Cedar, an open-source authorisation policy language and SDK, has officially joined the Cloud Native Computing Foundation (CNCF) as a Sandbox project.
Originally architected by Amazon Web Services (AWS), the project aims to provide a vendor-neutral standard for defining and enforcing fine-grained permissions in modern applications.
Managing access control in cloud-native environments has traditionally relied on hard-coded logic or general-purpose policy engines. Cedar solves this by allowing developers to express permissions as policies, effectively decoupling access control from application logic. This separation enables teams to update permissions without redeploying code, a pattern often referred to as policy-as-code.
The language supports common authorisation models, including Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Relationship-Based Access Control (ReBAC). A distinguishing feature of Cedar is its focus on assurance and safety through formal verification. The language specification is formally verified using the Lean theorem prover, and its Rust implementation undergoes differential random testing against this formal specification. This mathematical rigour ensures that the policy engine behaves exactly as intended, a critical requirement for security-sensitive operations.
Beyond the core language, the project’s reliance on automated reasoning enables advanced tooling capabilities. Developers can use the policy validator to check for errors before deployment, ensuring that policies are consistent with the defined schema. This capability allows for the mathematical analysis of policies to answer questions such as whether a specific request would be allowed or denied, providing a higher level of confidence than traditional testing methods alone.
In the announcement, Lucas Käldström, Emeritus at Kubernetes SIG and WG co-chair and CNCF Ambassador, noted the balance inherent in the language’s design, stating: “What I appreciate the most about Cedar is the deep knowledge that is encoded into why it works the way it works… the careful balance between expressiveness and analyzability.”
The move to the CNCF places Cedar in the same ecosystem as the Open Policy Agent (OPA), a graduated CNCF project. While OPA and its language, Rego, are general-purpose tools capable of handling infrastructure, admission control, and application policies, Cedar is purpose-built specifically for application-level authorisation. Its design prioritises high-performance evaluation for applications with millions of users and resources. Additionally, Cedar’s native support for ReBAC aligns it with the Google Zanzibar model, offering an alternative to other Zanzibar-inspired open source projects like OpenFGA.
Since its initial open-source release, the language has seen adoption across various industries. Organisations such as Cloudflare, MongoDB, StrongDM, and Cloudinary have integrated the technology into their stacks. It also underpins AWS services like Amazon Verified Permissions and AWS Systems Manager. The project has begun integrating with other open source initiatives, including the Linux Foundation’s Janssen Project and the Kubernetes-Cedar-Authorizer.
By joining the CNCF, the project transitions to a vendor-neutral governance model. This shift is intended to foster a broader contributor base and facilitate deeper integration with the cloud native landscape. The roadmap for the project includes progressing from Sandbox to Incubation and eventually Graduated status, following the standard CNCF maturity lifecycle.
