AWS Verified Access – Now Generally Available
Posted: Thursday May 11, 2023
Author: Jason Garbis
At the end of 2022, AWS announced a preview of a new remote access mechanism, AWS Verified Access. This service follows Zero Trust principles, and gives users secure and precise access to applications. I reviewed this preview service here, if you want a refresher.
AWS has now released this service as Generally Available – you can see their blog on this topic here.
So, what’s new and improved since the preview?
AWS has expanded the set of integrated Trust Providers (Identity and Device validation partners), to now include Beyond Identity, CrowdStrike, CyberArk, Cisco Duo, Jamf, JumpCloud, Okta, and Ping Identity.
However, they are still relying on a browser extension to obtain the device context – which I don’t love. Getting this from the device management server would be better (granted, that request would need to come from a server-side component, but still, it’d be better).
More importantly, they are now making user context available to to the applications, pushing it in an HTTP header (see their docs here ) . This is really interesting, and in fact is the same design that Google took with their BeyondCorp implementation. There isn’t (yet) a body of work or toolkit around how to use these claims inside of applications to make authorization decisions, but that will be something to look for in the future.
It also appears that only the identity-provider claims are sent to the application, not device claims – that’ll have to wait for an updated release.
Overall, it’s great to see major players like AWS putting in the work, and releasing services that their customers can use to make Zero Trust real.