This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # Amazon Verified Permissions Amazon Verified Permissions is a permissions management service from AWS. You can use Verified Permissions to manage permissions for your application, and authorize user access based on those permissions. Using Verified Permissions, application developers can grant access based on information about the users, resources, and requested actions. You can also evaluate additional information like group membership, attributes of the resources, and session context, such as time of request and IP addresses. Verified Permissions manages these permissions by letting you create and store authorization policies for your applications, such as consumer-facing web sites and enterprise business systems. Verified Permissions uses Cedar as the policy language to express your permission requirements. Cedar supports both role-based access control (RBAC) and attribute-based access control (ABAC) authorization models. For more information about configuring, administering, and using Amazon Verified Permissions in your applications, see the [Amazon Verified Permissions User Guide](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide). For more information about the Cedar policy language, see the [Cedar Language Reference Guide](https://docs.cedarpolicy.com). **Important** When you write Cedar policies that reference principals, resources and actions, you can define the unique identifiers used for each of those elements. We strongly recommend that you follow these best practices: **Use values like universally unique identifiers (UUIDs) for all principal and resource identifiers.** For example, if user `jane` leaves the company, and you later let someone else use the name `jane`, then that new user automatically gets access to everything granted by policies that still reference `User::"jane"`. Cedar can't distinguish between the new user and the old. This applies to both principal and resource identifiers. Always use identifiers that are guaranteed unique and never reused to ensure that you don't unintentionally grant access because of the presence of an old identifier in a policy. Where you use a UUID for an entity, we recommend that you follow it with the // comment specifier and the 'friendly' name of your entity. This helps to make your policies easier to understand. For example: `principal == User::"a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111", // alice` **Do not include personally identifying, confidential, or sensitive information as part of the unique identifier for your principals or resources.** These identifiers are included in log entries shared in AWS CloudTrail trails. **Resource types** + [AWS::VerifiedPermissions::IdentitySource](aws-resource-verifiedpermissions-identitysource.md) + [AWS::VerifiedPermissions::Policy](aws-resource-verifiedpermissions-policy.md) + [AWS::VerifiedPermissions::PolicyStore](aws-resource-verifiedpermissions-policystore.md) + [AWS::VerifiedPermissions::PolicyTemplate](aws-resource-verifiedpermissions-policytemplate.md) # AWS::VerifiedPermissions::IdentitySource Creates or updates a reference to Amazon Cognito as an external identity provider. If you are creating a new identity source, then you must specify a `Configuration`. If you are updating an existing identity source, then you must specify an `UpdateConfiguration`. After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the [IsAuthorizedWithToken](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_IsAuthorizedWithToken.html) operation. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Amazon Cognito provides both identity tokens and access tokens, and Verified Permissions can use either or both. Any combination of identity and access tokens results in the same Cedar principal. Verified Permissions automatically translates the information about the identities into the standard Cedar attributes that can be evaluated by your policies. Because the Amazon Cognito identity and access tokens can contain different information, the tokens you choose to use determine the attributes that are available to access in the Cedar principal from your policies. Amazon Cognito Identity is not available in all of the same AWS Regions as Amazon Verified Permissions. Because of this, the `AWS::VerifiedPermissions::IdentitySource` type is not available to create from CloudFormation in Regions where Amazon Cognito Identity is not currently available. Users can still create `AWS::VerifiedPermissions::IdentitySource` in those Regions, but only from the AWS CLI, Amazon Verified Permissions SDK, or from the AWS console. **Note** To reference a user from this identity source in your Cedar policies, use the following syntax. *IdentityType::"\$1* Where `IdentityType` is the string that you provide to the `PrincipalEntityType` parameter for this operation. The `CognitoUserPoolId` and `CognitoClientId` are defined by the Amazon Cognito user pool. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::VerifiedPermissions::IdentitySource", "Properties" : { "[Configuration](#cfn-verifiedpermissions-identitysource-configuration)" : IdentitySourceConfiguration, "[PolicyStoreId](#cfn-verifiedpermissions-identitysource-policystoreid)" : String, "[PrincipalEntityType](#cfn-verifiedpermissions-identitysource-principalentitytype)" : String } } ``` ### YAML ``` Type: AWS::VerifiedPermissions::IdentitySource Properties: [Configuration](#cfn-verifiedpermissions-identitysource-configuration): IdentitySourceConfiguration [PolicyStoreId](#cfn-verifiedpermissions-identitysource-policystoreid): String [PrincipalEntityType](#cfn-verifiedpermissions-identitysource-principalentitytype): String ``` ## Properties `Configuration` Contains configuration information used when creating a new identity source. *Required*: Yes *Type*: [IdentitySourceConfiguration](aws-properties-verifiedpermissions-identitysource-identitysourceconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PolicyStoreId` Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source. To specify a policy store, use its ID or alias name. When using an alias name, prefix it with `policy-store-alias/`. For example: + ID: `PSEXAMPLEabcdefg111111` + Alias name: `policy-store-alias/example-policy-store` To view aliases, use [ListPolicyStoreAliases](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListPolicyStoreAliases.html). *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9-]*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `PrincipalEntityType` Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source. *Required*: No *Type*: String *Pattern*: `^.