OPA vs Cedar (Amazon Verified Permissions)
Charlie Egan
Rego, the policy language used by Open Policy Agent (OPA), and Cedar, a policy language developed by AWS, are two policy-as-code languages capable of expressing externalized authorization. The languages are best compared in the context in which they are typically used: policy code also needs to be authored, packaged, distributed, evaluated, enforced and audited, and a language in isolation cannot provide those functions.
OPA is a general-purpose policy engine. It supports a range of policy-as-code use cases, including authorization, with the Rego language. OPA is an open source project created and maintained by Styra and is hosted by the Cloud Native Computing Foundation.
Enterprise OPA Platform builds on the capabilities of OPA, offering a comprehensive authorization platform. The platform provides compliance, governance, no-code policy, and lifecycle management capabilities to scale policy as code authorization in complex, enterprise domains.
Cedar is an open source language for authorization policy. Being only a language, it is not a standalone solution: for policy to be enforced, Cedar code needs to be evaluated within a policy engine or product.
Amazon Verified Permissions is a managed service offered by AWS that leverages the Cedar language to enforce authorization policy. This service simplifies policy evaluation and enforcement within the AWS ecosystem where users call AWS endpoints rather than running a policy engine themselves.
Key Differences:
- Availability: Amazon Verified Permissions is exclusive to AWS customers. In contrast, OPA and the Enterprise OPA Platform can be deployed on any public or private cloud, offering greater flexibility.
- Use Cases: OPA is a general-purpose policy engine suitable for various use cases, while Cedar is only suitable for authorization policy. The Enterprise OPA Platform provides an extended set of tools and features built around OPA for enterprise needs.
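To make the comparison concrete, here is an application authorization policy written in Rego, OPA's language. This is an added example, not code from the page or from Styra. The input document shape, the placeholder HS256 secret, the trusted network range and the claim names (`roles`, `owned_documents`) are assumptions made for illustration. The policy exercises several rows of the feature table on this page: arbitrary JSON in/out, JWT parsing and verification, and CIDR range testing.

```rego
# Added example (not from the page): an application authorization policy in Rego.
# Assumed input document shape (constructed for this example):
# {
#   "token": "<bearer JWT>",
#   "method": "GET",
#   "path": ["documents", "123"],
#   "source_ip": "10.1.2.3"
# }
package app.authz

import rego.v1

# Deny by default; only an explicit rule below can grant access.
default allow := false

# Verify the bearer token (signature and expiry) and expose its claims.
# The shared secret is a placeholder; a real deployment would load it from
# data or a secret store rather than hard-coding it in policy.
claims := payload if {
	[valid, _, payload] := io.jwt.decode_verify(input.token, {"secret": "placeholder-hs256-secret"})
	valid
}

# Requests must originate from the trusted network range (assumed CIDR).
from_trusted_network if net.cidr_contains("10.0.0.0/8", input.source_ip)

# Any authenticated caller on the trusted network may read documents.
allow if {
	input.method == "GET"
	input.path[0] == "documents"
	from_trusted_network
	claims.sub != ""
}

# Only callers holding the "editors" role may modify documents, and only
# documents listed in their own "owned_documents" claim (assumed claim names).
allow if {
	input.method in {"PUT", "DELETE"}
	input.path[0] == "documents"
	from_trusted_network
	"editors" in claims.roles
	input.path[1] in claims.owned_documents
}
```

With OPA installed, a decision can be evaluated locally with `opa eval -i input.json -d policy.rego 'data.app.authz.allow'`; the same policy file can be served by OPA running as a sidecar or centralized service and queried over its REST API, which is the integration model the table's "Application Authorization" rows describe.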
See also OPA vs Cedar (Cedar Agent and OPAL)
| | Enterprise OPA Platform | Open Source OPA | Cedar (with Amazon Verified Permissions) |
|---|---|---|---|
| Use Cases | | | |
| Application Authorization | | | |
| Run as a sidecar | β | β | β |
| Run as a centralized service | β | β | β |
| Run as a daemon on the same host | β | β | β |
| Custom Integration via REST | β | β | β |
| Custom Embedded Integration | β | β | β |
| Istio / Envoy Proxy | β | β | β |
| Kong Gateway & Mesh | β | β | β |
| Gloo Gateway | β | β | β |
| Emissary | β | β | β |
| AWS API Gateway | β | β | β |
| Arbitrary JSON in/out | β | β | β |
| Other Authorization | | | |
| Kubernetes Admission | β | 🟡 Via OPA Gatekeeper or kube-mgmt | β |
| Terraform | β | 🟡 Via conftest | β |
| Kafka Topics | β | β | β |
| CloudFormation | β | β | β |
| Docker | β | β | β |
| SSH | β | β | β |
| Arbitrary JSON in/out | β | β | β |
| Runtime Data Sources | | | |
| SQL | β | β | β |
| HTTP | β | β | β |
| MongoDB | β | β | β |
| Neo4j | β | β | β |
| Kafka | β | β | β |
| S3 | β | β | β |
| Git | β | β | β |
| Identity Data Sources | | | |
| Okta | β | β | β |
| LDAP | β | β | β |
| AWS Cognito | β | β | β |
| Language SDK Availability | | | |
| Java | β | Community REST Client | Via AWS SDK |
| C# | β | Community REST Client | Via AWS SDK |
| TypeScript | β | Community REST Client | Via AWS SDK |
| Python | Community REST Client | Community REST Client | Via AWS SDK |
| Go | β | β | Via AWS SDK |
| Node.js | β | Community REST Client | Via AWS SDK |
| PHP | Community REST Client | Community REST Client | Via AWS SDK |
| WebAssembly | 🟡 Agent Support Only | β | β |
| Policy Lifecycle | | | |
| “Policy as Code” | | | |
| Versioned Policy Distribution | ✅ via management APIs | ✅ via management APIs | ✅ via AWS CLI |
| Git / GitOps Updates | β | β | β |
| Policy Testing | | | |
| Policy Testing (CLI) | β | β | β |
| Policy Testing (UI) | β | β | β |
| Historic Impact Analysis | β | β | β |
| Live Impact Analysis | β | β | β |
| Policy Authoring | | | |
| Editor Extensions | β | β | β |
| CLI REPL | β | β | β |
| Web IDE | β | β | β |
| Learning Resources | | | |
| Online Playground | β | β | β |
| Linter | β | β | β |
| Free Online Courses | β | β | ❌ Not Available |
| Audit Functionality | | | |
| Logging of Policy Version | β | β | β |
| Log Sinks | | | |
| Console (stdout) Log Sink | β | β | ✅ via AWS CLI |
| HTTP Log Sink | β | β | β |
| Splunk Log Sink | β | β | β |
| Kafka Log Sink | β | β | β |
| S3 Log Sink | β | β | β |
| CloudWatch Log Sink | β | β | β |
| Language Functionality | | | |
| General Functionality | | | |
| Logic Operations | β | β | β |
| Built-in Type Comparisons | β | β | β |
| Arithmetic Operations | β | β | 🟡 +, -, * only |
| Regex | β | β | β |
| String Operations | β | β | 🟡 LIKE with Wildcard Only |
| HTTP Request Support | β | β | β |
| base64 Enc/Dec | β | β | β |
| Authz-specific Functionality | | | |
| CIDR Range Testing | β | β | 🟡 In Range Testing only |
| IP Address Validation | 🟡 User Defined | 🟡 User Defined | β |
| JWT Parsing and Verification | β | β | β |
| X509 Certificate & Key Pair Parsing and Verification | β | β | β |
| UUID Functionality | β | β | β |