Policy-driven authorization for AWS App Mesh via Envoy ext_authz
Cerbos enforces fine-grained authorization within AWS App Mesh, using the same Envoy ext_authz protocol that powers the native Envoy integration.
Built on Envoy ext_authz
App Mesh uses Envoy sidecars as its data plane, so Cerbos integrates via the same native ext_authz protocol
Unified policies
The same Cerbos policies that govern your application layer extend to your service mesh
Mesh-level enforcement
Authorization at every service hop, managed from a single control plane
How Cerbos works with AWS App Mesh
AWS App Mesh provides a native integration point for Cerbos, extending policy-driven authorization to another layer of your stack without custom glue code.
Cerbos policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. The same policies that govern your application layer now extend to AWS App Mesh, enforced consistently everywhere.
A unified control plane means one set of policies, one audit trail, and one management workflow, regardless of how many services and infrastructure layers your system spans.
How Cerbos works with AWS App Mesh
AWS App Mesh is a managed service mesh that uses Envoy as its sidecar proxy. Because it uses Envoy as its data plane, Cerbos integrates via the same ext_authz gRPC protocol used in standalone Envoy deployments.
- Deploy the Cerbos PDP: run a Cerbos PDP instance that is reachable from your App Mesh Envoy sidecars.
- Configure ext_authz on the Envoy sidecar: add the ext_authz filter to your App Mesh virtual node configuration, pointing it at the Cerbos PDP.
- Cerbos evaluates your policies: the same YAML policies used across your entire stack are evaluated, and an allow or deny decision is returned.
- The sidecar enforces the decision: authorized requests are forwarded to your service, and unauthorized requests are rejected at the mesh layer.
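The ext_authz wiring behind steps 1 and 2, shown in standalone Envoy form since the page states App Mesh shares the same protocol and configuration. This is an added example, not configuration from Cerbos or AWS; it assumes the PDP serves the ext_authz Check API at cerbos-pdp:3593 (Cerbos's default gRPC port) and the protected service listens on app:8080, and it does not show how the filter is attached to a virtual node.

```yaml
static_resources:
  listeners:
    - name: ingress
      address:
        socket_address: { address: 0.0.0.0, port_value: 10000 }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress
                http_filters:
                  # ext_authz must come before the router so every request is checked first
                  - name: envoy.filters.http.ext_authz
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                      transport_api_version: V3
                      # fail closed: if the PDP is unreachable or times out, deny instead of forwarding
                      failure_mode_allow: false
                      grpc_service:
                        envoy_grpc: { cluster_name: cerbos_pdp }
                        timeout: 0.5s
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                route_config:
                  virtual_hosts:
                    - name: app
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/" }
                          route: { cluster: app }
  clusters:
    # Assumed PDP address; the ext_authz gRPC stream needs HTTP/2 to the PDP
    - name: cerbos_pdp
      type: STRICT_DNS
      http2_protocol_options: {}
      load_assignment:
        cluster_name: cerbos_pdp
        endpoints: [{ lb_endpoints: [{ endpoint: { address: { socket_address: { address: cerbos-pdp, port_value: 3593 } } } }] }]
    # Assumed upstream service; only requests the PDP allowed reach it
    - name: app
      type: STRICT_DNS
      load_assignment:
        cluster_name: app
        endpoints: [{ lb_endpoints: [{ endpoint: { address: { socket_address: { address: app, port_value: 8080 } } } }] }]
```

The two settings worth checking in any sidecar config are that ext_authz precedes the router filter and that failure_mode_allow stays false, otherwise a PDP outage silently turns into allow-all.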
FAQ
How does Cerbos integrate with AWS App Mesh?
AWS App Mesh uses Envoy as its sidecar proxy, so it inherits Envoy's ext_authz protocol. Cerbos acts as the external authorization service — the Envoy sidecar forwards each request to Cerbos for policy evaluation before routing to your service.
Is this the same integration as Envoy?
Yes. App Mesh uses Envoy sidecars as its data plane. The Cerbos integration uses the same ext_authz gRPC protocol, same policy evaluation, and same configuration. You configure it via App Mesh virtual node settings.
Do I need to change my application code?
No. Authorization happens at the sidecar proxy layer. Your services receive only pre-authorized traffic.
Cerbos + AWS App Mesh
- AWS App Mesh delegates authorization to Cerbos via native integration
- One set of policies enforced across the entire stack
- Unified audit trail for all authorization decisions
- Policies managed without code changes or redeployments