Revolutionizing Remote Access with AWS Verified Access

A Journey to Zero Trust Security

Image source: Unsplash

In the era of cloud computing and remote work, traditional VPNs have often proven to be cumbersome and complex for both end-users and IT administrators. AWS Verified Access emerges as a game-changer, providing a secure, user-friendly alternative that aligns with the Zero Trust philosophy.

In today’s fast-paced digital world, remote connectivity has become a critical aspect of business operations. AWS introduced verified Access in November 2022; this service aligns with the principles of Zero Trust, emphasizing the importance of trustworthiness and security. In this medium post, I’ll take you on a journey through the transformational power of AWS Verified Access and how it is reshaping the landscape of remote connectivity for corporate applications.

Understanding AWS Verified Access

AWS Verified Access is a service that validates every application request before granting access. Doing so eliminates the need for a VPN, simplifying the remote connectivity experience for end-users and reducing management complexity for IT administrators.

As organizations adapt to the ever-evolving technology landscape, the need for secure and seamless remote access solutions has never been greater. The traditional approach of using VPNs typically leads to complex configurations, performance issues, and security vulnerabilities. AWS Verified Access responds to these challenges. It represents a shift towards a more modern, user-centric, and security-driven approach to remote connectivity.

Talking of the features of AWS Verified Access, let’s start with policies to enable you to establish access rules for your AWS-hosted applications. These policies are written in Cedar (the language used for writing authorization policies). They are designed to evaluate trust data sourced from the identity or device-based trust providers you’ve configured to work with Verified Access, for example:

In terms of compliance, AWS Verified Access allows configuring your environment to adhere to FIPS (Federal Information Processing Standard) Publication 140–2, a U.S. government standard that outlines security requirements for cryptographic modules used to protect sensitive information. It defines various security levels and criteria that must be met by these modules, ensuring they provide strong encryption and security measures for applications and systems handling sensitive data.

Another important capability that provides AWS Verified Access is how you can manage the user claims. Once an AWS Verified Access instance successfully authenticates a user, it securely transmits the user claims obtained from the Identity Provider (IdP) to the Verified Access endpoint. These user claims are digitally signed, ensuring that applications can authenticate the source and integrity of the claims, confirming their legitimacy. In the course of this operation, an HTTP header is also appended.

User claims help systems and applications make informed decisions about the user’s access and privileges without needing to query a centralized database. Common user claims include sub (subject, representing the user’s unique identifier), name (the user’s name), email (the user’s email address), and custom claims that can include additional user-specific information.

Deploying AWS Verified Access

In our journey, we’ll dive into a real-world example. We’ll deploy a basic network and launch an example private corporate application running on ECS (Elastic Container Service) within a private segment. What makes this deployment remarkable is the use of AWS Verified Access to connect to this corporate app via our AWS Single Sign-On (SSO) identity provider. The following diagram depicts the architecture of this implementation:

Diagram of the implementation

Let's analyze the diagram:

1. The users will navigate to the URL of the verified access endpoint.
2. The verified access endpoint will redirect the user to the SSO portal to force the authentication.
3. Once identity is validated, verified access allows access to the application load balancer internal type.
4. The load balancer forwards the traffic to the application.
5. Finally, the user will be able to interact with the corporate application.

In terms of costs, AWS Verified Access offers a straightforward pricing model. You pay for what you use without upfront commitments. The costs depend on application hours (billed per hour for each associated application — North Virginia $0.27/hr) and data processing (charged per gigabyte — North Virginia $0.02/GB). It’s a cost-efficient way to ensure secure access to your corporate applications with no hidden fees.

To deploy the infrastructure proposal above, we need to have preconfigured in our AWS account the following services:

• Route53 public hosted zone.
• Public ACM certificate.
• AWS Identity Center (SSO) configured.

If we have the previous services configured now, we’ll clone the following repository, AWS Verified Access Lab, and follow the instructions in the README.md file. After a few minutes, our infrastructure will be deployed, and we’ll be able to access our corporate example app. The URL to access will be https://aws-verified.your_hosted_zone_name.com since the application is behind an internal AWS Application Load Balancer, AWS Verified Access redirects us to the SSO portal to validate our identity.

Once our identity is validated, we can securely access our corporate application portal.

Flow after deployment

When you try to access the deployed corporate application, you will be redirected to the SSO portal to validate your identity:

AWS SSO Portal

Validating the authentication, the SSO portal will redirect you to the corporate example application. In this part, AWS Verified Access takes command, and you will be able to reach your corporate internal application, removing the necessity to configure a VPN connection:

Example of corporate application, redirected after SSO identity validation.

Conclusions

The adoption of AWS Verified Access represents a pivotal step in modernizing and fortifying IT security practices. By aligning with the Zero Trust guiding principles, this service enhances the overall security posture and streamlines remote access for end-users while simplifying management for IT administrators. The elimination of the traditional VPN requirement and the rigorous validation of each application request underscores its commitment to the principle of “never trust, always verify.” As organizations increasingly shift towards cloud computing and remote work environments, the significance of AWS Verified Access cannot be overstated. It offers a cost-effective, application-centric, continuously monitored security approach that helps safeguard critical corporate resources. With its transformative power, AWS Verified Access is reshaping the landscape of IT security, making it a cornerstone for building future-ready, secure, and efficient IT environments.

Thanks for reading; I hope this post has provided valuable insights and resources for enhancing your AWS private connections.

References

• AWS Verified Access official documentation.
• Zero Trust.