*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique id of the new identity source. For example: `{ "Ref": "ISEXAMPLEabcdefg111111" }` For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `IdentitySourceId` The unique ID of the new or updated identity store. ## Examples ### Creating an identity source for a Amazon Cognito user pool The following example creates an identity source in the specified policy store that points to a Amazon Cognito user pool using the specified client ID. The new identity source returns objects of the specified data type. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation sample template for creating an identity source for Verified Permissions.", "Parameters": { "PolicyStoreId": { "Type": "String" }, "UserPoolArn": { "Type": "String" }, "ClientIds": { "Type": "List" }, "PrincipalEntityType": { "Type": "String" } }, "Resources": { "IdentitySource": { "Type": "AWS::VerifiedPermissions::IdentitySource", "Properties": { "PolicyStoreId": { "Ref": "PolicyStoreId" }, "Configuration": { "CognitoUserPoolConfiguration": { "UserPoolArn": { "Ref": "UserPoolArn" }, "ClientIds": { "Ref": "ClientIds" } } }, "PrincipalEntityType": { "Ref": "PrincipalEntityType" } } } }, "Outputs": { "IdentitySourceId": { "Value": { "Fn::GetAtt": [ "IdentitySource", "IdentitySourceId" ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: >- Description": "AWS CloudFormation sample template for creating an identity source for Verified Permissions Parameters: PolicyStoreId: Type: String UserPoolArn: Type: String ClientIds: Type: List PrincipalEntityType: Type: String Resources: IdentitySource: Type: AWS::VerifiedPermissions::IdentitySource Properties: PolicyStoreId: !Ref PolicyStoreId Configuration: CognitoUserPoolConfiguration: UserPoolArn: !Ref UserPoolArn ClientIds: !Ref ClientIds PrincipalEntityType: !Ref PrincipalEntityType Outputs: IdentitySourceId: Value: !GetAtt IdentitySource.IdentitySourceId ``` # AWS::VerifiedPermissions::IdentitySource CognitoGroupConfiguration The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[GroupEntityType](#cfn-verifiedpermissions-identitysource-cognitogroupconfiguration-groupentitytype)" : String } ``` ### YAML ``` [GroupEntityType](#cfn-verifiedpermissions-identitysource-cognitogroupconfiguration-groupentitytype): String ``` ## Properties `GroupEntityType` The name of the schema entity type that's mapped to the user pool group. Defaults to `AWS::CognitoGroup`. *Required*: Yes *Type*: String *Pattern*: `^([_a-zA-Z][_a-zA-Z0-9]*::)*[_a-zA-Z][_a-zA-Z0-9]*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource CognitoUserPoolConfiguration A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ClientIds](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-clientids)" : [ String, ... ], "[GroupConfiguration](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-groupconfiguration)" : CognitoGroupConfiguration, "[UserPoolArn](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-userpoolarn)" : String } ``` ### YAML ``` [ClientIds](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-clientids): - String [GroupConfiguration](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-groupconfiguration): CognitoGroupConfiguration [UserPoolArn](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-userpoolarn): String ``` ## Properties `ClientIds` The unique application client IDs that are associated with the specified Amazon Cognito user pool. Example: `"ClientIds": ["&ExampleCogClientId;"]` *Required*: No *Type*: Array of String *Minimum*: `1 | 0` *Maximum*: `255 | 1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GroupConfiguration` The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source. *Required*: No *Type*: [CognitoGroupConfiguration](aws-properties-verifiedpermissions-identitysource-cognitogroupconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `UserPoolArn` The [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) of the Amazon Cognito user pool that contains the identities to be authorized. *Required*: Yes *Type*: String *Pattern*: `^arn:[a-zA-Z0-9-]+:cognito-idp:(([a-zA-Z0-9-]+:\d{12}:userpool/[\w-]+_[0-9a-zA-Z]+))$` *Minimum*: `1` *Maximum*: `255` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource IdentitySourceConfiguration A structure that contains configuration information used when creating or updating a new identity source. **Note** At this time, the only valid member of this structure is a Amazon Cognito user pool configuration. You must specify a `userPoolArn`, and optionally, a `ClientId`. