Zero trust access over non-HTTP(S) protocols using AWS Verified Access-SEC358-NEW

Introduction to AWS Verified Access

Overview

• AWS Verified Access is a managed reverse proxy service that provides zero-trust based connectivity to HTTPS applications on AWS.
• It integrates with identity providers and device management providers to evaluate user identity and device posture before granting access to applications.
• Verified Access logs each access request, enabling audit, security investigation, and troubleshooting.

Key Features

• Easy onboarding and management of applications and access policies.
• Seamless integration with identity providers and device management solutions.
• Continuous verification of user identity and device posture during a session.
• Support for HTTP/HTTPS applications as well as non-HTTP protocols like TCP and UDP.
• Automatic DNS management for dynamic resources.
• Lightweight connectivity client for accessing non-HTTP resources.
• Centralized client management through the Connectivity Client Manager.

Benefits

• Improved security posture through zero-trust access controls.
• Simplified security operations with centralized policy management.
• Scalable onboarding of resources, including dynamic and persistent components.
• Reduced reliance on static credentials for legacy applications.
• Detailed visibility and auditing of access requests.

Support for Non-HTTP Protocols

• Verified Access now supports TCP and UDP protocols, in addition to HTTP/HTTPS.
• This allows secure access to a wider range of resources, such as SSH, databases, and other custom applications.
• The same zero-trust principles are applied, with continuous evaluation of user identity and device posture.
• Two new endpoint types are introduced:
  1. TCP Endpoint: For persistent resources like applications, databases, and tools.
  2. Network Endpoint: For ephemeral resources like EC2 instances that scale dynamically.

Onboarding Non-HTTP Resources

• TCP Endpoints are used to onboard persistent resources, such as RDS instances and databases.
• Network Endpoints are used to onboard groups of ephemeral resources, defined by IP address ranges and ports.
• Verified Access automatically connects to resources within the defined network and generates public DNS records for end-user access.
• This eliminates the need for manual onboarding and DNS management for dynamic resources.

Connectivity Client

• A new Connectivity Client application is introduced for accessing non-HTTP resources.
• The client runs in the background and allows users to continue using their preferred tools (e.g., SQL Workbench, PuTTY).
• The client integrates with device trust providers to retrieve real-time device posture information for policy enforcement.

Connectivity Client Manager

• The Connectivity Client Manager is a global service that simplifies client management operations.
• Administrators can centrally manage and distribute client configurations to end-users.
• The manager automatically keeps client configurations up-to-date as new applications or regions are added.
• Users can connect to the manager using a simple "magic string" and are then provisioned with the appropriate client configuration.

Logging and Auditing

• Verified Access logs each access request, including user identity and device metadata.
• The logs can be used for auditing, security investigations, and troubleshooting purposes.
• Customers can integrate the logs with their existing observability partners.

Pricing

• Verified Access pricing is based on the number of endpoints (HTTP, TCP, Network) and the number of user connections.
• The first 100 user connections per endpoint are free, and then a nominal charge applies for additional connections.
• This pricing model allows customers to adopt zero-trust access gradually, starting with their most critical applications.