Welcome back to my series on AWS Verified Permissions (AVP)! In the previous blogpost, we delved into the concept of Policy Templates and how they can simplify policy management in your applications. Today, we're going to discuss two important aspects of any enterprise-grade authorization system: auditing and pricing.
In any enterprise-grade system, auditing is a crucial component. It allows you to track and record every action taken within your system, providing a clear and transparent record of who did what and when. This is not only important for security and compliance purposes, but also for troubleshooting and understanding user behavior.
With AVP, you can leverage AWS CloudTrail to audit your authorization system. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
When integrated with AVP, CloudTrail can record all API calls made by or on behalf of AVP in your AWS account. This includes calls made by the AVP console and code calls to the AVP APIs. By using CloudTrail, you can log, continuously monitor, and retain information about these API calls for a period of time defined by your organization's requirements.
Let's see how we can set up auditing for our AVP usage:
First, we need to ensure that AWS CloudTrail is enabled in our AWS account. You can do this by navigating to the CloudTrail console and following the prompts to create a new trail.
Once CloudTrail is enabled, it will automatically record all API calls made by AVP. These logs are stored in an Amazon S3 bucket specified during the setup of CloudTrail.
To view the logs, navigate to the CloudTrail Dashboard (it displays an overview of your trails and recent events). Navigate to Event history to see the most recent events in AWS account.
- Open one of these events to view the details of the API calls. You'll see information such as the identity of the caller, the time of the call, the source IP address of the call, the request parameters, and the response elements returned by the AVP service.
- You can also use CloudTrail to set up alarms and notifications (CloudWatch) for specific API activities. This can be useful for monitoring specific actions or detecting unusual activity in your AVP usage.
Feel free to generate some activity in AVP and see how it appears in our CloudTrail logs. You can use AVP CLI tool to create a policy store, add a schema, and create a policy. After running these commands, you can check our CloudTrail logs to see the recorded API calls.
By auditing your AVP usage with CloudTrail, you can maintain a comprehensive record of all authorization activity in your application. This can help you meet compliance requirements, detect security incidents, and gain insights into user behavior.
Feel free to read more about AVP with CloudTrail here.
Understanding the cost of using a service like AVP is crucial for planning and budgeting your application's infrastructure. AVP pricing is based on the number of authorization requests and policy management actions your application performs each month. Let's break down these costs:
Authorization Requests: These are calls to the
isAuthorized API operation. The cost depends on the number of requests, with the first 40 million requests per month costing $150 per million requests, the next 60 million requests costing $75 per million requests, and any additional requests costing $40 per million requests.
Policy Management Actions: These are calls to API operations that manage policies, such as
ListPolicyTemplates. These actions cost $40 per million requests, regardless of the number of requests.
Now, let's consider two examples to understand how these costs might add up in real-world scenarios:
Example 1: Small Application
Suppose you have a small application with 10,000 active users, each of whom makes 3 authorization requests per day. This adds up to 30,000 authorization requests per day, or 900,000 requests per month. In addition, let's say you perform 10,000 policy management actions per month. Your charges would be calculated as follows:
- Authorization Requests: 900,000 requests * $150 / 1,000,000 = $135
- Policy Management Actions: 10,000 requests * $40 / 1,000,000 = $0.4
Total Charges: $135.4/month
Example 2: Large Application
Now, let's consider a larger application with 1 million active users, each of whom makes 2 authorization requests per day. This adds up to 2 million authorization requests per day, or 60 million requests per month. In addition, let's say you perform 1 million policy management actions per month. Your charges would be calculated as follows:
- First 40 million Authorization Requests: 40 million requests * $150 / 1,000,000 = $6,000
- Next 20 million Authorization Requests: 20 million requests * $75 / 1,000,000 = $1,500
- Policy Management Actions: 1 million requests * $40 / 1,000,000 = $40
Total Charges: $7,540/month
The cost of using AVP can vary significantly depending on the scale of your application and the number of authorization requests and policy management actions you perform. It's important to consider these costs when planning your application's architecture and budget.
However, it's also crucial to consider the alternative: building your own authorization system from scratch. This approach can be time-consuming and challenging, especially if your team is not familiar with Rust, the language in which Cedar is written. The development costs can also be high, as you'll need to invest significant resources into creating, testing, and maintaining your own system.
Moreover, if you choose not to use AVP, you'll miss out on several key features. AVP provides a policy store, a test bench, configuration with identity sources, and auditing with AWS CloudTrail. If you build your own system using the Cedar engine, you'll only have the authorization decision functionality, and you'll need to implement these other features yourself.
In contrast, using a managed service like AVP can save you a lot of time and effort. AVP is ready to use right out of the box, and it's designed to scale with your application as it grows. Plus, because AVP uses Cedar as its policy language, you have the flexibility to switch to a self-hosted Cedar system in the future if AVP becomes too costly.
There's been a lot of discussion within the community about the pricing of AVP. Some developers are concerned about the potential costs of using a managed service, especially for larger applications. However, it's important to remember that building and maintaining your own authorization system also has costs, both in terms of time and money.
When you're considering whether to use AVP, think about the resources you have available and the needs of your application. If you have a small team or a tight budget, using AVP could be a more cost-effective option than building your own system. If you have a larger team and more resources, you might prefer the flexibility and control of a self-hosted system.
In the end, the best choice depends on your specific circumstances. But no matter which option you choose, using a policy language like Cedar can help you implement fine-grained, attribute-based access control in a secure and efficient way.
In the next blogpost, we'll continue exploring advanced features of AVP. We'll delve into another critical aspect of application security: identity management. We'll explore how to integrate AVP with AWS Cognito.