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CognitoUserPoolConfiguration](#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-cognitouserpoolconfiguration)" : CognitoUserPoolConfiguration, "[OpenIdConnectConfiguration](#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-openidconnectconfiguration)" : OpenIdConnectConfiguration } ``` ### YAML ``` [CognitoUserPoolConfiguration](#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-cognitouserpoolconfiguration): CognitoUserPoolConfiguration [OpenIdConnectConfiguration](#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-openidconnectconfiguration): OpenIdConnectConfiguration ``` ## Properties `CognitoUserPoolConfiguration` A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions. *Required*: No *Type*: [CognitoUserPoolConfiguration](aws-properties-verifiedpermissions-identitysource-cognitouserpoolconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OpenIdConnectConfiguration` Property description not available. *Required*: No *Type*: [OpenIdConnectConfiguration](aws-properties-verifiedpermissions-identitysource-openidconnectconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectAccessTokenConfiguration The configuration of an OpenID Connect (OIDC) identity source for handling access token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept. This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Audiences](#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-audiences)" : [ String, ... ], "[PrincipalIdClaim](#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-principalidclaim)" : String } ``` ### YAML ``` [Audiences](#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-audiences): - String [PrincipalIdClaim](#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-principalidclaim): String ``` ## Properties `Audiences` The access token `aud` claim values that you want to accept in your policy store. For example, `https://myapp.example.com, https://myapp2.example.com`. *Required*: No *Type*: Array of String *Minimum*: `1 | 1` *Maximum*: `255 | 255` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PrincipalIdClaim` The claim that determines the principal in OIDC access tokens. For example, `sub`. *Required*: No *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectConfiguration Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details. This data type is part of a [Configuration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html) structure, which is a parameter to [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EntityIdPrefix](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-entityidprefix)" : String, "[GroupConfiguration](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-groupconfiguration)" : OpenIdConnectGroupConfiguration, "[Issuer](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-issuer)" : String, "[TokenSelection](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-tokenselection)" : OpenIdConnectTokenSelection } ``` ### YAML ``` [EntityIdPrefix](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-entityidprefix): String [GroupConfiguration](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-groupconfiguration): OpenIdConnectGroupConfiguration [Issuer](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-issuer): String [TokenSelection](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-tokenselection): OpenIdConnectTokenSelection ``` ## Properties `EntityIdPrefix` A descriptive string that you want to prefix to user entities from your OIDC identity provider. For example, if you set an `entityIdPrefix` of `MyOIDCProvider`, you can reference principals in your policies in the format `MyCorp::User::MyOIDCProvider|Carlos`. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `100` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GroupConfiguration` The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a `groups` claim to `MyCorp::UserGroup`. *Required*: No *Type*: [OpenIdConnectGroupConfiguration](aws-properties-verifiedpermissions-identitysource-openidconnectgroupconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Issuer` The issuer URL of an OIDC identity provider. This URL must have an OIDC discovery endpoint at the path `.well-known/openid-configuration`. *Required*: Yes *Type*: String *Pattern*: `^https://.*$` *Minimum*: `1` *Maximum*: `2048` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TokenSelection` The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source. *Required*: Yes *Type*: [OpenIdConnectTokenSelection](aws-properties-verifiedpermissions-identitysource-openidconnecttokenselection.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectGroupConfiguration The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a `groups` claim to `MyCorp::UserGroup`. This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[GroupClaim](#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupclaim)" : String, "[GroupEntityType](#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupentitytype)" : String } ``` ### YAML ``` [GroupClaim](#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupclaim): String [GroupEntityType](#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupentitytype): String ``` ## Properties `GroupClaim` The token claim that you want Verified Permissions to interpret as group membership. For example, `groups`. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GroupEntityType` The policy store entity type that you want to map your users' group claim to. For example, `MyCorp::UserGroup`. A group entity type is an entity that can have a user entity type as a member. *Required*: Yes *Type*: String *Pattern*: `^([_a-zA-Z][_a-zA-Z0-9]*::)*[_a-zA-Z][_a-zA-Z0-9]*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectIdentityTokenConfiguration The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept. This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ClientIds](#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-clientids)" : [ String, ... ], "[PrincipalIdClaim](#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-principalidclaim)" : String } ``` ### YAML ``` [ClientIds](#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-clientids): - String [PrincipalIdClaim](#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-principalidclaim): String ``` ## Properties `ClientIds` The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC identity provider. For example, `1example23456789, 2example10111213`. *Required*: No *Type*: Array of String *Minimum*: `1 | 0` *Maximum*: `255 | 1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PrincipalIdClaim` The claim that determines the principal in OIDC access tokens. For example, `sub`. *Required*: No *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectTokenSelection