot of room for improvement. Most IT departments will need even better tools to get the most out of this technology. Some of these tools may work in the background, for example helping coding agents identify problematic policies before they are even presented as results.