Amazon Verified Permissions (AVP) in distributed systems


Hello, I am struggling to understand where to place AVP. The architecture of my system is composed of:

  • An HTTP API Gateway as ingress, proxying all the requests to an ECS app (APP1) responsible for authorization and authentication;
  • A bunch of microservices deployed on the same cluster;
  • The microservices are only accessible through APP1;
  • Authentication/authorization are performed on APP1, keeping the microservices agnostic to auth mechanisms.

So using AVP I can prevent unauthorized requests based on user role and permissions. APP1 can communicate with AVP for scenarios like:

  1. Can the user Bob see the list of orders?
  2. Can the user Bob create a new order?

But as soon as AVP needs to prevent BOB from accessing other users' orders, things get more complicated: APP1 only knows who the owner of the order is after the order-service (a container running inside ECS) returns the order or the list of orders.

So a hypothetical flow for getting an order and checking if BOB is the owner could be:

  • GET /orders/O-12345;
  • Check, using AVP, if BOB is authorized to retrieve orders;
  • Send a request to the order-service to get the order using the id O-12345 and the username BOB;
  • Check if the order returned from the order-service is compliant with the AVP policy "Users can only see their orders".

What do you think? Do you see any issue in the current flow? Do you think sending 2 requests to AVP is a good decision?

Thanks for your time, Francesco

1 Answer

Multiple authorization checks against Verified Permissions are a useful pattern. In this example, the first check on listing orders for a user might prevent an extra database call just to get order O-12345. It also creates separate policies, which can be easier to reason about and audit later without looking at the APP1 code.

Some questions you (and future readers) can ask yourselves:

  1. Does the BatchIsAuthorized API help here? Are both checks always made?
  2. Is there a concern about latency where a local cache could help? Would the Amazon Verified Permissions (AVP) Local Agent fit in your architecture?

I might challenge the "microservices agnostic to auth mechanisms" assumption, depending on other parts of the APP1 architecture. In a "zero trust" model, these microservices won't just trust an API call over the local network and will have some sort of auth. But if you are using mTLS, or minting your own tokens that your microservices can trust, this may be mitigated.

AWS
answered 2 months ago
Thanks for the answer.

Both requests are always sent when APP1 needs to check the ownership of a resource or a set of resources. Then, I believe that cache mechanisms can be used to reduce the number of interactions with AVP, as mentioned in the re:Invent video https://www.youtube.com/watch?v=ptzb-oBwjxM. Latency is very important, but since the app will be a SaaS, data security has a higher priority. AVP is not the cheapest service among AWS services, but with the right optimisations and proper usage it can solve very complex problems.

I will have a look at the AVP Local Agent. Thanks for the suggestion.
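As an added illustration of the two-check flow from the question and the answer's point about keeping the ownership rule as a separate policy, here is an APP1-style handler (example code, not from AWS, AVP or the poster). Request and response shapes mimic the `is_authorized` call of the boto3 `verifiedpermissions` client; `avp_stub_is_authorized`, `GROUPS` and `ORDERS` are constructed stand-ins so it runs offline with no policy store.

```python
# Constructed data: group membership (as APP1 would read it from the token) and order-service records.
GROUPS = {"Bob": ["Customer"], "Alice": ["Customer"], "Eve": []}
ORDERS = {"O-12345": {"owner": "Bob", "total": 42},
          "O-99999": {"owner": "Alice", "total": 7}}

def avp_stub_is_authorized(principal, action, resource, entities):
    """Local stand-in for AVP IsAuthorized. Evaluates two policies:
    (1) members of UserGroup::"Customer" may ListOrders / GetOrder;
    (2) GetOrder is allowed only when resource.owner == principal."""
    by_id = {(e["identifier"]["entityTypeId"], e["identifier"]["entityId"]): e for e in entities}
    user = by_id.get((principal["entityTypeId"], principal["entityId"]), {})
    parents = {(p["entityTypeId"], p["entityId"]) for p in user.get("parents", [])}
    if ("UserGroup", "Customer") not in parents:
        return {"decision": "DENY"}
    if action["actionId"] == "GetOrder":
        order = by_id.get((resource["entityTypeId"], resource["entityId"]), {})
        owner = order.get("attributes", {}).get("owner", {}).get("entityIdentifier")
        if owner != principal:          # the ownership rule lives in policy, not in APP1 code
            return {"decision": "DENY"}
    return {"decision": "ALLOW"}

def get_order(username, order_id, is_authorized=avp_stub_is_authorized):
    """APP1 handler for GET /orders/{id}. Returns (order or None, number of AVP calls made)."""
    principal = {"entityTypeId": "User", "entityId": username}
    user_entity = {"identifier": principal,
                   "parents": [{"entityTypeId": "UserGroup", "entityId": g}
                               for g in GROUPS.get(username, [])]}
    # Check 1, before calling order-service: may this user read orders at all?
    first = is_authorized(principal, {"actionType": "Action", "actionId": "ListOrders"},
                          {"entityTypeId": "Application", "entityId": "order-service"},
                          [user_entity])
    if first["decision"] != "ALLOW":
        return None, 1                  # denied callers never cost a database round trip
    order = ORDERS.get(order_id)        # stands in for the request to order-service
    if order is None:
        return None, 1
    # Check 2, after the fetch: hand the owner to AVP as an entity attribute so the
    # "users can only see their own orders" policy is decided there, not by APP1.
    order_entity = {"identifier": {"entityTypeId": "Order", "entityId": order_id},
                    "attributes": {"owner": {"entityIdentifier":
                                             {"entityTypeId": "User", "entityId": order["owner"]}}}}
    second = is_authorized(principal, {"actionType": "Action", "actionId": "GetOrder"},
                           order_entity["identifier"], [user_entity, order_entity])
    return (order if second["decision"] == "ALLOW" else None), 2
```

Swapping `avp_stub_is_authorized` for a thin wrapper around the real client keeps the handler unchanged, which is what makes the two policies auditable independently of APP1.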