The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source. This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AccessTokenOnly](#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-accesstokenonly)" : OpenIdConnectAccessTokenConfiguration, "[IdentityTokenOnly](#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-identitytokenonly)" : OpenIdConnectIdentityTokenConfiguration } ``` ### YAML ``` [AccessTokenOnly](#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-accesstokenonly): OpenIdConnectAccessTokenConfiguration [IdentityTokenOnly](#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-identitytokenonly): OpenIdConnectIdentityTokenConfiguration ``` ## Properties `AccessTokenOnly` The OIDC configuration for processing access tokens. Contains allowed audience claims, for example `https://auth.example.com`, and the claim that you want to map to the principal, for example `sub`. *Required*: No *Type*: [OpenIdConnectAccessTokenConfiguration](aws-properties-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `IdentityTokenOnly` The OIDC configuration for processing identity (ID) tokens. Contains allowed client ID claims, for example `1example23456789`, and the claim that you want to map to the principal, for example `sub`. *Required*: No *Type*: [OpenIdConnectIdentityTokenConfiguration](aws-properties-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::Policy Creates or updates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template. You can directly update only static policies. To update a template-linked policy, you must update its linked policy template instead. + To create a static policy, in the `Definition` include a `Static` element that includes the Cedar policy text in the `Statement` element. + To create a policy that is dynamically linked to a policy template, in the `Definition` include a `Templatelinked` element that specifies the policy template ID and the principal and resource to associate with this policy. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template. **Note** If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored. When you edit a static policy, You can change only certain elements of a static policy: The action referenced by the policy. A condition clause, such as when and unless. You can't change these elements of a static policy: Changing a policy from a static policy to a template-linked policy. Changing the effect of a static policy from permit or forbid. The principal referenced by a static policy. The resource referenced by a static policy. To update a template-linked policy, you must update the template instead. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::VerifiedPermissions::Policy", "Properties" : { "[Definition](#cfn-verifiedpermissions-policy-definition)" : PolicyDefinition, "[PolicyStoreId](#cfn-verifiedpermissions-policy-policystoreid)" : String } } ``` ### YAML ``` Type: AWS::VerifiedPermissions::Policy Properties: [Definition](#cfn-verifiedpermissions-policy-definition): PolicyDefinition [PolicyStoreId](#cfn-verifiedpermissions-policy-policystoreid): String ``` ## Properties `Definition` Specifies the policy type and content to use for the new or updated policy. The definition structure must include either a `Static` or a `TemplateLinked` element. *Required*: Yes *Type*: [PolicyDefinition](aws-properties-verifiedpermissions-policy-policydefinition.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PolicyStoreId` Specifies the `PolicyStoreId` of the policy store you want to store the policy in. To specify a policy store, use its ID or alias name. When using an alias name, prefix it with `policy-store-alias/`. For example: + ID: `PSEXAMPLEabcdefg111111` + Alias name: `policy-store-alias/example-policy-store` To view aliases, use [ListPolicyStoreAliases](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListPolicyStoreAliases.html). *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9-]*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique id of the new or updated policy. For example: `{ "Ref": "SPEXAMPLEabcdefg111111" }` For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `PolicyId` The unique ID of the new or updated policy. `PolicyType` The type of the policy. This is one of the following values: + Static + TemplateLinked ## Examples **Topics** + [Creating a static policy](#aws-resource-verifiedpermissions-policy--examples--Creating_a_static_policy) + [Creating a template-linked policy](#aws-resource-verifiedpermissions-policy--examples--Creating_a_template-linked_policy) ### Creating a static policy The following example creates a static policy in the specified policy store with the specified policy statement. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation sample template for creating a static policy for Verified Permissions", "Parameters": { "PolicyStoreId": { "Type": "String" }, "Description": { "Type": "String" }, "Statement": { "Type": "String" } }, "Resources": { "StaticPolicy": { "Type": "AWS::VerifiedPermissions::Policy", "Properties": { "PolicyStoreId": { "Ref": "PolicyStoreId" }, "Definition": { "Static": { "Description": { "Ref": "Description" }, "Statement": { "Ref": "Statement" } } } } } }, "Outputs": { "PolicyId": { "Value": { "Fn::GetAtt": [ "StaticPolicy", "PolicyId" ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: >- Description": "AWS CloudFormation sample template for creating a static policy for Verified Permissions." Parameters: PolicyStoreId: Type: String Description: Type: String Statement: Type: String Resources: StaticPolicy: Type: AWS::VerifiedPermissions::Policy Properties: PolicyStoreId: !Ref PolicyStoreId Definition: Static: Description: !Ref Description Statement: !Ref Statement Outputs: PolicyId: Value: !GetAtt StaticPolicy.PolicyId ``` ### Creating a template-linked policy The following example creates a policy that is linked to the specified policy template. You must specify the type and ID for the placeholders in your template. