AWS Security ChangesHomeSearch

AWS verifiedpermissions medium security documentation change

Service: verifiedpermissions · 2025-06-22 · Security-related medium

File: verifiedpermissions/latest/userguide/context.md

Summary

Restructured context attributes, schema definitions, and policy examples, including reordering MFA checks and enforcing required fields in the schema.

Security assessment

The schema now enforces 'MfaAuthorized' as a required Boolean field, which directly relates to enforcing Multi-Factor Authentication (MFA) in authorization policies. This strengthens security by ensuring MFA checks are mandatory in policy evaluations.

Diff

diff --git a/verifiedpermissions/latest/userguide/context.md b/verifiedpermissions/latest/userguide/context.md
index cb5be4237..4e3a4249c 100644
--- a//verifiedpermissions/latest/userguide/context.md
+++ b//verifiedpermissions/latest/userguide/context.md
@@ -18,3 +17,0 @@ The following context object declares one of each Cedar data type for an applica
-          "MfaAuthorized": {
-             "boolean": true
-          },
@@ -34,2 +31,5 @@ The following context object declares one of each Cedar data type for an applica
-          "UserAgent": {
-             "string": "My UserAgent 1.12"
+        "approvedBy": {
+        "entityIdentifier": {
+          "entityId": "Bob",
+          "entityType": "DigitalPetStore::User"
+        }
@@ -37,2 +37,2 @@ The following context object declares one of each Cedar data type for an applica
-          "RequestedOrderCount": {
-             "long": 4
+        "MfaAuthorized": {
+          "boolean": true
@@ -53,5 +53,5 @@ The following context object declares one of each Cedar data type for an applica
-          "approvedBy": {
-             "entityIdentifier": {
-                "entityId": "Bob",
-                "entityType": "DigitalPetStore::User"
-             }
+        "RequestedOrderCount": {
+          "long": 4
+        },
+        "UserAgent": {
+          "string": "My UserAgent 1.12"
@@ -115 +115,2 @@ Apply the following updates to your policy store schema to support the new conte
-                "UserAgent": {
+            "AccountCodes": {
+              "type": "Set",
@@ -117 +118,3 @@ Apply the following updates to your policy store schema to support the new conte
-                   "type": "String"
+              "element": {
+                "type": "Long"
+              }
@@ -124,6 +127,7 @@ Apply the following updates to your policy store schema to support the new conte
-                "AccountCodes": {
-                   "type": "Set",
-                   "required": true,
-                   "element": {
-                      "type": "Long"
-                   }
+            "MfaAuthorized": {
+              "type": "Boolean",
+              "required": true
+            },
+            "NetworkInfo": {
+              "type": "NetworkInfo",
+              "required": true
@@ -135,3 +139,3 @@ Apply the following updates to your policy store schema to support the new conte
-                "MfaAuthorized": {
-                   "type": "Boolean",
-                   "required": true
+            "UserAgent": {
+              "required": true,
+              "type": "String"
@@ -147,5 +151 @@ Apply the following updates to your policy store schema to support the new conte
-To reference the `record` data type named `NetworkInfo` in your request context, create a [commonType](https://docs.cedarpolicy.com/schema/schema.html#schema-commonTypes) construct in your schema as follows. A `commonType` construct is a shared set of attributes that you can apply to different entities.
-
-###### Note
-
-The Verified Permissions visual schema editor currently doesn't support `commonType` constructs. When you add them to your schema, you can no longer view your schema in **Visual mode**.
+To reference the `record` data type named `NetworkInfo` in your request context, create a [commonType](https://docs.cedarpolicy.com/schema/schema.html#schema-commonTypes) construct in your schema by adding the following to your schema before `actions`. A `commonType` construct is a shared set of attributes that you can apply to different entities.
@@ -172 +172 @@ The Verified Permissions visual schema editor currently doesn't support `commonT
-    }
+    },
@@ -186,3 +185,0 @@ The following policy sets up conditions that must be fulfilled by each of the pr
-        context.MfaAuthorized == true &&
-        context.UserAgent like "*My UserAgent*" &&
-        context.RequestedOrderCount <= 4 &&
@@ -189,0 +187,2 @@ The following policy sets up conditions that must be fulfilled by each of the pr
+        context.approvedBy in DigitalPetStore::Role::"Employee" &&
+        context.MfaAuthorized == true &&
@@ -191 +189,0 @@ The following policy sets up conditions that must be fulfilled by each of the pr
-        context.NetworkInfo.SSL == true &&
@@ -193 +191,3 @@ The following policy sets up conditions that must be fulfilled by each of the pr
-        context.approvedBy in DigitalPetStore::Role::"Employee"
+        context.NetworkInfo.SSL == true &&
+        context.RequestedOrderCount <= 4 &&
+        context.UserAgent like "*My UserAgent*"
@@ -234,9 +233,0 @@ After you configure your policy store with the appropriate schema and policy, yo
-          "MfaAuthorized": {
-           "boolean": true
-          },
-          "UserAgent": {
-           "string": "My UserAgent 1.12"
-          },
-          "RequestedOrderCount":{
-           "long": 4
-          },
@@ -249,0 +241,9 @@ After you configure your policy store with the appropriate schema and policy, yo
+          "approvedBy": {
+            "entityIdentifier": {
+              "entityId": "Bob",
+              "entityType": "DigitalPetStore::User"
+            }
+          },
+          "MfaAuthorized": {
+            "boolean": true
+          },
@@ -252 +251,0 @@ After you configure your policy store with the appropriate schema and policy, yo
-              "IPAddress": {"string": "192.0.2.178"},
@@ -253,0 +253 @@ After you configure your policy store with the appropriate schema and policy, yo
+              "IPAddress": {"string": "192.0.2.178"},
@@ -257,5 +257,5 @@ After you configure your policy store with the appropriate schema and policy, yo
-          "approvedBy": {
-            "entityIdentifier": {
-             "entityId": "Bob",
-             "entityType": "DigitalPetStore::User"
-            }
+          "RequestedOrderCount":{
+            "long": 4
+          },
+          "UserAgent": {
+            "string": "My UserAgent 1.12"