Amazon Web Services is launching the general availability of AWS Verified Access, a new networking service designed to use zero trust principles to give customers secure access to corporate applications without a VPN.
According to the company, AWS Verified Access reduces the risks associated with remote connectivity by enabling customers to implement a work-from-anywhere model in a secure and scalable manner.
AWS first announced AWS Verified Access during re:Invent 2022 when it was released as a preview, and the company has since added two new features to enhance the product: an integration with AWS Web Application Firewall and support for passing signed identity context to application endpoints.
According to AWS, Verified Access’ integration with AWS Web Application Firewall (WAF) protects web applications from application-layer threats. Users can filter out common exploits such as SQL injection and cross-site scripting with AWS WAF, while Verified Access separately enforces fine-grained, zero trust access decisions based on user identity and device security posture.
“AWS WAF lets you monitor the HTTP(S) requests that are forwarded to your protected application endpoints,” the company says in a blog. “You do this by defining a web access control list (Web ACL) and then associating it with one or more Verified Access instances you want to protect.”
The company says AWS WAF is enabled on a per Verified Access instance basis and applies the rules IT professionals define for their application endpoints. When a user requests access to an application behind Verified Access, AWS WAF inspects the HTTP request. Using AWS WAF rule statements, IT can specify matching criteria and the action to take on a match, such as allowing or blocking the traffic. AWS WAF allows or blocks the request before handing it over to Verified Access for endpoint policy evaluation, so a request blocked by WAF never reaches the identity and device policy, and a request WAF allows still has to pass that policy before it reaches the application.
In addition, Verified Access now supports passing signed identity context to application endpoints. Previously, users would request access to the application behind Verified Access with both identity and device claims, but the claims were not available to the end applications.
Verified Access now passes signed identity context, including things like email, username and other attributes from the identity provider to the applications, AWS says.
“This enables you to personalize your application using this context, eliminating the need to re-authenticate the user for personalization,” the company says. “The signed context allows the application to verify cryptographically that Verified Access has authenticated the request.”
After Verified Access authenticates the user and permits the request, it forwards the user claims it received from the identity trust provider to the application endpoint. It signs those claims so the application can verify the user’s identity, and delivers them in an HTTP header (x-amzn-ava-user-context) formatted as a signed JSON Web Token (JWT). The claims originate from the identity trust provider, which is either the organization’s OIDC provider or AWS IAM Identity Center. An application must verify the signature before trusting the header; an unverified x-amzn-ava-user-context value is just client-controlled input.
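The following Go program is an added example of how an application behind Verified Access could verify the signed user-context header before trusting its claims; it is not AWS code and not taken from the company’s blog. It assumes the JWT carries a JWS header with `alg` and `kid`, that the signature is ES384 (ECDSA P-384 with SHA-384, an assumption since the article only says "signed JWT"), and that the application resolves `kid` to the issuer’s public key. To run offline it generates a local P-384 key pair to stand in for the Verified Access signing key, and the claim names (`sub`, `email`, `exp`) are illustrative. It also shows why algorithm pinning matters by rejecting a tampered payload, an `alg=none` token and an expired token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// UserContext holds the claims the application reads from x-amzn-ava-user-context.
// The field set is an assumption for this example; use the claims your IdP emits.
type UserContext struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

type jwsHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// KeyResolver maps a key id to a public key. In production this would fetch the
// issuer's published key for that kid; here it closes over a locally generated key.
type KeyResolver func(kid string) (*ecdsa.PublicKey, error)

const sigLen = 96 // JWS ES384 signature is R || S, 48 bytes each (assumed algorithm)

func b64enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// VerifyUserContext checks token structure, pins the algorithm, verifies the
// signature over header.payload, and enforces exp before returning any claims.
func VerifyUserContext(token string, resolve KeyResolver, nowUnix int64) (*UserContext, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected 3 segments")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var hdr jwsHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// Never let the token choose the algorithm: this rejects "none" and any
	// downgrade to an HMAC alg where the public key would act as the secret.
	if hdr.Alg != "ES384" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := resolve(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != sigLen {
		return nil, errors.New("bad signature encoding")
	}
	r, s := new(big.Int).SetBytes(sig[:sigLen/2]), new(big.Int).SetBytes(sig[sigLen/2:])
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var uc UserContext
	if err := json.Unmarshal(rawClaims, &uc); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if uc.Exp == 0 || nowUnix >= uc.Exp {
		return nil, errors.New("token expired or missing exp")
	}
	return &uc, nil
}

// SignUserContext stands in for the issuer so the example runs offline.
// It is test scaffolding, not how Verified Access itself produces the header.
func SignUserContext(priv *ecdsa.PrivateKey, kid string, uc UserContext) (string, error) {
	hdr, _ := json.Marshal(jwsHeader{Alg: "ES384", Kid: kid})
	claims, _ := json.Marshal(uc)
	input := b64enc(hdr) + "." + b64enc(claims)
	digest := sha512.Sum384([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, sigLen)
	r.FillBytes(sig[:sigLen/2])
	s.FillBytes(sig[sigLen/2:])
	return input + "." + b64enc(sig), nil
}

// RunScenarios verifies a valid token and then confirms that a payload edited after
// signing, an alg=none token, and an expired token are all rejected.
func RunScenarios() (email string, tamperedRejected, noneRejected, expiredRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return
	}
	resolve := func(kid string) (*ecdsa.PublicKey, error) {
		if kid != "key-1" {
			return nil, errors.New("unknown kid")
		}
		return &priv.PublicKey, nil
	}
	const now = int64(1700000000) // constructed "current time" for the checks
	good, err := SignUserContext(priv, "key-1", UserContext{Sub: "u1", Email: "alice@example.com", Exp: now + 300})
	if err != nil {
		return
	}
	uc, err := VerifyUserContext(good, resolve, now)
	if err != nil {
		return
	}
	email = uc.Email
	parts := strings.Split(good, ".")
	forged, _ := json.Marshal(UserContext{Sub: "admin", Email: "admin@example.com", Exp: now + 300})
	_, e := VerifyUserContext(parts[0]+"."+b64enc(forged)+"."+parts[2], resolve, now)
	tamperedRejected = e != nil
	noneHdr, _ := json.Marshal(jwsHeader{Alg: "none", Kid: "key-1"})
	_, e = VerifyUserContext(b64enc(noneHdr)+"."+parts[1]+".", resolve, now)
	noneRejected = e != nil
	stale, _ := SignUserContext(priv, "key-1", UserContext{Sub: "u1", Email: "alice@example.com", Exp: now - 1})
	_, e = VerifyUserContext(stale, resolve, now)
	expiredRejected = e != nil
	return
}

func main() {
	email, tampered, none, expired, err := RunScenarios()
	fmt.Println("email:", email, "tampered rejected:", tampered, "none rejected:", none, "expired rejected:", expired, "err:", err)
}
```

In a deployed application the `KeyResolver` would fetch and cache the public key for the `kid` from the issuer, and the verified claims, not the raw header, would drive personalization. Because the header is only meaningful when set by Verified Access, the endpoint should also be reachable solely through Verified Access, so a direct caller cannot present a forged header in the first place.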
Read the company’s blog to learn more about migrating applications to Verified Access and common use cases.