AWS verifiedpermissions medium security documentation change
Summary
Restructured context attributes, schema definitions, and policy examples, including reordering MFA checks and enforcing required fields in the schema.
Security assessment
The schema now enforces 'MfaAuthorized' as a required Boolean field, which directly relates to enforcing Multi-Factor Authentication (MFA) in authorization policies. This strengthens security by ensuring MFA checks are mandatory in policy evaluations.
Diff
diff --git a/verifiedpermissions/latest/userguide/context.md b/verifiedpermissions/latest/userguide/context.md index cb5be4237..4e3a4249c 100644 --- a//verifiedpermissions/latest/userguide/context.md +++ b//verifiedpermissions/latest/userguide/context.md @@ -18,3 +17,0 @@ The following context object declares one of each Cedar data type for an applica - "MfaAuthorized": { - "boolean": true - }, @@ -34,2 +31,5 @@ The following context object declares one of each Cedar data type for an applica - "UserAgent": { - "string": "My UserAgent 1.12" + "approvedBy": { + "entityIdentifier": { + "entityId": "Bob", + "entityType": "DigitalPetStore::User" + } @@ -37,2 +37,2 @@ The following context object declares one of each Cedar data type for an applica - "RequestedOrderCount": { - "long": 4 + "MfaAuthorized": { + "boolean": true @@ -53,5 +53,5 @@ The following context object declares one of each Cedar data type for an applica - "approvedBy": { - "entityIdentifier": { - "entityId": "Bob", - "entityType": "DigitalPetStore::User" - } + "RequestedOrderCount": { + "long": 4 + }, + "UserAgent": { + "string": "My UserAgent 1.12" @@ -115 +115,2 @@ Apply the following updates to your policy store schema to support the new conte - "UserAgent": { + "AccountCodes": { + "type": "Set", @@ -117 +118,3 @@ Apply the following updates to your policy store schema to support the new conte - "type": "String" + "element": { + "type": "Long" + } @@ -124,6 +127,7 @@ Apply the following updates to your policy store schema to support the new conte - "AccountCodes": { - "type": "Set", - "required": true, - "element": { - "type": "Long" - } + "MfaAuthorized": { + "type": "Boolean", + "required": true + }, + "NetworkInfo": { + "type": "NetworkInfo", + "required": true @@ -135,3 +139,3 @@ Apply the following updates to your policy store schema to support the new conte - "MfaAuthorized": { - "type": "Boolean", - "required": true + "UserAgent": { + "required": true, + "type": "String" @@ -147,5 +151 @@ Apply the following updates to your policy store schema to support the new conte -To reference the `record` data type named `NetworkInfo` in your request context, create a [commonType](https://docs.cedarpolicy.com/schema/schema.html#schema-commonTypes) construct in your schema as follows. A `commonType` construct is a shared set of attributes that you can apply to different entities. - -###### Note - -The Verified Permissions visual schema editor currently doesn't support `commonType` constructs. When you add them to your schema, you can no longer view your schema in **Visual mode**. +To reference the `record` data type named `NetworkInfo` in your request context, create a [commonType](https://docs.cedarpolicy.com/schema/schema.html#schema-commonTypes) construct in your schema by adding the following to your schema before `actions`. A `commonType` construct is a shared set of attributes that you can apply to different entities. @@ -172 +172 @@ The Verified Permissions visual schema editor currently doesn't support `commonT - } + }, @@ -186,3 +185,0 @@ The following policy sets up conditions that must be fulfilled by each of the pr - context.MfaAuthorized == true && - context.UserAgent like "*My UserAgent*" && - context.RequestedOrderCount <= 4 && @@ -189,0 +187,2 @@ The following policy sets up conditions that must be fulfilled by each of the pr + context.approvedBy in DigitalPetStore::Role::"Employee" && + context.MfaAuthorized == true && @@ -191 +189,0 @@ The following policy sets up conditions that must be fulfilled by each of the pr - context.NetworkInfo.SSL == true && @@ -193 +191,3 @@ The following policy sets up conditions that must be fulfilled by each of the pr - context.approvedBy in DigitalPetStore::Role::"Employee" + context.NetworkInfo.SSL == true && + context.RequestedOrderCount <= 4 && + context.UserAgent like "*My UserAgent*" @@ -234,9 +233,0 @@ After you configure your policy store with the appropriate schema and policy, yo - "MfaAuthorized": { - "boolean": true - }, - "UserAgent": { - "string": "My UserAgent 1.12" - }, - "RequestedOrderCount":{ - "long": 4 - }, @@ -249,0 +241,9 @@ After you configure your policy store with the appropriate schema and policy, yo + "approvedBy": { + "entityIdentifier": { + "entityId": "Bob", + "entityType": "DigitalPetStore::User" + } + }, + "MfaAuthorized": { + "boolean": true + }, @@ -252 +251,0 @@ After you configure your policy store with the appropriate schema and policy, yo - "IPAddress": {"string": "192.0.2.178"}, @@ -253,0 +253 @@ After you configure your policy store with the appropriate schema and policy, yo + "IPAddress": {"string": "192.0.2.178"}, @@ -257,5 +257,5 @@ After you configure your policy store with the appropriate schema and policy, yo - "approvedBy": { - "entityIdentifier": { - "entityId": "Bob", - "entityType": "DigitalPetStore::User" - } + "RequestedOrderCount":{ + "long": 4 + }, + "UserAgent": { + "string": "My UserAgent 1.12"