
Run Cerbos natively inside AWS Lambda

Embed the Cerbos PDP directly inside your Lambda function for serverless authorization with no external network calls.

Embedded PDP

Cerbos runs in-process inside your Lambda function with no sidecar or external service required

No network hop

Authorization checks happen in-process, eliminating network latency entirely

Cerbos Hub bundles

Load pre-compiled policy bundles from Cerbos Hub for fast cold starts and centralized policy management

What is Cerbos?

Cerbos is an open-source authorization layer that decouples access control from your application code. It runs as a stateless Policy Decision Point (PDP) that evaluates fine-grained policies at request time.

Authorization policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. They can be updated, tested, and deployed independently of your application.

Deploying Cerbos via AWS Lambda gives you a production-ready authorization service that scales horizontally and fits naturally into your existing infrastructure and observability stack.

How to run Cerbos in AWS Lambda

  1. Add the Cerbos binary to your deployment package: include the Cerbos binary or use the Lambda layer provided in the cerbos-aws-lambda repository.
  2. Bundle or configure policies: include policies in the deployment package or configure Cerbos to load from Cerbos Hub at startup.
  3. Initialize the PDP in your handler: start the embedded Cerbos PDP during function initialization so it persists across warm invocations.
  4. Check authorization in-process: call the local Cerbos PDP from your handler code to evaluate authorization without any network calls.
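
The steps above as a handler skeleton, added here as an example and not code from Cerbos or the cerbos-aws-lambda repository. The request and response dictionaries follow the shape of the Cerbos CheckResources API; `StubPDP`, `build_check_request`, `is_allowed` and the event fields are hypothetical names, and the stub stands in for the embedded PDP so the example runs offline.

```python
import uuid

ALLOW = "EFFECT_ALLOW"  # effect value in Cerbos CheckResources responses

def build_check_request(principal, kind, res_id, attr, actions):
    """Request body in the shape of the Cerbos CheckResources API."""
    return {"requestId": str(uuid.uuid4()), "principal": principal,
            "resources": [{"resource": {"kind": kind, "id": res_id, "attr": attr},
                           "actions": list(actions)}]}

def is_allowed(response, res_id, action):
    """Fail closed: only an explicit EFFECT_ALLOW for this resource passes."""
    try:
        for result in response.get("results", []):
            if result["resource"]["id"] == res_id:
                return result["actions"].get(action) == ALLOW
    except (AttributeError, KeyError, TypeError):
        pass  # malformed or missing response
    return False

class StubPDP:
    """Constructed stand-in for the embedded PDP: admins or the owner may act."""
    instances = 0
    def __init__(self):
        StubPDP.instances += 1  # counts initializations (one per cold start)
    def check(self, req):
        who, results = req["principal"], []
        for entry in req["resources"]:
            res = entry["resource"]
            ok = "admin" in who["roles"] or res["attr"].get("owner") == who["id"]
            effect = ALLOW if ok else "EFFECT_DENY"
            results.append({"resource": {"id": res["id"], "kind": res["kind"]},
                            "actions": {a: effect for a in entry["actions"]}})
        return {"requestId": req["requestId"], "results": results}

PDP = StubPDP()  # module scope: created during cold start, reused while warm

def handler(event, context, pdp=None):
    # Assumption: event["principal"] comes from a verified token, not client input.
    pdp = PDP if pdp is None else pdp
    doc = event["document"]
    req = build_check_request(event["principal"], "document", doc["id"],
                              doc["attr"], ["view"])
    try:
        decision = pdp.check(req)
    except Exception:
        decision = None  # a PDP failure must never become an allow
    ok = is_allowed(decision, doc["id"], "view")
    return {"statusCode": 200 if ok else 403, "body": "ok" if ok else "forbidden"}
```

Passing a different object as `pdp` lets unit tests exercise the failure paths, where an exception or a malformed response from the PDP must end in a 403.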

FAQ

How does Cerbos run inside Lambda?

Cerbos runs as an embedded binary within your Lambda function. The PDP starts during cold start and evaluates policies in-process, eliminating external network calls for authorization checks.

Does Cerbos add latency to Lambda cold starts?

Cerbos adds a small amount of cold start time to initialize the PDP. Once warm, policy evaluations are sub-millisecond since they happen in-process with no network overhead.

How do I load policies in Lambda?

Bundle policies with your Lambda deployment package, or configure Cerbos to load policies from Cerbos Hub at startup. Cerbos Hub provides pre-compiled policy bundles optimized for fast loading.

Cerbos + AWS Lambda

  • Cerbos runs alongside your workloads in AWS Lambda
  • No external databases or message queues required
  • Built-in metrics, distributed tracing, and structured logging
  • Stateless PDP instances scale horizontally

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.