
Cedar is an open-source authorization policy language designed with intuitive syntax, fast evaluation (sub-1ms latency), and provably safe semantics using default-deny, forbid-override-permit rules to control application resource access independently from code logic.


<div><p>This article explains how Cedar, an open-source authorization policy language, was designed with three core principles: usability, speed, and safety.</p><ul><li>Cedar uses default-deny semantics with forbid policies overriding permits</li><li>Authorization decisions are order-independent and provably correct</li><li>Policies are written using application-specific vocabulary for intuitive readability</li><li>Entity hierarchy and attributes support both RBAC and ABAC models</li><li>Structured syntax with scopes and conditions enables scalable policy evaluation</li><li>No loops or stateful operations ensure fast evaluation and bounded latency</li><li>Typical authorization latencies are less than 1 millisecond</li><li>Used by AWS in Verified Permissions and Verified Access services</li></ul><p>Cedar decouples access control from application logic, enabling reusable, auditable authorization policies with proven correctness and high performance.</p></div>


Related articles