Wiki · Concept · Last reviewed June 25, 2026

Cedar Authorization Policy Language

Cedar is an authorization policy language and evaluation engine for expressing fine-grained permissions outside application code, with growing relevance for AI agents, tool access, and delegated action.

Definition

Cedar is a policy language for writing authorization rules and making authorization decisions from those rules. The official reference guide frames Cedar as a way to decide whether a principal may perform an action on a resource in a given context. Its GitHub repository describes the project as a Rust implementation with an authorization engine and a validator for checking policies against an application schema.

The important governance move is separation. Instead of embedding every permission rule in application code, Cedar lets teams write policies as separate documents that can be reviewed, tested, updated, analyzed, and audited. Amazon Verified Permissions is a managed service that uses Cedar policies, but Cedar itself is also open source.

For AI agents, Cedar is relevant because agent authority needs more than a prompt saying "only do safe things." A tool call, connector action, or delegated workflow should be checked against explicit policy.

Snapshot

Current Context

As of June 25, 2026, the Cedar reference guide identifies Version 4.5 as the current language reference. The Cedar GitHub organization describes Cedar as an open source policy language and evaluation engine for fine-grained permissions, while the main repository contains the Rust crates that implement the language.

Cedar is also tracked as a cloud-native open source project. CNCF's project page lists Cedar as accepted to the Cloud Native Computing Foundation on October 8, 2025 at the Sandbox maturity level. That status matters for source discipline: CNCF Sandbox status is a governance and ecosystem fact, not proof that every Cedar deployment is secure.

AWS continues to use Cedar in managed services. Amazon Verified Permissions uses the Cedar policy language engine for authorization decisions, but AWS documentation also warns that Verified Permissions and native Cedar can differ; as of May 2026, Verified Permissions had aligned with Cedar on multiple namespaces. Amazon Bedrock AgentCore Policy became generally available on March 3, 2026 and uses Cedar policies to control AgentCore Gateway tool access and input validation outside agent code.

For AI governance, AgentCore Policy is a current managed-product example: an agent may propose a tool call, but a gateway-side policy engine can intercept the request and evaluate it before the tool runs. The principle generalizes beyond AWS, but the implementation details do not. A self-hosted Cedar evaluator, Verified Permissions policy store, AgentCore policy engine, and another vendor's authorization layer have different logs, management APIs, failure modes, and trust boundaries.

How It Works

A Cedar authorization request is organized around four practical objects: principal, action, resource, and context. The principal is the authenticated actor or machine principal. The action is the operation being requested. The resource is the object being acted on. Context carries transient facts such as session details, network information, assurance state, workflow purpose, or other request-specific data.

Cedar policies use effects such as permit and forbid, a scope over principal, action, and resource, and optional when or unless conditions that inspect attributes. Cedar represents principals, actions, and resources as entities. Entities can have attributes and parent relationships, letting a system model groups, hierarchies, resource containers, and role-like patterns.

Schemas are a major safety feature. A schema defines the entity types, attributes, actions, and context shapes that an application expects. Cedar does not use the schema to evaluate a request; it uses the schema to validate policies before they are accepted. That validation can catch mismatched names, wrong attribute types, and policies that do not match the application's authorization model.

The application still supplies the facts. Cedar can evaluate only the policies, entities, and context it receives. If the application omits a user's group membership, passes stale resource attributes, hides the fact that a model is acting through a delegated workflow, or normalizes identifiers inconsistently, the Cedar decision can be formally evaluated and still be wrong for the real-world situation.

Decision Semantics

Cedar's authorization algorithm is intentionally conservative. If no permit policy satisfies the request, the decision is Deny. If a forbid policy satisfies the request, the decision is Deny even if another policy would permit the same request. This makes forbid policies useful as guardrails that broad permit policies cannot cross.

The less obvious rule is skip-on-error. If evaluating a policy produces an error, that policy is ignored for the purpose of the authorization decision and the error is reported in diagnostics. The official documentation frames this as avoiding a single broken policy taking down an otherwise working application. Governance teams should decide whether certain diagnostics must fail closed in their own control plane, especially for high-impact or agentic actions.

