Context & History
Convera processes billions of dollars in cross‑border payments each year. As its product portfolio expanded, the company faced a growing need to protect sensitive financial data while keeping latency low for global users. Early attempts to build a custom access‑control engine revealed high engineering cost and maintenance risk. To address these challenges, Convera adopted Amazon Verified Permissions, a managed service that supports role‑based and attribute‑based decisions with policy‑as‑code support.
Implementation & Best Practices
The migration follows a clear sequence: define a data schema, author Cedar policies, integrate the authorizer into API Gateway, add a two‑level cache, and finally set up monitoring and audit trails. Each phase is isolated in a separate repository to enable independent versioning and automated testing.
Schema Design
Start by modeling principal, resource, and action types. For Convera this meant entities such as Customer, PaymentInitiator, Transaction, and actions like View or Modify. Attributes (e.g., accountType, status) are stored in DynamoDB and referenced during evaluation.
Policy Authoring with Cedar
Cedar provides a readable syntax for fine‑grained rules. An example that restricts payment modification to business accounts is:
// Only a payment initiator may modify a payment, and only on an active business account
permit(principal, action in [Action::"ModifyPayment"], resource) when {
    principal.role == "PAYMENT_INITIATOR" &&
    resource.accountType == "BUSINESS" &&
    resource.status == "ACTIVE"
};
Policies are versioned in a Git repository and validated against the schema before deployment.
Integration Flow
API Gateway routes requests to a Lambda authorizer. The authorizer extracts the caller's JWT, enriches it with DynamoDB attributes via a pre‑token hook, and forwards the request to Verified Permissions. The service returns ALLOW or DENY, which the authorizer translates into HTTP 200 or 403 responses.
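The two pure steps of that flow, building the Verified Permissions request from the caller's JWT claims plus DynamoDB attributes and mapping the decision onto an API Gateway authorizer response, written out as an added example (not Convera's code). Entity, attribute and action names follow the article; the principal type Customer, the ids and the attribute values are constructed, and the request shape is that of the AWS SDK `is_authorized` call.

```python
"""Helpers for a Lambda authorizer in front of Amazon Verified Permissions.
The boto3 call lives only in authorize(), so the builders run offline."""


def cedar_attrs(attrs: dict) -> dict:
    """Wrap plain values in the AttributeValue shape the IsAuthorized API expects."""
    out = {}
    for key, value in attrs.items():
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            out[key] = {"boolean": value}
        elif isinstance(value, int):
            out[key] = {"long": value}
        else:
            out[key] = {"string": str(value)}
    return out


def build_request(policy_store_id, claims, principal_attrs, action_id,
                  resource_type, resource_id, resource_attrs):
    """claims: decoded JWT (sub names the principal); *_attrs: DynamoDB lookups.
    Principal type Customer is an assumption for this example."""
    principal = {"entityType": "Customer", "entityId": claims["sub"]}
    resource = {"entityType": resource_type, "entityId": resource_id}
    return {
        "policyStoreId": policy_store_id,
        "principal": principal,
        "action": {"actionType": "Action", "actionId": action_id},
        "resource": resource,
        "entities": {"entityList": [
            {"identifier": principal, "attributes": cedar_attrs(principal_attrs), "parents": []},
            {"identifier": resource, "attributes": cedar_attrs(resource_attrs), "parents": []},
        ]},
    }


def to_authorizer_response(decision, principal_id, method_arn):
    """Fail closed: anything other than an explicit ALLOW becomes Deny (403 at the gateway)."""
    effect = "Allow" if decision == "ALLOW" else "Deny"
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]},
        "context": {"decision": decision},
    }


def authorize(request, method_arn):
    """Live path: needs AWS credentials and a real policy store id (placeholder here)."""
    import boto3
    resp = boto3.client("verifiedpermissions").is_authorized(**request)
    return to_authorizer_response(resp.get("decision", "DENY"),
                                  request["principal"]["entityId"], method_arn)
```

Because the authorizer caches by token and method ARN, keep the decision-affecting attributes (role, accountType, status) inside the entities list rather than in the cache key so a stale cache entry cannot outlive an attribute change longer than the configured TTL.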
Caching Strategy
To meet sub‑millisecond latency, Convera uses a two‑level cache. API Gateway's built‑in cache stores recent decision results, while the application layer caches Cognito tokens. This approach mirrors techniques described in our rate‑limiting guide and reduces repeated policy evaluations.
Auditing & Governance
All policy changes are captured through DynamoDB Streams and synced back to Verified Permissions. The InfoSec team controls updates via a dedicated IAM role, ensuring that every modification is logged in CloudTrail for compliance reporting.
Extending to Service‑to‑Service Calls
Internal microservices authenticate with Cognito client credentials, receive tokens enriched with service attributes, and are authorized using the same policy store. This uniform model simplifies tenant isolation for SaaS offerings, allowing each tenant to have a distinct policy namespace without duplicating infrastructure.
Key Takeaway
By centralizing policy management in Amazon Verified Permissions and layering caches, Convera achieved secure, low‑latency authorization that scales across user‑facing and machine‑to‑machine APIs.
For a deeper look at building secure edge services, see our article on service‑worker powered web apps with HTTPS.