Amazon Verified Permissions

2025/04/11 - Amazon Verified Permissions - 3 updated api methods

Changes  Adds deletion protection support to policy stores. Deletion protection is disabled by default, can be enabled via the CreatePolicyStore or UpdatePolicyStore APIs, and is visible in GetPolicyStore.

CreatePolicyStore (updated)
Changes (request)
{'deletionProtection': 'ENABLED | DISABLED'}

Creates a policy store. A policy store is a container for policy resources.

See also: AWS API Documentation

Request Syntax

client.create_policy_store(
    clientToken='string',
    validationSettings={
        'mode': 'OFF'|'STRICT'
    },
    description='string',
    deletionProtection='ENABLED'|'DISABLED'
)
type clientToken:

string

param clientToken:

Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with a ConflictException error.

Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.

This field is autopopulated if not provided.

type validationSettings:

dict

param validationSettings:

[REQUIRED]

Specifies the validation setting for this policy store.

Currently, the only valid and required value is Mode.

  • mode (string) -- [REQUIRED]

    The validation mode currently configured for this policy store. The valid values are:

    • OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.

    • STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.

type description:

string

param description:

Descriptive text that you can provide to help with identification of the current policy store.

type deletionProtection:

string

param deletionProtection:

Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.

The default state is DISABLED.

rtype:

dict

returns:

Response Syntax

{
    'policyStoreId': 'string',
    'arn': 'string',
    'createdDate': datetime(2015, 1, 1),
    'lastUpdatedDate': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • policyStoreId (string) --

      The unique ID of the new policy store.

    • arn (string) --

      The Amazon Resource Name (ARN) of the new policy store.

    • createdDate (datetime) --

      The date and time the policy store was originally created.

    • lastUpdatedDate (datetime) --

      The date and time the policy store was last updated.

GetPolicyStore (updated)
Changes (response)
{'deletionProtection': 'ENABLED | DISABLED'}

Retrieves details about a policy store.

See also: AWS API Documentation

Request Syntax

client.get_policy_store(
    policyStoreId='string'
)
type policyStoreId:

string

param policyStoreId:

[REQUIRED]

Specifies the ID of the policy store that you want information about.

rtype:

dict

returns:

Response Syntax

{
    'policyStoreId': 'string',
    'arn': 'string',
    'validationSettings': {
        'mode': 'OFF'|'STRICT'
    },
    'createdDate': datetime(2015, 1, 1),
    'lastUpdatedDate': datetime(2015, 1, 1),
    'description': 'string',
    'deletionProtection': 'ENABLED'|'DISABLED'
}

Response Structure

  • (dict) --

    • policyStoreId (string) --

The ID of the policy store.

    • arn (string) --

      The Amazon Resource Name (ARN) of the policy store.

    • validationSettings (dict) --

      The current validation settings for the policy store.

      • mode (string) --

        The validation mode currently configured for this policy store. The valid values are:

        • OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.

        • STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.

    • createdDate (datetime) --

      The date and time that the policy store was originally created.

    • lastUpdatedDate (datetime) --

      The date and time that the policy store was last updated.

    • description (string) --

      Descriptive text that you can provide to help with identification of the current policy store.

    • deletionProtection (string) --

      Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.

      The default state is DISABLED.

UpdatePolicyStore (updated)
Changes (request)
{'deletionProtection': 'ENABLED | DISABLED'}

Modifies the validation setting, description, or deletion protection setting for a policy store.

See also: AWS API Documentation

Request Syntax

client.update_policy_store(
    policyStoreId='string',
    validationSettings={
        'mode': 'OFF'|'STRICT'
    },
    deletionProtection='ENABLED'|'DISABLED',
    description='string'
)
type policyStoreId:

string

param policyStoreId:

[REQUIRED]

Specifies the ID of the policy store that you want to update.

type validationSettings:

dict

param validationSettings:

[REQUIRED]

A structure that defines the validation settings that you want to enable for the policy store.

  • mode (string) -- [REQUIRED]

    The validation mode currently configured for this policy store. The valid values are:

    • OFF – Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.

    • STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.

type deletionProtection:

string

param deletionProtection:

Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.

When you call UpdatePolicyStore, this parameter is unchanged unless explicitly included in the call.

type description:

string

param description:

Descriptive text that you can provide to help with identification of the current policy store.

rtype:

dict

returns:

Response Syntax

{
    'policyStoreId': 'string',
    'arn': 'string',
    'createdDate': datetime(2015, 1, 1),
    'lastUpdatedDate': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • policyStoreId (string) --

      The ID of the updated policy store.

    • arn (string) --

      The Amazon Resource Name (ARN) of the updated policy store.

    • createdDate (datetime) --

      The date and time that the policy store was originally created.

    • lastUpdatedDate (datetime) --

      The date and time that the policy store was most recently updated.
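The following is an added example, not code from this page or from AWS, showing how the three updated calls fit together in practice: a CreatePolicyStore with a clientToken (idempotent retry versus ConflictException on changed parameters), an audit that lists stores still at the DISABLED default, an UpdatePolicyStore that turns protection on while preserving the existing validationSettings (which the API requires on every update), and a check that a description-only update leaves deletionProtection unchanged. The `FakeVerifiedPermissions` class is a constructed stand-in for `boto3.client('verifiedpermissions')` so the code runs offline; its method names and response shapes follow boto3, but the account ID, store IDs, the eight-hour token expiry (not modelled) and the `DeletionProtectedError` it raises on a protected delete are assumptions, since this page does not state which error the real service returns. The two helper functions only use `get_policy_store` and `update_policy_store`, so they work unchanged against a real client (where the conflict error is `client.exceptions.ConflictException`).

```python
"""Added example (not AWS code): deletion protection and clientToken handling
for Verified Permissions policy stores, against a constructed offline fake."""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConflictException(Exception):
    """Stands in for client.exceptions.ConflictException (token reused, new params)."""


class DeletionProtectedError(Exception):
    """Constructed: the fake refuses to delete a store with protection ENABLED."""


@dataclass
class FakeVerifiedPermissions:
    """Offline stand-in for boto3.client('verifiedpermissions'); shapes mirror boto3."""
    stores: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)  # clientToken -> (params, policyStoreId)

    def create_policy_store(self, validationSettings, clientToken=None,
                            description="", deletionProtection="DISABLED"):
        params = (validationSettings["mode"], description, deletionProtection)
        token = clientToken or str(uuid.uuid4())  # service autopopulates if omitted
        if token in self.tokens:  # real service forgets the token after 8h (not modelled)
            prev_params, store_id = self.tokens[token]
            if prev_params != params:
                raise ConflictException("clientToken reused with different parameters")
            return self._summary(store_id)  # identical retry: same store, no duplicate
        store_id = uuid.uuid4().hex[:20]  # constructed ID format
        now = datetime.now(timezone.utc)
        self.stores[store_id] = {
            "policyStoreId": store_id,
            "arn": f"arn:aws:verifiedpermissions::123456789012:policy-store/{store_id}",
            "validationSettings": dict(validationSettings),
            "description": description,
            "deletionProtection": deletionProtection,  # default DISABLED, as documented
            "createdDate": now, "lastUpdatedDate": now,
        }
        self.tokens[token] = (params, store_id)
        return self._summary(store_id)

    def get_policy_store(self, policyStoreId):
        return dict(self.stores[policyStoreId])

    def update_policy_store(self, policyStoreId, validationSettings,
                            deletionProtection=None, description=None):
        store = self.stores[policyStoreId]
        store["validationSettings"] = dict(validationSettings)  # REQUIRED on every update
        if description is not None:
            store["description"] = description
        if deletionProtection is not None:  # unchanged unless explicitly included
            store["deletionProtection"] = deletionProtection
        store["lastUpdatedDate"] = datetime.now(timezone.utc)
        return self._summary(policyStoreId)

    def delete_policy_store(self, policyStoreId):
        if self.stores[policyStoreId]["deletionProtection"] == "ENABLED":
            raise DeletionProtectedError(policyStoreId)  # assumed error behaviour
        del self.stores[policyStoreId]
        return {}

    def _summary(self, store_id):
        s = self.stores[store_id]
        return {k: s[k] for k in ("policyStoreId", "arn", "createdDate", "lastUpdatedDate")}


def unprotected_stores(client, store_ids):
    """IDs whose deletionProtection is not ENABLED; treats a missing field as DISABLED."""
    return [sid for sid in store_ids
            if client.get_policy_store(policyStoreId=sid).get("deletionProtection") != "ENABLED"]


def enable_deletion_protection(client, store_id):
    """Enable protection without clobbering validation mode: read the current
    validationSettings back first, since guessing could flip STRICT to OFF."""
    current = client.get_policy_store(policyStoreId=store_id)
    client.update_policy_store(policyStoreId=store_id,
                               validationSettings=current["validationSettings"],
                               deletionProtection="ENABLED")
    return client.get_policy_store(policyStoreId=store_id)["deletionProtection"]


def demo():
    """Walk through create -> audit -> protect -> update -> blocked delete."""
    client = FakeVerifiedPermissions()
    token = "3f2b8c1e-0000-4000-8000-000000000001"  # constructed idempotency token
    kwargs = dict(clientToken=token, validationSettings={"mode": "STRICT"},
                  description="orders-api")
    sid = client.create_policy_store(**kwargs)["policyStoreId"]
    same = client.create_policy_store(**kwargs)["policyStoreId"] == sid  # safe retry
    try:
        client.create_policy_store(**{**kwargs, "validationSettings": {"mode": "OFF"}})
        conflict = False
    except ConflictException:
        conflict = True
    before = unprotected_stores(client, [sid])  # default DISABLED, so it is flagged
    after_enable = enable_deletion_protection(client, sid)
    client.update_policy_store(policyStoreId=sid, validationSettings={"mode": "STRICT"},
                               description="orders-api (prod)")  # no deletionProtection
    still = client.get_policy_store(policyStoreId=sid)["deletionProtection"]
    try:
        client.delete_policy_store(policyStoreId=sid)
        blocked = False
    except DeletionProtectedError:
        blocked = True
    return {"same_store": same, "conflict": conflict, "unprotected_before": before,
            "after_enable": after_enable, "still_enabled_after_update": still,
            "delete_blocked": blocked, "store_count": len(client.stores)}
```

Run `demo()` to see the full flow; against a real client, replace `FakeVerifiedPermissions()` with `boto3.client("verifiedpermissions")`, catch `client.exceptions.ConflictException`, and feed `unprotected_stores` the IDs you already track for the account.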