Deploy Cerbos on Amazon ECS

Run the Cerbos PDP as an ECS task or sidecar container alongside your application services.

Task or sidecar

Run Cerbos as a standalone ECS service or as a sidecar container in your application task definition

Fargate compatible

Works with both EC2 and Fargate launch types without any changes to the Cerbos container

Service discovery

Register Cerbos with ECS Service Discovery or place it behind an ALB for automatic endpoint resolution

What is Cerbos?

Cerbos is an open-source authorization layer that decouples access control from your application code. It runs as a stateless Policy Decision Point (PDP) that evaluates fine-grained policies at request time.

Authorization policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. They can be updated, tested, and deployed independently of your application.

Deploying Cerbos via Amazon Elastic Container Service gives you a production-ready authorization service that scales horizontally and fits naturally into your existing infrastructure and observability stack.

How to deploy Cerbos on Amazon ECS

  1. Create a task definition. Add the official Cerbos container image to a task definition, either as a standalone task or as a sidecar alongside your application container.
  2. Configure policy loading. Set environment variables or mount a configuration file to point Cerbos at a Git repository or Cerbos Hub.
  3. Create an ECS service. Deploy the task definition as an ECS service with your desired replica count and launch type (EC2 or Fargate).
  4. Connect your services. Use a Cerbos SDK to send authorization checks from your application to the PDP via service discovery or a load balancer.
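
Steps 1, 2 and 4 in the sidecar variant, written as one CloudFormation task definition. This is an added example, not configuration published by the Cerbos project; values in angle brackets, the branch and directory names, the app port and the `APP_CERBOS_URL` variable are placeholders or assumptions.

```yaml
# Added example: Cerbos PDP as a sidecar in a Fargate task (constructed values).
Resources:
  AppWithCerbosTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: app-with-cerbos
      NetworkMode: awsvpc              # containers in the task share localhost
      RequiresCompatibilities: [FARGATE]
      Cpu: "512"
      Memory: "1024"
      ExecutionRoleArn: <execution-role-arn>
      ContainerDefinitions:
        - Name: cerbos
          Image: ghcr.io/cerbos/cerbos:<pinned-version>  # pin a tag or digest
          Essential: true              # task stops and is replaced if the PDP exits
          Command:                     # policy loading from Git via config overrides
            - server
            - --set=storage.driver=git
            - --set=storage.git.protocol=https
            - --set=storage.git.url=<policy-repo-url>
            - --set=storage.git.branch=main        # assumed branch name
            - --set=storage.git.subDir=policies    # assumed policy directory
          # No PortMappings here: only the app container calls the PDP, over
          # localhost. Keep the PDP ports out of the task's security group ingress.
          HealthCheck:
            # Assumes the image keeps the cerbos binary at /cerbos.
            Command: ["CMD", "/cerbos", "healthcheck"]
            Interval: 10
            Timeout: 3
            Retries: 3
            StartPeriod: 15
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: <log-group>
              awslogs-region: <region>
              awslogs-stream-prefix: cerbos
        - Name: app
          Image: <your-app-image>
          Essential: true
          DependsOn:
            - ContainerName: cerbos
              Condition: HEALTHY       # start the app only once the PDP is healthy
          Environment:
            - Name: APP_CERBOS_URL     # hypothetical variable read by your SDK client
              Value: http://localhost:3592   # Cerbos default HTTP port
          PortMappings:
            - ContainerPort: 8080      # assumed application port
```

For a private policy repository, pass credentials through the container's `Secrets` property (Secrets Manager or SSM Parameter Store) rather than plain `Environment` values.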

FAQ

Should I run Cerbos as a separate ECS task or a sidecar?

A standalone ECS service behind a load balancer is the simplest approach. For the lowest latency, run Cerbos as a sidecar container in the same task definition as your application.

Does Cerbos require any external dependencies?

No. Cerbos is fully stateless and requires no database or message queue. Policies can be loaded from a Git repository or Cerbos Hub; no additional infrastructure is needed.

Does Cerbos work with Fargate?

Yes. The Cerbos container image runs on both EC2 and Fargate launch types without modification.

Cerbos + Amazon Elastic Container Service

  • Cerbos runs alongside your workloads in Amazon Elastic Container Service
  • No external databases or message queues required
  • Built-in metrics, distributed tracing, and structured logging
  • Stateless PDP instances scale horizontally

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.