The Open Policy Agent (OPA) is a policy engine that brings the speed, reliability and flexibility of decoupled policy as code to a wide range of authorization use cases across the cloud-native ecosystem. OPA is a Cloud Native Computing Foundation (CNCF) graduated project and has become an industry-wide standard for authorization, with several leading enterprises implementing it in their business-critical cloud systems.

The evolution of application design and cloud-native technologies means that developers can no longer rely on traditional authentication and authorization methods to be effective. While new standards for authentication already exist and are easily implemented, authorization remains a challenge, especially in a fast-paced, dynamic cloud environment. One method of solving this issue is to externalize authorization, allowing policy management to be decoupled from the application itself.

A data and security breach often leads to fines and the loss of customer trust for organizations. An IBM report estimates that a data breach on average costs $4.35 million in 2022, a 2.6% increase from the previous year. The increased concern with data and security breaches — along with the need to address more complicated use cases — reinforces the call for more granular methods of access control.

A common use case for Open Policy Agent (OPA) is to decouple authorization from the application. This enables policies and decisions to be managed centrally and lifecycled independently to the application. For application use cases, OPA can be integrated at the API Gateway, Service Mesh or Microservices layer or any combination of these.

DevOps and platform teams are more strained than ever, and as a result, need better tools than ever. These teams are required to develop, provide access to, and secure a number of resources — while remaining good stewards to application developers. Beyond that, they are often tasked with overseeing their organization’s shift to the cloud. And as that shift takes place, DevOps teams will need to shift their compliance standards to the cloud.

The many benefits of microservices architecture, such as improved scalability and agility, explain why organizations are migrating from the traditional monolithic architecture. However, these benefits come at the cost of increased complexity, especially regarding security. According to an O’Reilly survey, 56% of respondents considered increased complexity the greatest challenge in developing microservices.

As organizations rapidly transform the way they build and deploy applications in pursuit of greater business agility and increased speed to market, they face significant challenges implementing effective authorization controls throughout microservices environments and the infrastructure they run on. For Identity and Access Management (IAM) teams, stitching together different data sources and transforming them for authorization purposes is complex and time-consuming.

TL;DR: AWS Object Lamba can authorize requests to S3. We can create an Object Lambda that calls Open Policy Agent (OPA) to get a policy decision. This delegation allows us to implement policies using Rego and manage them in Styra Declarative Authorization Service (DAS).