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation sample template for creating a template-linked policy for Verified Permissions.", "Parameters": { "PolicyStoreId": { "Type": "String" }, "PolicyTemplateId": { "Type": "String" }, "PrincipalType": { "Type": "String" }, "PrincipalId": { "Type": "String" }, "ResourceType": { "Type": "String" }, "ResourceId": { "Type": "String" } }, "Resources": { "TemplateLinkedPolicy": { "Type": "AWS::VerifiedPermissions::Policy", "Properties": { "PolicyStoreId": { "Ref": "PolicyStoreId" }, "Definition": { "TemplateLinked": { "PolicyTemplateId": { "Ref": "PolicyTemplateId" }, "Principal": { "EntityType": { "Ref": "PrincipalType" }, "EntityId": { "Ref": "PrincipalId" } }, "Resource": { "EntityType": { "Ref": "ResourceType" }, "EntityId": { "Ref": "ResourceId" } } } } } } }, "Outputs": { "PolicyId": { "Value": { "Fn::GetAtt": [ "TemplateLinkedPolicy", "PolicyId" ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: >- Description": "AWS CloudFormation sample template for creating a template-linked policy for Verified Permissions." Parameters: PolicyStoreId: Type: String PolicyTemplateId: Type: String PrincipalType: Type: String PrincipalId: Type: String ResourceType: Type: String ResourceId: Type: String Resources: TemplateLinkedPolicy: Type: AWS::VerifiedPermissions::Policy Properties: PolicyStoreId: !Ref PolicyStoreId Definition: TemplateLinked: PolicyTemplateId: !Ref PolicyTemplateId Principal: EntityType: !Ref PrincipalType EntityId: !Ref PrincipalId Resource: EntityType: !Ref ResourceType EntityId: !Ref ResourceId Outputs: PolicyId: Value: !GetAtt TemplateLinkedPolicy.PolicyId ``` # AWS::VerifiedPermissions::Policy EntityIdentifier Contains the identifier of an entity in a policy, including its ID and type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EntityId](#cfn-verifiedpermissions-policy-entityidentifier-entityid)" : String, "[EntityType](#cfn-verifiedpermissions-policy-entityidentifier-entitytype)" : String } ``` ### YAML ``` [EntityId](#cfn-verifiedpermissions-policy-entityidentifier-entityid): String [EntityType](#cfn-verifiedpermissions-policy-entityidentifier-entitytype): String ``` ## Properties `EntityId` The identifier of an entity. `"entityId":"identifier"` *Required*: Yes *Type*: String *Pattern*: `^.*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `EntityType` The type of an entity. Example: `"entityType":"typeName"` *Required*: Yes *Type*: String *Pattern*: `^.*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::Policy PolicyDefinition A structure that defines a Cedar policy. It includes the policy type, a description, and a policy body. This is a top level data type used to create a policy. This data type is used as a request parameter for the [CreatePolicy](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicy.html) operation. This structure must always have either an `Static` or a `TemplateLinked` element. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Static](#cfn-verifiedpermissions-policy-policydefinition-static)" : StaticPolicyDefinition, "[TemplateLinked](#cfn-verifiedpermissions-policy-policydefinition-templatelinked)" : TemplateLinkedPolicyDefinition } ``` ### YAML ``` [Static](#cfn-verifiedpermissions-policy-policydefinition-static): StaticPolicyDefinition [TemplateLinked](#cfn-verifiedpermissions-policy-policydefinition-templatelinked): TemplateLinkedPolicyDefinition ``` ## Properties `Static` A structure that describes a static policy. An static policy doesn't use a template or allow placeholders for entities. *Required*: No *Type*: [StaticPolicyDefinition](aws-properties-verifiedpermissions-policy-staticpolicydefinition.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TemplateLinked` A structure that describes a policy that was instantiated from a template. The template can specify placeholders for `principal` and `resource`. When you use [CreatePolicy](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicy.html) to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy. *Required*: No *Type*: [TemplateLinkedPolicyDefinition](aws-properties-verifiedpermissions-policy-templatelinkedpolicydefinition.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::Policy StaticPolicyDefinition A structure that defines a static policy. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Description](#cfn-verifiedpermissions-policy-staticpolicydefinition-description)" : String, "[Statement](#cfn-verifiedpermissions-policy-staticpolicydefinition-statement)" : String } ``` ### YAML ``` [Description](#cfn-verifiedpermissions-policy-staticpolicydefinition-description): String [Statement](#cfn-verifiedpermissions-policy-staticpolicydefinition-statement): String ``` ## Properties `Description` The description of the static policy. *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `150` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Statement` The policy content of the static policy, written in the Cedar policy language. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `10000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::Policy TemplateLinkedPolicyDefinition A structure that describes a policy created by instantiating a policy template. **Note** You can't directly update a template-linked policy. You must update the associated policy template instead. