


# AWS::VerifiedPermissions::Policy
<a name="aws-resource-verifiedpermissions-policy"></a>

Creates or updates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.

You can directly update only static policies. To update a template-linked policy, you must update its linked policy template instead.
+ To create a static policy, in the `Definition` include a `Static` element that includes the Cedar policy text in the `Statement` element.
+ To create a policy that is dynamically linked to a policy template, in the `Definition` include a `TemplateLinked` element that specifies the policy template ID and the principal and resource to associate with this policy. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.

**Note**  
If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored.  
When you edit a static policy, you can change only certain elements:  
+ The action referenced by the policy.
+ A condition clause, such as `when` and `unless`.

You can't change these elements of a static policy:  
+ The policy type: you can't change a static policy to a template-linked policy.
+ The effect of a static policy (`permit` or `forbid`).
+ The principal referenced by a static policy.
+ The resource referenced by a static policy.

To update a template-linked policy, you must update the template instead.

## Syntax
<a name="aws-resource-verifiedpermissions-policy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-verifiedpermissions-policy-syntax.json"></a>

```
{
  "Type" : "AWS::VerifiedPermissions::Policy",
  "Properties" : {
      "Definition" : PolicyDefinition,
      "PolicyStoreId" : String
    }
}
```

### YAML
<a name="aws-resource-verifiedpermissions-policy-syntax.yaml"></a>

```
Type: AWS::VerifiedPermissions::Policy
Properties:
  Definition: 
    PolicyDefinition
  PolicyStoreId: String
```

## Properties
<a name="aws-resource-verifiedpermissions-policy-properties"></a>

`Definition`  <a name="cfn-verifiedpermissions-policy-definition"></a>
Specifies the policy type and content to use for the new or updated policy. The definition structure must include either a `Static` or a `TemplateLinked` element.  
*Required*: Yes  
*Type*: [PolicyDefinition](aws-properties-verifiedpermissions-policy-policydefinition.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyStoreId`  <a name="cfn-verifiedpermissions-policy-policystoreid"></a>
Specifies the `PolicyStoreId` of the policy store you want to store the policy in.  
To specify a policy store, use its ID or alias name. When using an alias name, prefix it with `policy-store-alias/`. For example:  
+ ID: `PSEXAMPLEabcdefg111111`
+ Alias name: `policy-store-alias/example-policy-store`
To view aliases, use [ListPolicyStoreAliases](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListPolicyStoreAliases.html).  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[a-zA-Z0-9-]*$`  
*Minimum*: `1`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-verifiedpermissions-policy-return-values"></a>

### Ref
<a name="aws-resource-verifiedpermissions-policy-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID of the new or updated policy. For example:

 `{ "Ref": "SPEXAMPLEabcdefg111111" }` 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-verifiedpermissions-policy-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-verifiedpermissions-policy-return-values-fn--getatt-fn--getatt"></a>

`PolicyId`  <a name="PolicyId-fn::getatt"></a>
The unique ID of the new or updated policy.

`PolicyType`  <a name="PolicyType-fn::getatt"></a>
The type of the policy. This is one of the following values:  
+ Static
+ TemplateLinked

## Examples
<a name="aws-resource-verifiedpermissions-policy--examples"></a>



**Topics**
+ [Creating a static policy](#aws-resource-verifiedpermissions-policy--examples--Creating_a_static_policy)
+ [Creating a template-linked policy](#aws-resource-verifiedpermissions-policy--examples--Creating_a_template-linked_policy)

### Creating a static policy
<a name="aws-resource-verifiedpermissions-policy--examples--Creating_a_static_policy"></a>

The following example creates a static policy in the specified policy store with the specified policy statement.

#### JSON
<a name="aws-resource-verifiedpermissions-policy--examples--Creating_a_static_policy--json"></a>

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS CloudFormation sample template for creating a static policy for Verified Permissions",
    "Parameters": {
        "PolicyStoreId": {
            "Type": "String"
        },
        "Description": {
            "Type": "String"
        },
        "Statement": {
            "Type": "String"
        }
    },
    "Resources": {
        "StaticPolicy": {
            "Type": "AWS::VerifiedPermissions::Policy",
            "Properties": {
                "PolicyStoreId": {
                    "Ref": "PolicyStoreId"
                },
                "Definition": {
                    "Static": {
                        "Description": {
                            "Ref": "Description"
                        },
                        "Statement": {
                            "Ref": "Statement"
                        }
                    }
                }
            }
        }
    },
    "Outputs": {
        "PolicyId": {
            "Value": {
                "Fn::GetAtt": [
                    "StaticPolicy",
                    "PolicyId"
                ]
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-verifiedpermissions-policy--examples--Creating_a_static_policy--yaml"></a>

```
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  AWS CloudFormation sample template for creating a static policy for Verified Permissions.
Parameters:
  PolicyStoreId:
    Type: String
  Description:
    Type: String
  Statement:
    Type: String
Resources:
  StaticPolicy:
    Type: AWS::VerifiedPermissions::Policy
    Properties:
      PolicyStoreId: !Ref PolicyStoreId
      Definition:
        Static:
          Description: !Ref Description
          Statement: !Ref Statement
Outputs:
  PolicyId:
    Value: !GetAtt StaticPolicy.PolicyId
```

### Creating a template-linked policy
<a name="aws-resource-verifiedpermissions-policy--examples--Creating_a_template-linked_policy"></a>

The following example creates a policy that is linked to the specified policy template. You must specify the type and ID for the placeholders in your template.

#### JSON
<a name="aws-resource-verifiedpermissions-policy--examples--Creating_a_template-linked_policy--json"></a>

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS CloudFormation sample template for creating a template-linked policy for Verified Permissions.",
    "Parameters": {
        "PolicyStoreId": {
            "Type": "String"
        },
        "PolicyTemplateId": {
            "Type": "String"
        },
        "PrincipalType": {
            "Type": "String"
        },
        "PrincipalId": {
            "Type": "String"
        },
        "ResourceType": {
            "Type": "String"
        },
        "ResourceId": {
            "Type": "String"
        }
    },
    "Resources": {
        "TemplateLinkedPolicy": {
            "Type": "AWS::VerifiedPermissions::Policy",
            "Properties": {
                "PolicyStoreId": {
                    "Ref": "PolicyStoreId"
                },
                "Definition": {
                    "TemplateLinked": {
                        "PolicyTemplateId": {
                            "Ref": "PolicyTemplateId"
                        },
                        "Principal": {
                            "EntityType": {
                                "Ref": "PrincipalType"
                            },
                            "EntityId": {
                                "Ref": "PrincipalId"
                            }
                        },
                        "Resource": {
                            "EntityType": {
                                "Ref": "ResourceType"
                            },
                            "EntityId": {
                                "Ref": "ResourceId"
                            }
                        }
                    }
                }
            }
        }
    },
    "Outputs": {
        "PolicyId": {
            "Value": {
                "Fn::GetAtt": [
                    "TemplateLinkedPolicy",
                    "PolicyId"
                ]
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-verifiedpermissions-policy--examples--Creating_a_template-linked_policy--yaml"></a>

```
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  AWS CloudFormation sample template for creating a template-linked policy for Verified Permissions.
Parameters:
  PolicyStoreId:
    Type: String
  PolicyTemplateId:
    Type: String
  PrincipalType:
    Type: String
  PrincipalId:
    Type: String
  ResourceType:
    Type: String
  ResourceId:
    Type: String
Resources:
  TemplateLinkedPolicy:
    Type: AWS::VerifiedPermissions::Policy
    Properties:
      PolicyStoreId: !Ref PolicyStoreId
      Definition:
        TemplateLinked:
          PolicyTemplateId: !Ref PolicyTemplateId
          Principal:
            EntityType: !Ref PrincipalType
            EntityId: !Ref PrincipalId
          Resource:
            EntityType: !Ref ResourceType
            EntityId: !Ref ResourceId
Outputs:
  PolicyId:
    Value: !GetAtt TemplateLinkedPolicy.PolicyId
```

# AWS::VerifiedPermissions::Policy EntityIdentifier
<a name="aws-properties-verifiedpermissions-policy-entityidentifier"></a>

Contains the identifier of an entity in a policy, including its ID and type.

## Syntax
<a name="aws-properties-verifiedpermissions-policy-entityidentifier-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-verifiedpermissions-policy-entityidentifier-syntax.json"></a>

```
{
  "EntityId" : String,
  "EntityType" : String
}
```

### YAML
<a name="aws-properties-verifiedpermissions-policy-entityidentifier-syntax.yaml"></a>

```
  EntityId: String
  EntityType: String
```

## Properties
<a name="aws-properties-verifiedpermissions-policy-entityidentifier-properties"></a>

`EntityId`  <a name="cfn-verifiedpermissions-policy-entityidentifier-entityid"></a>
The identifier of an entity.  
Example: `"entityId":"identifier"`  
*Required*: Yes  
*Type*: String  
*Pattern*: `^.*$`  
*Minimum*: `1`  
*Maximum*: `200`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EntityType`  <a name="cfn-verifiedpermissions-policy-entityidentifier-entitytype"></a>
The type of an entity.  
Example: `"entityType":"typeName"`  
*Required*: Yes  
*Type*: String  
*Pattern*: `^.*$`  
*Minimum*: `1`  
*Maximum*: `200`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::VerifiedPermissions::Policy PolicyDefinition
<a name="aws-properties-verifiedpermissions-policy-policydefinition"></a>

A structure that defines a Cedar policy. It includes the policy type, a description, and a policy body. This is a top-level data type used to create a policy.

This data type is used as a request parameter for the [CreatePolicy](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicy.html) operation. This structure must always have either a `Static` or a `TemplateLinked` element.

## Syntax
<a name="aws-properties-verifiedpermissions-policy-policydefinition-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-verifiedpermissions-policy-policydefinition-syntax.json"></a>

```
{
  "Static" : StaticPolicyDefinition,
  "TemplateLinked" : TemplateLinkedPolicyDefinition
}
```

### YAML
<a name="aws-properties-verifiedpermissions-policy-policydefinition-syntax.yaml"></a>

```
  Static: 
    StaticPolicyDefinition
  TemplateLinked: 
    TemplateLinkedPolicyDefinition
```

## Properties
<a name="aws-properties-verifiedpermissions-policy-policydefinition-properties"></a>

`Static`  <a name="cfn-verifiedpermissions-policy-policydefinition-static"></a>
A structure that describes a static policy. A static policy doesn't use a template or allow placeholders for entities.  
*Required*: No  
*Type*: [StaticPolicyDefinition](aws-properties-verifiedpermissions-policy-staticpolicydefinition.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TemplateLinked`  <a name="cfn-verifiedpermissions-policy-policydefinition-templatelinked"></a>
A structure that describes a policy that was instantiated from a template. The template can specify placeholders for `principal` and `resource`. When you use [CreatePolicy](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicy.html) to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy.  
*Required*: No  
*Type*: [TemplateLinkedPolicyDefinition](aws-properties-verifiedpermissions-policy-templatelinkedpolicydefinition.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::VerifiedPermissions::Policy StaticPolicyDefinition
<a name="aws-properties-verifiedpermissions-policy-staticpolicydefinition"></a>

A structure that defines a static policy.

## Syntax
<a name="aws-properties-verifiedpermissions-policy-staticpolicydefinition-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-verifiedpermissions-policy-staticpolicydefinition-syntax.json"></a>

```
{
  "Description" : String,
  "Statement" : String
}
```

### YAML
<a name="aws-properties-verifiedpermissions-policy-staticpolicydefinition-syntax.yaml"></a>

```
  Description: String
  Statement: String
```

## Properties
<a name="aws-properties-verifiedpermissions-policy-staticpolicydefinition-properties"></a>

`Description`  <a name="cfn-verifiedpermissions-policy-staticpolicydefinition-description"></a>
The description of the static policy.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `150`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Statement`  <a name="cfn-verifiedpermissions-policy-staticpolicydefinition-statement"></a>
The policy content of the static policy, written in the Cedar policy language.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `10000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::VerifiedPermissions::Policy TemplateLinkedPolicyDefinition
<a name="aws-properties-verifiedpermissions-policy-templatelinkedpolicydefinition"></a>

A structure that describes a policy created by instantiating a policy template.

**Note**  
You can't directly update a template-linked policy. You must update the associated policy template instead.

## Syntax
<a name="aws-properties-verifiedpermissions-policy-templatelinkedpolicydefinition-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-verifiedpermissions-policy-templatelinkedpolicydefinition-syntax.json"></a>

```
{
  "PolicyTemplateId" : String,
  "Principal" : EntityIdentifier,
  "Resource" : EntityIdentifier
}
```

### YAML
<a name="aws-properties-verifiedpermissions-policy-templatelinkedpolicydefinition-syntax.yaml"></a>

```
  PolicyTemplateId: String
  Principal: 
    EntityIdentifier
  Resource: 
    EntityIdentifier
```

## Properties
<a name="aws-properties-verifiedpermissions-policy-templatelinkedpolicydefinition-properties"></a>

`PolicyTemplateId`  <a name="cfn-verifiedpermissions-policy-templatelinkedpolicydefinition-policytemplateid"></a>
The unique identifier of the policy template used to create this policy.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[a-zA-Z0-9-]*$`  
*Minimum*: `1`  
*Maximum*: `200`  
*Update requires*: Updates are not supported.

`Principal`  <a name="cfn-verifiedpermissions-policy-templatelinkedpolicydefinition-principal"></a>
The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the `?principal` placeholder in the policy template when it evaluates an authorization request.  
*Required*: No  
*Type*: [EntityIdentifier](aws-properties-verifiedpermissions-policy-entityidentifier.md)  
*Update requires*: Updates are not supported.

`Resource`  <a name="cfn-verifiedpermissions-policy-templatelinkedpolicydefinition-resource"></a>
The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the `?resource` placeholder in the policy template when it evaluates an authorization request.  
*Required*: No  
*Type*: [EntityIdentifier](aws-properties-verifiedpermissions-policy-entityidentifier.md)  
*Update requires*: Updates are not supported.
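
The constraints documented above (exactly one of `Static` or `TemplateLinked` in `Definition`, the length limits, and the ID pattern) can be checked before a template is deployed. The following linter is an added example, not part of the AWS documentation: its function names and sample template are made up, and it assumes the ID pattern applies to the part of an alias name after `policy-store-alias/`. Values given as intrinsic functions such as `Ref` are skipped because they are known only at deploy time.

```python
import re

POLICY = "AWS::VerifiedPermissions::Policy"
ID_PATTERN = re.compile(r"^[a-zA-Z0-9-]*$")  # pattern documented for IDs
ALIAS_PREFIX = "policy-store-alias/"         # prefix documented for alias names

def check_str(errs, path, val, lo, hi, required=True):
    """Length-check a literal string; True only for a literal that is in range."""
    if isinstance(val, dict) or (val is None and not required):
        return False  # intrinsic such as {"Ref": ...}, or an absent optional value
    if not isinstance(val, str) or not lo <= len(val) <= hi:
        errs.append(f"{path}: must be a string of {lo}-{hi} characters")
        return False
    return True

def check_entity(errs, path, ent):
    if isinstance(ent, dict):  # Principal and Resource themselves are optional
        for key in ("EntityType", "EntityId"):
            check_str(errs, f"{path}.{key}", ent.get(key), 1, 200)

def lint_policy(name, props):
    """Return the violations found in one policy resource's Properties."""
    errs = []
    store = props.get("PolicyStoreId")
    if check_str(errs, f"{name}.PolicyStoreId", store, 1, 200):
        # Assumption: the ID pattern applies to the text after the alias prefix.
        bare = store[len(ALIAS_PREFIX):] if store.startswith(ALIAS_PREFIX) else store
        if not ID_PATTERN.fullmatch(bare):
            errs.append(f"{name}.PolicyStoreId: not an ID or alias name")
    definition = props.get("Definition") or {}
    kinds = [k for k in ("Static", "TemplateLinked") if k in definition]
    if len(kinds) != 1:
        return errs + [f"{name}.Definition: needs exactly one of Static, TemplateLinked"]
    path, body = f"{name}.Definition.{kinds[0]}", definition[kinds[0]]
    if kinds[0] == "Static":
        check_str(errs, f"{path}.Statement", body.get("Statement"), 1, 10000)
        check_str(errs, f"{path}.Description", body.get("Description"), 0, 150, False)
    else:
        tid = body.get("PolicyTemplateId")
        if check_str(errs, f"{path}.PolicyTemplateId", tid, 1, 200) and not ID_PATTERN.fullmatch(tid):
            errs.append(f"{path}.PolicyTemplateId: invalid characters")
        check_entity(errs, f"{path}.Principal", body.get("Principal"))
        check_entity(errs, f"{path}.Resource", body.get("Resource"))
    return errs

def lint_template(template):
    return [e for name, res in template.get("Resources", {}).items()
            if res.get("Type") == POLICY
            for e in lint_policy(name, res.get("Properties", {}))]

# Constructed sample template; every ID and name in it is made up.
SAMPLE = {"Resources": {
    "Good": {"Type": POLICY, "Properties": {
        "PolicyStoreId": "policy-store-alias/example-policy-store",
        "Definition": {"Static": {"Statement": {"Ref": "Statement"}}}}},
    "Bad": {"Type": POLICY, "Properties": {
        "PolicyStoreId": "PS_EXAMPLE/1",
        "Definition": {"TemplateLinked": {
            "PolicyTemplateId": {"Ref": "TemplateId"}, "Principal": {"EntityType": "User"},
            "Resource": {"EntityType": "Photo", "EntityId": ""}}}}},
}}

if __name__ == "__main__":
    print("\n".join(lint_template(SAMPLE)))
```

To lint a JSON template file, pass the result of `json.load` to `lint_template`; a YAML template needs a loader that understands the short-form intrinsic tags such as `!Ref`.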