Serverless authorization with Cerbos: where IAM boundaries still matter


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Separating authorization logic from application code can make access control easier to test and audit in serverless stacks, as Cerbos' Lambda pattern shows: a policy decision point (PDP) behind API Gateway, policies hosted in S3, and stateless policy decisions. The governance challenge remains unchanged: moving policy out of code does not remove the need to secure the identities, endpoints, and policy stores that govern access.

NHIMG editorial — based on content published by Cerbos: running Cerbos as a Lambda function with API Gateway and S3-hosted policies

Questions worth separating out

Q: How should security teams govern serverless authorization services?

A: Treat the authorization service as a privileged control plane, not a utility.

Q: Why do S3-hosted policies create an NHI governance problem?

A: Because the write access that changes effective permissions often belongs to non-human identities, not people.

Q: What breaks when authorization logic is scattered across multiple services?

A: Testing, auditing, and change control break first.

Practitioner guidance

  • Separate policy administration from runtime invocation: give the identity that writes policy files different permissions from the identity that runs the Lambda PDP.
  • Restrict the S3 policy path with versioned governance: use a dedicated bucket prefix for policies, enable versioning, and require change control for every update.
  • Harden the API Gateway trust boundary: require JWT, IAM, mTLS, or equivalent authenticated access before a client can query the PDP.
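As an added illustration of the three controls above (not code from the article or from Cerbos), here is an AWS SAM skeleton that keeps the policy-publishing identity separate from the PDP's execution role, versions the bucket that holds the policies, and puts IAM authentication in front of the API Gateway route. The image URI, the ci-deployer role name and the policies/ prefix are assumptions; the Cerbos image build and Cerbos configuration come from the source guide.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  # Policy store: versioned so every policy change is retained and reviewable.
  PolicyBucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled
  # Runtime identity: the PDP's execution role can only read the policies/ prefix.
  CerbosPdp:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: 111122223333.dkr.ecr.us-east-1.amazonaws.com/cerbos-lambda:latest  # placeholder
      Policies:
        - Statement:
            - Effect: Allow
              Action: s3:GetObject
              Resource: !Sub arn:aws:s3:::${PolicyBucket}/policies/*
            - Effect: Allow
              Action: s3:ListBucket
              Resource: !Sub arn:aws:s3:::${PolicyBucket}
              Condition: { StringLike: { s3:prefix: policies/* } }
      Events:
        Check:
          Type: Api
          Properties:
            Path: /{proxy+}
            Method: ANY
            Auth:
              Authorizer: AWS_IAM  # unauthenticated clients cannot query the PDP
  # Administration identity: a separate role for the pipeline that publishes
  # policies. It can write the prefix but is not granted lambda:InvokeFunction.
  PolicyPublisherRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/ci-deployer" }  # placeholder
            Action: sts:AssumeRole
      Policies:
        - PolicyName: WriteCerbosPolicies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [s3:PutObject, s3:DeleteObject]
                Resource: !Sub arn:aws:s3:::${PolicyBucket}/policies/*
```

Reviewing which principals hold s3:PutObject on the prefix, and which hold execute-api:Invoke on the route, is the audit that tells you who can change effective permissions versus who can merely ask for a decision.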

What's in the full article

Cerbos' full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step AWS SAM deployment for a Lambda-based PDP in a real serverless stack.
  • Exact Dockerfile, bootstrap, and config layout needed to package Cerbos for Lambda.
  • API Gateway proxy integration details for forwarding requests to the authorization service.
  • Practical examples for testing allow and deny decisions with curl or Postman.

👉 Read Cerbos' guide to running a policy decision point on AWS Lambda →
