OPA vs Cedar (AWS Verified Permissions)
Charlie Egan
| Feature | Enterprise OPA Platform | Open Source OPA | Cedar (as part of AWS Verified Permissions) |
|---|---|---|---|
| **Use Cases** | | | |
| **Application Authorization** | | | |
| Run as a sidecar | ✅ | ✅ | ❌ |
| Run as a centralized service | ✅ | ✅ | ✅ |
| Run as a daemon on the same host | ✅ | ✅ | ❌ |
| Custom Integration via REST | ✅ | ✅ | ✅ |
| Custom Embedded Integration | ✅ | ✅ | ❌ |
| Istio / Envoy Proxy | ✅ | ✅ | ❌ |
| Kong Gateway & Mesh | ✅ | ✅ | ❌ |
| Gloo Gateway | ✅ | ✅ | ❌ |
| Emissary | ✅ | ✅ | ❌ |
| AWS API Gateway | ✅ | ✅ | ✅ |
| Arbitrary JSON in/out | ✅ | ✅ | ❌ |
| **Other Authorization** | | | |
| Kubernetes Admission | ✅ | 🟡 Via OPA Gatekeeper or kube-mgmt | ❌ |
| Terraform | ✅ | 🟡 Via conftest | ❌ |
| Kafka Topics | ✅ | ✅ | ❌ |
| CloudFormation | ✅ | ✅ | ❌ |
| Docker | ✅ | ✅ | ❌ |
| SSH | ✅ | ✅ | ❌ |
| Arbitrary JSON in/out | ✅ | ✅ | ❌ |
| **Runtime Data Sources** | | | |
| SQL | ✅ | ❌ | ❌ |
| HTTP | ✅ | ✅ | ❌ |
| MongoDB | ✅ | ❌ | ❌ |
| Neo4j | ✅ | ❌ | ❌ |
| Kafka | ✅ | ❌ | ❌ |
| S3 | ✅ | ❌ | ❌ |
| Git | ✅ | ❌ | ❌ |
| **Identity Data Sources** | | | |
| Okta | ✅ | ❌ | ❌ |
| LDAP | ✅ | ❌ | ❌ |
| AWS Cognito | ❌ | ❌ | ✅ |
| **Language SDK Availability** | | | |
| Java | Community REST Client | Community REST Client | Via AWS SDK |
| Python | Community REST Client | Community REST Client | Via AWS SDK |
| Go | ✅ | ✅ | Via AWS SDK |
| Node.js | Community REST Client | Community REST Client | Via AWS SDK |
| .NET | Community REST Client | Community REST Client | Via AWS SDK |
| PHP | Community REST Client | Community REST Client | Via AWS SDK |
| WebAssembly | 🟡 Agent Support Only | ✅ | ❌ |
| **Policy Lifecycle** | | | |
| **'Policy as Code'** | | | |
| Versioned Policy Distribution | ✅ via management APIs | ✅ via management APIs | ✅ via AWS CLI |
| Git / GitOps Updates | ✅ | ❌ | ❌ |
| **Policy Testing** | | | |
| Policy Testing (CLI) | ✅ | ✅ | ❌ |
| Policy Testing (UI) | ✅ | ❌ | ✅ |
| Historic Impact Analysis | ✅ | ❌ | ❌ |
| Live Impact Analysis | ✅ | ❌ | ❌ |
| **Policy Authoring** | | | |
| Editor Extensions | ✅ | ✅ | ✅ |
| CLI REPL | ✅ | ✅ | ❌ |
| Web IDE | ✅ | ❌ | ✅ |
| **Learning Resources** | | | |
| Online Playground | ✅ | ✅ | ✅ |
| Linter | ✅ | ✅ | ❌ |
| Free Online Courses | ✅ | ✅ | ❌ Not Available |
| **Audit Functionality** | | | |
| Logging of Policy Version | ✅ | ✅ | ❌ |
| **Log Sinks** | | | |
| Console (stdout) Log Sink | ✅ | ✅ | ✅ via AWS CLI |
| HTTP Log Sink | ✅ | ✅ | ❌ |
| Splunk Log Sink | ✅ | ❌ | ❌ |
| Kafka Log Sink | ✅ | ❌ | ❌ |
| S3 Log Sink | ✅ | ❌ | ❌ |
| CloudWatch Log Sink | ❌ | ❌ | ✅ |
| **Language Functionality** | | | |
| **General Functionality** | | | |
| Logic Operations | ✅ | ✅ | ✅ |
| Built-in Type Comparisons | ✅ | ✅ | ✅ |
| Arithmetic Operations | ✅ | ✅ | 🟡 +, -, * only |
| Regex | ✅ | ✅ | ❌ |
| String Operations | ✅ | ✅ | 🟡 LIKE with Wildcard Only |
| HTTP Request Support | ✅ | ✅ | ❌ |
| base64 Enc/Dec | ✅ | ✅ | ❌ |
| **Authz-specific Functionality** | | | |
| CIDR Range Testing | ✅ | ✅ | 🟡 In Range Testing only |
| IP Address Validation | 🟡 User Defined | 🟡 User Defined | ✅ |
| JWT Parsing and Verification | ✅ | ✅ | ❌ |
| X509 Certificate & Key Pair Parsing and Verification | ✅ | ✅ | ❌ |
| UUID Functionality | ✅ | ✅ | ❌ |