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[PolicyTemplateId](#cfn-verifiedpermissions-policy-templatelinkedpolicydefinition-policytemplateid)" : String, "[Principal](#cfn-verifiedpermissions-policy-templatelinkedpolicydefinition-principal)" : EntityIdentifier, "[Resource](#cfn-verifiedpermissions-policy-templatelinkedpolicydefinition-resource)" : EntityIdentifier } ``` ### YAML ``` [PolicyTemplateId](#cfn-verifiedpermissions-policy-templatelinkedpolicydefinition-policytemplateid): String [Principal](#cfn-verifiedpermissions-policy-templatelinkedpolicydefinition-principal): EntityIdentifier [Resource](#cfn-verifiedpermissions-policy-templatelinkedpolicydefinition-resource): EntityIdentifier ``` ## Properties `PolicyTemplateId` The unique identifier of the policy template used to create this policy. *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9-]*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: Updates are not supported. `Principal` The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the `?principal` placeholder in the policy template when it evaluates an authorization request. *Required*: No *Type*: [EntityIdentifier](aws-properties-verifiedpermissions-policy-entityidentifier.md) *Update requires*: Updates are not supported. `Resource` The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the `?resource` placeholder in the policy template when it evaluates an authorization request. *Required*: No *Type*: [EntityIdentifier](aws-properties-verifiedpermissions-policy-entityidentifier.md) *Update requires*: Updates are not supported. # AWS::VerifiedPermissions::PolicyStore Creates a policy store. A policy store is a container for policy resources. You can create a separate policy store for each of your applications. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::VerifiedPermissions::PolicyStore", "Properties" : { "[DeletionProtection](#cfn-verifiedpermissions-policystore-deletionprotection)" : DeletionProtection, "[Description](#cfn-verifiedpermissions-policystore-description)" : String, "[EncryptionSettings](#cfn-verifiedpermissions-policystore-encryptionsettings)" : EncryptionSettings, "[Schema](#cfn-verifiedpermissions-policystore-schema)" : SchemaDefinition, "[Tags](#cfn-verifiedpermissions-policystore-tags)" : [ Tag, ... ], "[ValidationSettings](#cfn-verifiedpermissions-policystore-validationsettings)" : ValidationSettings } } ``` ### YAML ``` Type: AWS::VerifiedPermissions::PolicyStore Properties: [DeletionProtection](#cfn-verifiedpermissions-policystore-deletionprotection): DeletionProtection [Description](#cfn-verifiedpermissions-policystore-description): String [EncryptionSettings](#cfn-verifiedpermissions-policystore-encryptionsettings): EncryptionSettings [Schema](#cfn-verifiedpermissions-policystore-schema): SchemaDefinition [Tags](#cfn-verifiedpermissions-policystore-tags): - Tag [ValidationSettings](#cfn-verifiedpermissions-policystore-validationsettings): ValidationSettings ``` ## Properties `DeletionProtection` Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted. The default state is `DISABLED`. *Required*: No *Type*: [DeletionProtection](aws-properties-verifiedpermissions-policystore-deletionprotection.md) *Allowed values*: `ENABLED | DISABLED` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Description` Descriptive text that you can provide to help with identification of the current policy store. *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `150` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `EncryptionSettings` A structure that contains the encryption configuration for the policy store and child resources. This data type is used as a request parameter in the [CreatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicyStore.html) operation. *Required*: No *Type*: [EncryptionSettings](aws-properties-verifiedpermissions-policystore-encryptionsettings.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Schema` Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time. *Required*: No *Type*: [SchemaDefinition](aws-properties-verifiedpermissions-policystore-schemadefinition.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` The list of key-value pairs to associate with the policy store. *Required*: No *Type*: Array of [Tag](aws-properties-verifiedpermissions-policystore-tag.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ValidationSettings` Specifies the validation setting for this policy store. Currently, the only valid and required value is `Mode`. We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore). Then, when you have a schema defined, use [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) again to turn validation back on. *Required*: Yes *Type*: [ValidationSettings](aws-properties-verifiedpermissions-policystore-validationsettings.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique id of the new or updated policy store. For example: `{ "Ref": "PSEXAMPLEabcdefg111111" }` For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `Arn` The [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) of the new or updated policy store. `PolicyStoreId` The unique ID of the new or updated policy store. ## Examples ### Creating a policy store with a schema and verification enabled The following example creates a policy store that is configured with a schema and policy validation against that schema turned on. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation sample template for creating a policy store for Verified Permissions.", "Resources": { "MyPolicyStore": { "Type": "AWS::VerifiedPermissions::PolicyStore", "Properties": { "Schema": { "CedarJson": "{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}" }, "ValidationSettings": { "Mode": "STRICT" } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: >- Description": "AWS CloudFormation sample template for creating a policy store for Verified Permissions." Resources: MyPolicyStore: Type: AWS::VerifiedPermissions::PolicyStore Properties: Schema: CedarJson: '{"PhotoApp":{"commonTypes":{"PersonType":{"type":"Record","attributes":{"age":{"type":"Long"},"name":{"type":"String"}}},"ContextType":{"type":"Record","attributes":{"ip":{"type":"Extension","name":"ipaddr","required":false},"authenticated":{"type":"Boolean","required":true}}}},"entityTypes":{"User":{"shape":{"type":"Record","attributes":{"userId":{"type":"String"},"personInformation":{"type":"PersonType"}}},"memberOfTypes":["UserGroup"]},"UserGroup":{"shape":{"type":"Record","attributes":{}}},"Photo":{"shape":{"type":"Record","attributes":{"account":{"type":"Entity","name":"Account","required":true},"private":{"type":"Boolean","required":true}}},"memberOfTypes":["Album","Account"]},"Album":{"shape":{"type":"Record","attributes":{}}},"Account":{"shape":{"type":"Record","attributes":{}}}},"actions":{"viewPhoto":{"appliesTo":{"principalTypes":["User","UserGroup"],"resourceTypes":["Photo"],"context":{"type":"ContextType"}}},"createPhoto":{"appliesTo":{"principalTypes":["User","UserGroup"],"resourceTypes":["Photo"],"context":{"type":"ContextType"}}},"listPhotos":{"appliesTo":{"principalTypes":["User","UserGroup"],"resourceTypes":["Photo"],"context":{"type":"ContextType"}}}}}}' ValidationSettings: Mode: STRICT ``` # AWS::VerifiedPermissions::PolicyStore DeletionProtection Specifies whether the policy store can be deleted. