Configuring AWS Verified Access for ZTNA

Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity

What Is This?

AWS Verified Access is a managed Zero Trust Network Access (ZTNA) service that provides VPN-less connectivity to internal applications running in AWS. Rather than granting network reachability once at connection time, it evaluates every request in real time against fine-grained policies written in Cedar, a purpose-built authorization language. The policy inputs are identity claims from IAM Identity Center or an OIDC-compliant identity provider and, optionally, device posture from a supported endpoint management or EDR vendor, so only authenticated users on compliant devices reach your workloads.

With Verified Access, organizations can implement granular application access controls, leveraging user identity, device posture, and contextual risk signals. This skill focuses on configuring AWS Verified Access to establish zero trust network access for internal applications, leveraging identity and device posture verification, and writing effective access policies.

Why Use It?

The shift towards Zero Trust security frameworks and the increased prevalence of remote work have rendered perimeter-based defenses like VPNs insufficient. AWS Verified Access helps organizations:

  • Provide secure, application-level access without the need for VPN clients or complex network routing.
  • Move towards a least-privilege, zero trust architecture where access is continually assessed based on user identity, device posture, and contextual signals.
  • Meet compliance and policy requirements by enforcing strong access controls and auditability (aligned with NIST CSF controls such as PR.AA-01, PR.AA-05, and PR.IR-01).
  • Simplify user experiences by enabling seamless browser-based or client-based access to internal applications.
  • Integrate with a range of providers: user identity from IAM Identity Center or any OIDC-compliant IdP (for example Okta), and device posture from CrowdStrike, Jamf or JumpCloud.
  • Leverage AWS Resource Access Manager (RAM) to scale zero trust access across multiple AWS accounts.

How to Use It

1. Prerequisites

  • AWS account with permissions to create Verified Access instances, trust providers, groups and endpoints (the ec2:CreateVerifiedAccess* and ec2:ModifyVerifiedAccess* actions).
  • Internal application hosted in AWS behind an internal (not internet-facing) Application Load Balancer, with an ACM certificate for the DNS name users will type.
  • IAM Identity Center enabled, or an OIDC-compliant identity provider (e.g., Okta) with a client registered for Verified Access.
  • (Optional) Device posture provider such as CrowdStrike or Jamf, plus the AWS Verified Access browser extension on user devices, for device compliance checks.

2. Create a Verified Access Instance

Start by creating a Verified Access instance, which acts as the control plane for your trust providers, groups and endpoints. Note the VerifiedAccessInstanceId in the response; later steps reference it.

aws ec2 create-verified-access-instance --description "My ZTNA Instance"

3. Integrate an Identity Provider

Create a user trust provider for the identity provider that authenticates your users. Verified Access accepts two user trust provider types, IAM Identity Center and OIDC; a SAML-only IdP must be federated through IAM Identity Center rather than connected directly. The policy reference name becomes the key under which that provider's claims appear in Cedar (context.idc in the policy below), so keep it a plain identifier. For AWS IAM Identity Center:

aws ec2 create-verified-access-trust-provider \
  --trust-provider-type user \
  --user-trust-provider-type iam-identity-center \
  --policy-reference-name idc \
  --description "IAM Identity Center"

For a third-party IdP such as Okta, use --user-trust-provider-type oidc and supply the issuer, authorization, token and userinfo endpoints together with the client ID, client secret and scopes in --oidc-options. In either case, attach the provider to the instance with attach-verified-access-trust-provider; an unattached provider contributes nothing to access decisions.

4. (Optional) Integrate a Device Trust Provider

To enforce device posture, create a device trust provider for CrowdStrike, Jamf or JumpCloud. The TenantId in --device-options is the tenant identifier from the vendor's console (for CrowdStrike, the customer ID; the value below is a placeholder):

aws ec2 create-verified-access-trust-provider \
  --trust-provider-type device \
  --device-trust-provider-type crowdstrike \
  --policy-reference-name crwd \
  --description "CrowdStrike Device Posture Trust" \
  --device-options TenantId=<crowdstrike-customer-id>

Attach it to the instance with attach-verified-access-trust-provider, as for the user trust provider. Device posture is collected by the AWS Verified Access browser extension, which must be installed on user devices alongside the vendor's agent; without it the device claims are absent from the request context, and a policy that depends on them denies access.

5. Configure a Verified Access Group

A Verified Access group holds one or more endpoints that share the same access policy. Create it on the instance from step 2 (the policy is attached in the next step; create-verified-access-group has no --policy-enabled flag):

aws ec2 create-verified-access-group \
  --verified-access-instance-id vai-0123456789abcdef0 \
  --description "Application Access Group"

6. Write Cedar Policies

Verified Access policies are written in Cedar, not in IAM JSON. Each trust provider's claims appear under context.<policy-reference-name>, so the names chosen in steps 3 and 4 ("idc" and "crwd") are what the policy references. The following policy permits access only to users whose verified email is in the corporate domain and whose device's CrowdStrike Zero Trust Assessment score is at least 50:

permit(principal, action, resource)
when {
    context.idc.user.email.verified == true &&
    context.idc.user.email.address like "*@example.com" &&
    context.crwd.assessment.overall >= 50
};

Cedar is default-deny: a request that matches no permit statement, or that matches any forbid statement, is rejected. Attach the policy to your Verified Access group and enable it with modify-verified-access-group-policy (there is no update-verified-access-group-policy command):

aws ec2 modify-verified-access-group-policy \
  --verified-access-group-id vagr-0123456789abcdef0 \
  --policy-enabled \
  --policy-document file://policy.cedar

7. Configure Verified Access Endpoints

Create an endpoint for each internal application and map it to your Verified Access group. For a load-balancer endpoint you also need the VPC attachment type, an ACM certificate for the application domain, a prefix for the AWS-generated endpoint domain, a security group for the endpoint, and the load balancer's listener port, protocol and subnets (the ARNs and IDs below are placeholders):

aws ec2 create-verified-access-endpoint \
  --verified-access-group-id vagr-0123456789abcdef0 \
  --endpoint-type load-balancer \
  --attachment-type vpc \
  --application-domain "internal-app.example.com" \
  --endpoint-domain-prefix internal-app \
  --domain-certificate-arn arn:aws:acm:... \
  --security-group-ids sg-0123456789abcdef0 \
  --load-balancer-options LoadBalancerArn=arn:aws:elasticloadbalancing:...,Port=443,Protocol=https,SubnetIds=subnet-...

Two things must be true before users can reach the application: the load balancer's security group must allow inbound traffic from the endpoint's security group, and the application domain must be a CNAME pointing at the EndpointDomain returned for the endpoint. Users reach the application only through that DNS name; the load balancer itself stays internal.

8. (Optional) Share Across Accounts with AWS RAM

Use AWS RAM to share Verified Access groups with other AWS accounts or organizational units for multi-account deployments.
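The procedure in steps 2 to 7 as one bash script, added here as a worked example; it is not code from the page or from AWS. It also performs the two actions the numbered steps leave implicit: attaching both trust providers to the instance, and enabling access logging to CloudWatch Logs with the trust context included. Everything environment-specific is an assumption supplied through variables (CrowdStrike customer ID, application domain, ACM certificate, internal ALB, its subnets, an endpoint security group, a log group); the AWS variable lets the same functions be dry-run against a stub instead of the real CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from AWS): steps 2-7 as one bash run,
# plus attaching the trust providers and enabling access logging.
# Placeholders to set before running:
#   CRWD_CUSTOMER_ID  CrowdStrike customer ID, used as the device trust TenantId
#   APP_DOMAIN        name users will type; CNAME it to the endpoint domain afterwards
#   ACM_CERT_ARN      ACM certificate covering APP_DOMAIN
#   ALB_ARN           internal ALB with an HTTPS :443 listener; SUBNET_IDS its subnets
#   SG_ID             endpoint security group (allow it in the ALB's security group)
#   LOG_GROUP         CloudWatch Logs group for access decisions
#   EMAIL_DOMAIN, MIN_ZTA_SCORE  policy parameters (defaults: example.com, 50)
set -euo pipefail

AWS="${AWS:-aws}"   # command used for every API call; point it at a stub for a dry run

# Cedar policy text. The reference names "idc" and "crwd" chosen below are the
# keys under `context`, which is why they are plain identifiers.
cedar_policy() {
  local email_domain="$1" min_zta_score="$2"
  cat <<EOF
permit(principal, action, resource)
when {
    context.idc.user.email.verified == true &&
    context.idc.user.email.address like "*@${email_domain}" &&
    context.crwd.assessment.overall >= ${min_zta_score}
};
EOF
}

# Run one ec2 subcommand and print a single attribute of the response.
va() {  # va <subcommand> <jmespath> [cli args...]
  local sub="$1" query="$2"
  shift 2
  "$AWS" ec2 "$sub" "$@" --query "$query" --output text
}

deploy() {
  local instance_id idc_id crwd_id group_id endpoint_id policy_file tp

  # Step 2: the instance is the control plane everything else hangs off
  instance_id=$(va create-verified-access-instance \
      'VerifiedAccessInstance.VerifiedAccessInstanceId' \
      --description "ZTNA instance")

  # Step 3: IAM Identity Center as the user trust provider
  idc_id=$(va create-verified-access-trust-provider \
      'VerifiedAccessTrustProvider.VerifiedAccessTrustProviderId' \
      --trust-provider-type user --user-trust-provider-type iam-identity-center \
      --policy-reference-name idc --description "IAM Identity Center")

  # Step 4: CrowdStrike as the device trust provider
  crwd_id=$(va create-verified-access-trust-provider \
      'VerifiedAccessTrustProvider.VerifiedAccessTrustProviderId' \
      --trust-provider-type device --device-trust-provider-type crowdstrike \
      --policy-reference-name crwd --description "CrowdStrike Zero Trust Assessment" \
      --device-options "TenantId=${CRWD_CUSTOMER_ID:?}")

  # Not in the numbered steps: a trust provider contributes nothing to access
  # decisions until it is attached to the instance.
  for tp in "$idc_id" "$crwd_id"; do
    va attach-verified-access-trust-provider \
        'VerifiedAccessInstance.VerifiedAccessInstanceId' \
        --verified-access-instance-id "$instance_id" \
        --verified-access-trust-provider-id "$tp" >/dev/null
  done

  # Steps 5 and 6: group, then its Cedar policy, attached and enabled together
  group_id=$(va create-verified-access-group \
      'VerifiedAccessGroup.VerifiedAccessGroupId' \
      --verified-access-instance-id "$instance_id" --description "Internal applications")
  policy_file=$(mktemp)
  cedar_policy "${EMAIL_DOMAIN:-example.com}" "${MIN_ZTA_SCORE:-50}" > "$policy_file"
  "$AWS" ec2 modify-verified-access-group-policy \
      --verified-access-group-id "$group_id" --policy-enabled \
      --policy-document "file://$policy_file" >/dev/null

  # Step 7: HTTPS endpoint in front of the internal ALB
  endpoint_id=$(va create-verified-access-endpoint \
      'VerifiedAccessEndpoint.VerifiedAccessEndpointId' \
      --verified-access-group-id "$group_id" \
      --endpoint-type load-balancer --attachment-type vpc \
      --application-domain "${APP_DOMAIN:?}" --endpoint-domain-prefix internal-app \
      --domain-certificate-arn "${ACM_CERT_ARN:?}" --security-group-ids "${SG_ID:?}" \
      --load-balancer-options "LoadBalancerArn=${ALB_ARN:?},Port=443,Protocol=https,SubnetIds=${SUBNET_IDS:?}")

  # Access decisions to CloudWatch Logs, with the trust context each decision
  # was made on: what you read when a policy denies unexpectedly.
  "$AWS" ec2 modify-verified-access-instance-logging-configuration \
      --verified-access-instance-id "$instance_id" \
      --access-logs "CloudWatchLogs={Enabled=true,LogGroup=${LOG_GROUP:?}},IncludeTrustContext=true" >/dev/null

  echo "$endpoint_id"   # describe it for EndpointDomain, then create the CNAME
}

if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Run it as ./va-deploy.sh deploy with the variables exported. The one manual step that remains is DNS: describe the printed endpoint, take its EndpointDomain and create the CNAME from APP_DOMAIN to it. Keeping the Cedar text in a function rather than a loose file means the policy reference names and the trust provider commands cannot drift apart, which is the most common reason a freshly deployed group denies everyone.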

When to Use It

  • When rolling out zero trust access controls for internal applications without requiring VPNs.
  • When you need to enforce policies based on user identity and device posture.
  • If regulatory compliance or audit requirements mandate granular, contextual access controls.
  • For scalable, cross-account access controls in multi-account AWS environments.

Important Notes

  • Endpoints can front an internal Application Load Balancer or a network interface; each endpoint needs an ACM certificate for its application domain, and the application domain must be CNAMEd to the endpoint domain.
  • Policy correctness and least-privilege principles are critical: Cedar is default-deny, and a typo in a policy reference name silently removes that provider's claims from the context, so test every policy against real users and devices before enabling it.
  • Enable access logging on the instance (modify-verified-access-instance-logging-configuration) to CloudWatch Logs, S3 or Kinesis Data Firehose, with the trust context included, so that every allow and deny is auditable and debuggable during incident response.
  • Device posture enforcement depends on a supported device trust provider and on the AWS Verified Access browser extension being present on user devices.
  • Regularly review and update policies as your workforce, applications, and risk posture evolve.

For detailed code samples and updates, refer to the source repository.