
AWS Verified Access policies are described.

AWS Verified Access helps improve your organization’s security posture by using security trust providers to grant access to applications. This service grants access to applications only when the user’s identity and the user’s device meet configured security requirements. In this blog post, we will provide an overview of trust providers and policies, then walk through a Verified Access policy for securing your corporate applications.

Understanding trust data and policies

Verified Access policies enable you to use trust data from trust providers and help protect access to corporate applications that are hosted on Amazon Web Services (AWS). When you create a Verified Access group (https://docs.aws.amazon.com/verified-access/latest/ug/verified-access-groups.html#create-verified-access-group) or a Verified Access endpoint (https://docs.aws.amazon.com/verified-access/latest/ug/verfied-access-endpoints.html), you create a Verified Access policy, which is applied to the group, or to both the group and the endpoint. Policies are written in Cedar (https://www.cedarpolicy.com/en), an AWS policy language. With Verified Access, you can express policies that use the trust data from the trust providers that you configure, such as corporate identity providers and device security state providers.

Verified Access receives trust data, or claims, from different trust providers. Currently, Verified Access supports two types of trust providers. The first type is an identity trust provider. Identity trust providers manage the identities of digital users, including the user's email address, groups, and profile information. The second type is a device trust provider. Device trust providers manage the device posture for users, including the OS version of the device, risk scores, and other metrics that reflect device posture. When a user makes a request to Verified Access, the request includes claims from the configured trust providers. Verified Access customers permit or forbid access to applications by evaluating those claims in Cedar policies. We will walk through the types of claims that are included from trust providers and the options for custom trust data.

End-to-end Cedar policy use cases

Let's look at how to use policies with your applications. In general, you use Verified Access to control access to an application for the purposes of authentication and initial authorization. This means that you use Verified Access to authenticate the user when they log in and to confirm that the posture of the end device meets minimum criteria. For authorization logic that controls access to actions and resources inside the application, you pass the identity claims to the application. The application uses that information to authorize users within the application after authentication. In other words, not every identity claim needs to be passed or checked in Verified Access to allow traffic to reach the application. You can and should put additional logic in place to make decisions for users once they gain access to the backend application after initial authentication and authorization by Verified Access. From an identity perspective, these additional criteria might be an email address, a group, and possibly some additional claims. From a device perspective, Verified Access does not at this time pass device trust data to the end application. This means that you should use Verified Access to perform checks involving device posture.

We will explore the evolution of a policy by walking you through four use cases for Cedar policy. You can test the claim data and policies in the Verified Access Cedar Playground (https://www.cedarpolicy.com/aws-verified-access). For more information about Verified Access, see Verified Access policies (https://docs.aws.amazon.com/verified-access/latest/ug/auth-policies.html) and the types of trust providers (https://docs.aws.amazon.com/verified-access/latest/ug/trust-providers.html).

Use case 1: Basic policy

For many applications, you only need a simple policy to provide access to your users. This can include the identity information only. For example, let's say that you want to write a policy that uses the user's email address and matches a certain group that the user is part of. Within the Verified Access trust provider configuration, you can include "openid email groups" as the scope, and your OpenID Connect (OIDC) provider (https://openid.net/connect/) will include each claim associated with the scopes that you have configured with the OIDC provider. When the user John in this example use case logs in to the OIDC provider, he receives the following claims from the OIDC provider. For this provider, the Verified Access trust provider is configured with "identity" as the policy reference name.

{
  "identity": {
    "email": "john@example.com",
    "groups": [ "finance", "employees" ]
  }
}

With these claims, you can write a policy that matches the email domain and the group to allow access to the application, as follows.

permit(principal, action, resource)
when {
  // Returns true if the email ends in "@example.com" ("*" is the Cedar wildcard)
  context.identity.email like "*@example.com" &&
  // Returns true if the user is part of the "finance" group
  context.identity.groups.contains("finance")
};

Use case 2: Custom claims in a policy

You might also want to use the identity provider's custom or company-specific claims. Depending on how you configure the identity provider, there are claims that are available from the user endpoint. For OIDC providers, this is determined by the scopes that you specify when you set up the identity provider. Verified Access uses OIDC scopes to request access to user information. This covers things like the user's name, address, email verification status, and custom attributes. Each scope that you configure for the identity provider returns a set of user attributes, which we refer to as claims. Based on which claims you want to match in your policy, you set up the scopes and claims in the OIDC provider, which adds them to the user endpoint. See the OIDC Standard Claims specification for a list of common claims, including profile, email, name, and others.

In this use case, as your policy evolves from the initial one, you decide to add more company-specific claims to Verified Access: the level of each user and the business unit. The scope in the Verified Access trust provider configuration can be "openid email groups profile", and your OIDC provider will include each claim associated with the scopes that you have configured with it. Now, when user John logs in to the OIDC provider, he receives the following claims, which include the business unit and level claims from the provider's "profile" scope.

{
  "identity": {
    "email": "john@example.com",
    "groups": [ "finance", "employees" ],
    "business_unit": "corp",
    "level": 8
  }
}

You can write a policy that matches these claims to allow access to the application, as follows.

permit(principal, action, resource)
when {
  // Returns true if the email ends in "@example.com" ("*" is the Cedar wildcard)
  context.identity.email like "*@example.com" &&
  // Returns true if the user is part of the "finance" group
  context.identity.groups.contains("finance") &&
  // Returns true if the business unit is "corp"
  context.identity.business_unit == "corp" &&
  // Returns true if the level is greater than or equal to 6
  context.identity.level >= 6
};

Use case 3: Adding a device trust provider to a policy

A device trust provider is the other type of trust provider. Verified Access currently supports two device trust providers, CrowdStrike and Jamf. The Verified Access browser extension receives information about the user's device from the device agent installed on that device, as described in AWS Verified Access Request Verification Flow for HTTP/HTTPS traffic. Each device trust provider determines what risk data and device data to include in the claims, as well as how that data is formatted. Depending on the device trust provider, the claims are either static or customizable.

As the policy evolves, you then add device trust provider checks to our example use case. John's device has the Verified Access browser extension installed, and the identity and device trust providers present the following claims to Verified Access. The device trust provider uses the policy reference name "crwd".

{
  "identity": {
    "email": "john@example.com",
    "groups": [ "finance", "employees" ],
    "business_unit": "corp",
    "level": 8
  },
  "crwd": {
    "assessment": {
      "overall": 90,
      "os": 100,
      "sensor_config": 80,
      "version": "3.4.0"
    }
  }
}

Based on these claims, you can write the following policy to allow access to the application.

permit(principal, action, resource)
when {
  // Returns true if the email ends in "@example.com" ("*" is the Cedar wildcard)
  context.identity.email like "*@example.com" &&
  // Returns true if the user is part of the "finance" group
  context.identity.groups.contains("finance") &&
  // Returns true if the business unit is "corp"
  context.identity.business_unit == "corp" &&
  // Returns true if the level is greater than or equal to 6
  context.identity.level >= 6 &&
  // If the CrowdStrike agent is present
  ( context has "crwd" &&
    // The overall device score is greater than or equal to 80
    context.crwd.assessment.overall >= 80 )
};

For more details about these claims, see Third-party trust providers.

Use case 4: Multiple device trust providers

The last update to your policy involves multiple device trust providers. Verified Access gives you the option to evaluate different device trust providers in the same policy. This gives your business flexibility, as in this use case, where it has different device trust providers installed on different types of user devices. See Third-party trust providers for details on the claims that each device trust provider sends to AWS. In this updated policy, John's claims remain the same, but the policy can match either Jamf or CrowdStrike trust data. The policy reference name for Jamf is "jamf".

permit(principal, action, resource)
when {
  // Returns true if the email ends in "@example.com" ("*" is the Cedar wildcard)
  context.identity.email like "*@example.com" &&
  // Returns true if the user is part of the "finance" group
  context.identity.groups.contains("finance") &&
  // Returns true if the business unit is "corp"
  context.identity.business_unit == "corp" &&
  // Returns true if the level is greater than or equal to 6
  context.identity.level >= 6 &&
  (
    // If the CrowdStrike agent is present
    ( context has "crwd" &&
      // The overall device score is greater than or equal to 80
      context.crwd.assessment.overall >= 80 ) ||
    // If the Jamf agent is present
    ( context has "jamf" &&
      // The risk level is either LOW or SECURE
      ["LOW", "SECURE"].contains(context.jamf.risk) )
  )
};

For more details about using Jamf with Verified Access, see Integrating AWS Verified Access with Jamf Device Identity.
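To see how the use case 4 policy (and, as subsets of it, use cases 1 through 3) behaves on claim sets that differ from John's, here is an added Python model of the policy logic. It is not Cedar and not code from the post or from AWS: the claim sets are constructed, the Jamf `risk` value is assumed to be a plain string as in the policy, and the real policy should still be validated in the Cedar Playground.

```python
import re

# Constructed claim sets modelled on the ones in the post (not real trust-provider output).
IDENTITY = {"email": "john@example.com", "groups": ["finance", "employees"],
            "business_unit": "corp", "level": 8}
JOHN_CROWDSTRIKE = {"identity": IDENTITY,
                    "crwd": {"assessment": {"overall": 90, "os": 100,
                                            "sensor_config": 80, "version": "3.4.0"}}}
JOHN_JAMF = {"identity": IDENTITY, "jamf": {"risk": "LOW"}}


def cedar_like(value: str, pattern: str) -> bool:
    """Model Cedar's `like`: '*' is the only wildcard; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def identity_ok(ctx: dict) -> bool:
    """Identity half of the use case 4 policy (use cases 1 and 2 are a subset of this)."""
    ident = ctx.get("identity", {})
    # A missing attribute is an evaluation error in Cedar, so the permit does not
    # apply; the defaults below reproduce that deny-by-default outcome.
    return (cedar_like(ident.get("email", ""), "*@example.com")
            and "finance" in ident.get("groups", [])
            and ident.get("business_unit") == "corp"
            and ident.get("level", 0) >= 6)


def device_ok(ctx: dict) -> bool:
    """Device half: each provider branch is guarded by `context has <name>`, OR-ed together."""
    if "crwd" in ctx and ctx["crwd"].get("assessment", {}).get("overall", 0) >= 80:
        return True
    if "jamf" in ctx and ctx["jamf"].get("risk") in ("LOW", "SECURE"):
        return True
    return False  # no recognised device provider in the claims: no device evidence, so deny


def policy_allows(ctx: dict) -> bool:
    """True when the use case 4 permit policy would apply to this request context."""
    return identity_ok(ctx) and device_ok(ctx)
```

The `cedar_like` checks are the reason the policies above use `"*@example.com"`: a pattern without the wildcard matches only the literal string, never John's address.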

Conclusion

In this blog post, we discussed the trust providers that are available for Verified Access, gave an overview of Cedar policy for AWS Verified Access, and walked through several use cases as you evolve your Cedar policy.

Visit the Cedar Playground to test your own claims and policies. For more information, see the AWS Verified Access documentation.

Want to learn more about AWS Security? Follow us on Twitter.
