A real use case I ran into myself was when trying to grant a minimal set of permissions for creating EMR Notebooks. The AWS documentation for the PassRole permissions was incorrect and my team kept getting generic permission errors (cannot PassRole without saying what it can’t pass the role to) despite following it exactly, so we had to give broader permissions to get unblocked. Obviously they made some changes to the backend such that the documentation was out of date.
That's not Cedar or what Cedar solves. Cedar isn't replacing IAM, AWS's own policy DSL. It's a way for you to create your own IAM, and model it as you like. It has its own specification, and embedding Cedar into applications is a use case. I expect they're open sourcing it.
The hosted offering is AWS running an evaluation engine at scale, ensuring it's low latency, so your own customers can access resources gated by your own entity and policy definitions.
I think we're getting wires crossed. I know that, and I know that Cedar doesn't solve this use case. I was jumping on with Krab's comment mentioning why something that works like a policy simulator isn't sufficient.