OPA vs Cedar (AWS Verified Permissions)

Charlie Egan

	Enterprise OPA Platform	Open Source OPA	Cedar (as part of AWS Verified Permissions)
Use Cases
Application Authorization
Run as a sidecar	✅	✅	❌
Run as a centralized service	✅	✅	✅
Run as a daemon on the same host	✅	✅	❌
Custom Integration via REST	✅	✅	✅
Custom Embedded Integration	✅	✅	❌
Istio / Envoy Proxy	✅	✅	❌
Kong Gateway & Mesh	✅	✅	❌
Gloo Gateway	✅	✅	❌
Emissary	✅	✅	❌
AWS API Gateway	✅	✅	✅
Arbitrary JSON in/out	✅	✅	❌

Other Authorization
Kubernetes Admission	✅	🟡Via OPA Gatekeeper or kube-mgmt	❌
Terraform	✅	🟡 Via conftest	❌
Kafka Topics	✅	✅	❌
Cloud Formation	✅	✅	❌
Docker	✅	✅	❌
SSH	✅	✅	❌
Arbitrary JSON in/out	✅	✅	❌

Runtime Data Sources
SQL	✅	❌	❌
HTTP	✅	✅	❌
MongoDB	✅	❌	❌
Neo4j	✅	❌	❌
Kakfa	✅	❌	❌
S3	✅	❌	❌
Git	✅	❌	❌

Identity Data Sources
Okta	✅	❌	❌
LDAP	✅	❌	❌
AWS Cognito	❌	❌	✅

Language SDK Availability
Java	Community REST Client	Community REST Client	Via AWS SDK
Python	Community REST Client	Community REST Client	Via AWS SDK
Go	✅	✅	Via AWS SDK
Node.js	Community REST Client	Community REST Client	Via AWS SDK
.NET	Community REST Client	Community REST Client	Via AWS SDK
PHP	Community REST Client	Community REST Client	Via AWS SDK
Web Assembly	🟡 Agent Support Only	✅	❌

Policy Lifecycle
‘Policy as Code’
Versioned Policy Distribution	✅ via management APIs	✅ via management APIs	✅ via AWS CLI
Git / GitOps Updates	✅	❌	❌

Policy Testing
Policy Testing (CLI)	✅	✅	❌
Policy Testing (UI)	✅	❌	✅
Historic Impact Analysis	✅	❌	❌
Live Impact Analysis	✅	❌	❌

Policy Authoring
Editor Extensions	✅	✅	✅
CLI REPL	✅	✅	❌
Web IDE	✅	❌	✅

Learning Resources
Online Playground	✅	✅	✅
Linter	✅	✅	❌
Free Online Courses	✅	✅	❌ Not Available

Audit Functionality
Logging of Policy Version	✅	✅	❌

Log Sinks
Console (stdout) Log Sink	✅	✅	✅ via AWS CLI
HTTP Log Sink	✅	✅	❌
Splunk Log Sink	✅	❌	❌
Kafka Log Sink	✅	❌	❌
S3 Log Sink	✅	❌	❌
Cloudwatch Log Sink	❌	❌	✅

Language Functionality
General Functionality
Logic Operations	✅	✅	✅
Built-in Type Comparisons	✅	✅	✅
Arithmetic Operations	✅	✅	🟡 +, -, * only
Regex	✅	✅	❌
String Operations	✅	✅	🟡 LIKE with Wildcard Only
HTTP Request Support	✅	✅	❌
base64 Enc/Dec	✅	✅	❌

Authz-specific Functionality
CIDR Range Testing	✅	✅	🟡 In Range Testing only
IP Address Validation	🟡 User Defined	🟡 User Defined	✅
JWT Parsing and Verification	✅	✅	❌
X509 Certificate & Key Pair Parsing and Verification	✅	✅	❌
UUID Functionality	✅	✅	❌

Charlie Egan

Get Enterprise Authorization

The Enterprise OPA Platform is used by the largest organizations in the world to manage complex access control at scale while meeting security and compliance requirements.

Request a Demo

Report

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

OPA vs Cedar (AWS Verified Permissions)

Use Cases

Policy Lifecycle

Audit Functionality

Language Functionality

Get Enterprise Authorization

Have a question?

2023 State of Policy as Code Report

See Styra DAS and OPA in Action with Capital One

Styra Microservices Datasheet

Cloud native Authorization

Access Control for Generative AI

Speak with an Engineer