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Mode](#cfn-verifiedpermissions-policystore-deletionprotection-mode)" : String } ``` ### YAML ``` [Mode](#cfn-verifiedpermissions-policystore-deletionprotection-mode): String ``` ## Properties `Mode` Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted. The default state is `DISABLED`. *Required*: Yes *Type*: String *Allowed values*: `ENABLED | DISABLED` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::PolicyStore EncryptionSettings A structure that contains the encryption configuration for the policy store and child resources. This data type is used as a request parameter in the [CreatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicyStore.html) operation. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Default](#cfn-verifiedpermissions-policystore-encryptionsettings-default)" : Json, "[KmsEncryptionSettings](#cfn-verifiedpermissions-policystore-encryptionsettings-kmsencryptionsettings)" : KmsEncryptionSettings } ``` ### YAML ``` [Default](#cfn-verifiedpermissions-policystore-encryptionsettings-default): Json [KmsEncryptionSettings](#cfn-verifiedpermissions-policystore-encryptionsettings-kmsencryptionsettings): KmsEncryptionSettings ``` ## Properties `Default` This is the default encryption setting. The policy store uses an AWS owned key for encrypting data. *Required*: No *Type*: Json *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `KmsEncryptionSettings` The AWS KMS encryption settings for this policy store to encrypt data with. It will contain the customer-managed KMS key, and a user-defined encryption context. *Required*: No *Type*: [KmsEncryptionSettings](aws-properties-verifiedpermissions-policystore-kmsencryptionsettings.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::PolicyStore EncryptionState A structure that contains the encryption configuration for the policy store and child resources. This data type is used as a response parameter field for the [GetPolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetPolicyStore.html) operation. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Default](#cfn-verifiedpermissions-policystore-encryptionstate-default)" : Json, "[KmsEncryptionState](#cfn-verifiedpermissions-policystore-encryptionstate-kmsencryptionstate)" : KmsEncryptionState } ``` ### YAML ``` [Default](#cfn-verifiedpermissions-policystore-encryptionstate-default): Json [KmsEncryptionState](#cfn-verifiedpermissions-policystore-encryptionstate-kmsencryptionstate): KmsEncryptionState ``` ## Properties `Default` This is the default encryption state. The policy store is encrypted using an AWS owned key. *Required*: No *Type*: Json *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `KmsEncryptionState` The AWS KMS encryption settings currently configured for this policy store to encrypt data with. It contains the customer-managed KMS key, and a user-defined encryption context. *Required*: No *Type*: [KmsEncryptionState](aws-properties-verifiedpermissions-policystore-kmsencryptionstate.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::PolicyStore KmsEncryptionSettings A structure that contains the KMS encryption configuration for the policy store. The encryption settings determine what customer-managed KMS key will be used to encrypt all resources within the policy store, and any user-defined context key-value pairs to append during encryption processes. This data type is used as a field that is part of the [EncryptionSettings](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_EncryptionSettings.html) type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EncryptionContext](#cfn-verifiedpermissions-policystore-kmsencryptionsettings-encryptioncontext)" : {Key: Value, ...}, "[Key](#cfn-verifiedpermissions-policystore-kmsencryptionsettings-key)" : String } ``` ### YAML ``` [EncryptionContext](#cfn-verifiedpermissions-policystore-kmsencryptionsettings-encryptioncontext): Key: Value [Key](#cfn-verifiedpermissions-policystore-kmsencryptionsettings-key): String ``` ## Properties `EncryptionContext` User-defined, additional context to be added to encryption processes. *Required*: No *Type*: Object of String *Pattern*: `^.+$` *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Key` The customer-managed KMS key [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html), alias or ID to be used for encryption processes. Users can provide the full KMS key ARN, a KMS key alias, or a KMS key ID, but it will be mapped to the full KMS key ARN after policy store creation, and referenced when encrypting child resources. *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9:/_-]+$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::PolicyStore KmsEncryptionState A structure that contains the AWS KMS encryption configuration for the policy store. The encryption state shows what customer-managed KMS key is being used to encrypt all resources within the policy store, and any user-defined context key-value pairs added during encryption processes. This data type is used as a field that is part of the [EncryptionState](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_EncryptionState.html) type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EncryptionContext](#cfn-verifiedpermissions-policystore-kmsencryptionstate-encryptioncontext)" : {Key: Value, ...