Cedar's safety story is therefore split. The language and implementation aim to evaluate Cedar semantics correctly; the application owner remains responsible for the authorization model, schema, policy review, context integrity, identifier stability, and response to diagnostics. The official security guidance says Cedar does not perform authentication, and that applications must authenticate users separately before authorizing their actions.

Agent Context

Agent systems often cross a dangerous boundary: a model interprets language, then software turns that interpretation into an external action. Cedar can sit at the policy decision point for that action. The agent may propose a tool call, but the application still asks an authorization engine whether this principal, acting through this agent, may perform this action on this resource under this context.

That pattern matters for Tool Use and Function Calling. A customer-support agent might summarize an account but not issue a refund. A coding agent might edit a branch but not merge to production. The policy should live in a reviewable rule layer, not only in natural-language instructions.

AgentCore Policy illustrates the same pattern in a managed product. AWS documentation describes Cedar policies for AgentCore Gateway tools, including conditions over OAuth-user tags and tool input parameters. That is useful because the amount, destination, account, branch, ticket, repository, or message body can become policy context rather than only model-readable text.

Cedar does not make an agent safe by itself. It does not judge whether the model understood the task, whether retrieved text was poisoned, whether a tool description was malicious, or whether a human approval was meaningful. It can enforce application-defined permissions once the request is represented in the policy model. That makes it a control point, not a complete agent-safety system.

Governance and Safety

The governance value of Cedar is policy legibility. It can help turn vague agent permissions into explicit rules that security, legal, product, and operations teams can inspect. The Cedar paper by Joseph W. Cutler and coauthors describes the language as expressive, fast, safe, and analyzable. Those are engineering properties, not deployment guarantees.

A governed agent stack should record the policy set, schema version, principal, agent identity, action, resource, context, decision, diagnostics, determining policies, approval event, and downstream side effect. If a policy is changed after an incident, the record should preserve the policy version that actually decided the action.

Natural-language policy authoring raises a separate review problem. AWS says AgentCore Policy can convert natural-language requirements into Cedar. That can help teams draft controls, but generated policy should be treated like generated code: review it against the schema, test allow and deny cases, inspect for broad scopes, and preserve the generated source and approving human.

The failure mode is policy theater. A beautiful policy language can still encode the wrong rule, omit the risky action, receive incomplete context, or sit behind an interface that lets the agent act before the check occurs. Cedar should be paired with AI Agent Observability, AI Audit Trails, AI Agent Sandboxing, OAuth Security Best Current Practice, and incident review.

Minimum Evidence Record

A Cedar-backed authorization claim is useful only if reviewers can reconstruct what was actually evaluated. For agent and tool governance, preserve at least:

Defense Pattern

Source Discipline

Claims about Cedar should cite the Cedar reference guide, the Cedar GitHub repository, AWS Verified Permissions documentation when discussing that service, AgentCore documentation when discussing agent-tool policy, CNCF pages when discussing project status, or the published Cedar papers when discussing design and analysis claims.

Do not collapse Cedar into all policy-as-code, AWS IAM, Rego, OpenFGA, XACML, or OAuth. Those systems may solve related authorization problems, but their policy languages, evaluation models, deployment assumptions, and audit surfaces differ. Cedar authorizes application requests; OAuth issues and protects delegated tokens; IAM governs AWS service permissions; sandboxing limits runtime blast radius.

For current product claims, preserve the source layer. "Cedar Version 4.5," "Cedar CNCF Sandbox," "Amazon Verified Permissions," and "Amazon Bedrock AgentCore Policy" are related but not interchangeable. A managed service can lag, extend, or restrict the native language, and a native Cedar claim may not describe what a hosted service exposes.

For AI-agent claims, require a concrete tool boundary. A claim that "Cedar governs the agent" should name the policy decision point, tool or gateway, request schema, principal, action, resource, context mapping, policy version, approval path, and logs. Otherwise the sentence may mean only that Cedar exists somewhere in the architecture diagram.

Spiralist Reading

Spiralism reads Cedar as a grammar for institutional permission. The agent may speak in fluid language, but the institution still needs a harder sentence: this actor may do this action to this object under these conditions.

That is not a mystical boundary. It is bureaucracy made executable. Done well, it keeps delegated machine action from borrowing every key in the room. Done badly, it becomes another dashboard that says "deny" after the real decision already happened elsewhere.

Open Questions

Sources


Return to Wiki