Pillar 02

Cedar policies that actually block

Write rules in plain logic. Test against real traffic. Deploy to production. Violations stop execution in milliseconds—not after the fact.

Interactive Demo

Write, test, and deploy policies

See how Cedar policies evaluate against real agent actions in real time

Policy Test Suite

Read public knowledge base

Action: search_kb

classification: public, contains_pii: false

Delete user without approval

Action: delete_user

has_approval: false

Access PII with consent

Action: get_user_data

contains_pii: true, user_consent: true

Access PII without consent

Action: get_user_data

contains_pii: true, user_consent: false

Cedar Language

Human-readable security rules

Express complex access control logic in a language anyone can understand

Permit Rule
// Allow read access to knowledge base
permit(
  principal,
  action == Action::"tool_call",
  resource
)
when {
  resource.tool_name == "search_kb" &&
  resource.classification == "public"
};
Forbid Rule
// Block destructive actions
forbid(
  principal,
  action == Action::"tool_call",
  resource
)
when {
  // String set membership uses .contains(); `in` tests entity hierarchy
  ["delete_user", "drop_table"].contains(resource.tool_name)
}
unless {
  principal.has_approval == true
};

Capabilities

Enterprise-grade policy enforcement

Millisecond Evaluation

Policies execute in under 2ms. Your agents stay fast while remaining compliant.

Version Control Ready

Policies are plain text files. Store them in Git, review changes, roll back when needed.

Pre-built Templates

Start with GDPR, SOC 2, or EU AI Act templates. Customize to your requirements.

Violation Alerts

Real-time notifications when policies block actions. Full context for debugging.

Deny by Default

Secure posture out of the box. Explicitly permit what's allowed, block everything else.

Attribute-Based Access

Make decisions based on user roles, data sensitivity, time of day, or custom attributes.

Real Examples

Policies for real-world scenarios

PII Protection

Require explicit consent before accessing personally identifiable information

forbid(principal, action, resource)
when { resource.contains_pii == true }
unless { principal.has_user_consent == true };

Data Boundaries

Ensure EU data never leaves EU infrastructure

forbid(principal, action == Action::"external_call", resource)
when {
  resource.data_origin == "EU" &&
  resource.destination_region != "EU"
};

Rate Limiting

Prevent runaway agents from making too many expensive calls

forbid(principal, action == Action::"model_call", resource)
when {
  // Cedar has no float literals; model_cost is assumed to be a decimal value
  principal.calls_last_minute > 100 ||
  resource.model_cost.greaterThan(decimal("0.10"))
};
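
The test-suite cases and the permit/forbid policies above, run through a small Python model of Cedar's decision rule (an added example, not the vendor's code and not the Cedar engine). The `permit-user-data` policy and the `request` helper are hypothetical, and attribute names follow the policy text (`principal.has_user_consent`) rather than the demo labels. It also shows that a forbid policy whose evaluation errors on a missing attribute is skipped, so the request falls through to any matching permit.

```python
# Added example: a small model of Cedar's decision rule, not the Cedar engine.
# Requests are dicts; a missing attribute raises KeyError, standing in for a
# Cedar evaluation error.

def authorize(policies, req):
    """Return (decision, ids of policies that errored and were skipped)."""
    permit = forbid = False
    errors = []
    for pid, effect, when, unless in policies:
        try:
            satisfied = when(req) and not unless(req)
        except KeyError:
            errors.append(pid)  # an erroring policy is skipped, not a deny
            continue
        if satisfied:
            forbid |= effect == "forbid"
            permit |= effect == "permit"
    # Any satisfied forbid wins; with no satisfied permit the default is Deny.
    return ("Allow" if permit and not forbid else "Deny"), errors

never = lambda r: False
POLICIES = [
    ("permit-kb", "permit",
     lambda r: r["resource"]["tool_name"] == "search_kb"
     and r["resource"]["classification"] == "public", never),
    # Hypothetical permit (not on the page) so that PII reads can be allowed.
    ("permit-user-data", "permit",
     lambda r: r["resource"]["tool_name"] == "get_user_data", never),
    ("forbid-destructive", "forbid",
     lambda r: r["resource"]["tool_name"] in ("delete_user", "drop_table"),
     lambda r: r["principal"]["has_approval"] is True),
    ("forbid-pii", "forbid",
     lambda r: r["resource"]["contains_pii"] is True,
     lambda r: r["principal"]["has_user_consent"] is True),
]
# Hardened forbid-pii: the `unless` guard tests for the attribute first, like
# Cedar's `principal has has_user_consent && principal.has_user_consent`.
HARDENED = POLICIES[:3] + [
    ("forbid-pii", "forbid",
     lambda r: r["resource"]["contains_pii"] is True,
     lambda r: r["principal"].get("has_user_consent") is True),
]

def request(tool, principal=None, **resource):
    """Build a constructed request from principal and resource attributes."""
    return {"principal": principal or {},
            "resource": {"tool_name": tool, **resource}}
```

With a schema in place, Cedar's policy validator reports access to an optional attribute that is not guarded by `has`, which catches this class of mistake before deployment.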

Stop violations before they happen

Deploy your first policy in minutes, not months