}, "[Key](#cfn-verifiedpermissions-policystore-kmsencryptionstate-key)" : String } ``` ### YAML ``` [EncryptionContext](#cfn-verifiedpermissions-policystore-kmsencryptionstate-encryptioncontext): Key: Value [Key](#cfn-verifiedpermissions-policystore-kmsencryptionstate-key): String ``` ## Properties `EncryptionContext` User-defined, additional context added to encryption processes. *Required*: Yes *Type*: Object of String *Pattern*: `^.+$` *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Key` The customer-managed KMS key [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) being used for encryption processes. *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9:/_-]+$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::PolicyStore SchemaDefinition Contains a list of principal types, resource types, and actions that can be specified in policies stored in the same policy store. If the validation mode for the policy store is set to `STRICT`, then policies that can't be validated by this schema are rejected by Verified Permissions and can't be stored in the policy store. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CedarJson](#cfn-verifiedpermissions-policystore-schemadefinition-cedarjson)" : String } ``` ### YAML ``` [CedarJson](#cfn-verifiedpermissions-policystore-schemadefinition-cedarjson): String ``` ## Properties `CedarJson` A JSON string representation of the schema supported by applications that use this policy store. For more information, see [Policy store schema](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/schema.html) in the AVP User Guide. *Required*: No *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::PolicyStore Tag A key-value pair associated with an AWS resource. In Verified Permissions, policy stores support tagging. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-verifiedpermissions-policystore-tag-key)" : String, "[Value](#cfn-verifiedpermissions-policystore-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-verifiedpermissions-policystore-tag-key): String [Value](#cfn-verifiedpermissions-policystore-tag-value): String ``` ## Properties `Key` A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The value for the specified tag key. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::PolicyStore ValidationSettings A structure that contains Cedar policy validation settings for the policy store. The validation mode determines which validation failures that Cedar considers serious enough to block acceptance of a new or edited static policy or policy template. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Mode](#cfn-verifiedpermissions-policystore-validationsettings-mode)" : String } ``` ### YAML ``` [Mode](#cfn-verifiedpermissions-policystore-validationsettings-mode): String ``` ## Properties `Mode` The validation mode currently configured for this policy store. The valid values are: + **OFF** – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service. + **STRICT** – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store. If `Mode=STRICT` and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against. To submit a static policy or policy template without a schema, you must turn off validation. *Required*: Yes *Type*: String *Allowed values*: `OFF | STRICT` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::PolicyTemplate Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::VerifiedPermissions::PolicyTemplate", "Properties" : { "[Description](#cfn-verifiedpermissions-policytemplate-description)" : String, "[PolicyStoreId](#cfn-verifiedpermissions-policytemplate-policystoreid)" : String, "[Statement](#cfn-verifiedpermissions-policytemplate-statement)" : String } } ``` ### YAML ``` Type: AWS::VerifiedPermissions::PolicyTemplate Properties: [Description](#cfn-verifiedpermissions-policytemplate-description): String [PolicyStoreId](#cfn-verifiedpermissions-policytemplate-policystoreid): String [Statement](#cfn-verifiedpermissions-policytemplate-statement): String ``` ## Properties `Description` The description to attach to the new or updated policy template. *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `150` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PolicyStoreId` The unique identifier of the policy store that contains the template. *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9-]*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Statement` Specifies the content that you want to use for the new policy template, written in the Cedar policy language. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `10000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique id of the policy store followed by '\$1' and the unique id of the new or updated policy template. For example: `{ "Ref": "POLICYSTOREabcde111111|POLICYTEMPLATEab111111" }` For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `PolicyTemplateId` The unique identifier of the new or modified policy template. ## Examples ### Creating a policy template The following example creates a policy template with the specified statement. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation sample template for creating a policy template for Verified Permissions.", "Parameters": { "PolicyStoreId": { "Type": "String" }, "Description": { "Type": "String" }, "Statement": { "Type": "String" } }, "Resources": { "PolicyTemplate": { "Type": "AWS::VerifiedPermissions::PolicyTemplate", "Properties": { "PolicyStoreId": { "Ref": "PolicyStoreId" }, "Description": { "Ref": "Description" }, "Statement": { "Ref": "Statement" } } } }, "Outputs": { "PolicyTemplateId": { "Value": { "Fn::GetAtt": [ "PolicyTemplate", "PolicyTemplateId" ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: >- Description": "AWS CloudFormation sample template for creating a policy template for Verified Permissions." Parameters: PolicyStoreId: Type: String Description: Type: String Statement: Type: String Resources: PolicyTemplate: Type: AWS::VerifiedPermissions::PolicyTemplate Properties: PolicyStoreId: !Ref PolicyStoreId Description: !Ref Description Statement: !Ref Statement Outputs: PolicyTemplateId: Value: !GetAtt PolicyTemplate.PolicyTemplateId ```