Zero Trust Access with AWS Verified Access - VPN-Free Application Connectivity
Eliminate VPNs and achieve zero trust access that verifies user identity and device security posture on every request. Learn about fine-grained control with Cedar policies.
Zero Trust and Verified Access
Zero trust rejects the traditional perimeter-based model of "trust it because it is inside the network" and instead verifies every access request. A VPN provides a tunnel into the corporate network, and once a user is connected they can typically reach every resource on that network. Verified Access instead controls access at the application level, verifying user identity and device security posture on every request. VPN client installation, VPN connection management, and VPN server scaling become unnecessary, and users access applications directly through their browser.
Trust Providers and Policy Design
Trust providers are the components that verify user identity and device trustworthiness. User trust providers such as IAM Identity Center, Okta, or Ping Identity act as the IdP and authenticate users with OIDC tokens. Device trust providers such as CrowdStrike or Jamf report device OS version, patch status, and whether security software is active. Access policies are written in the Cedar language and allow or deny access based on combinations of user groups and device state. For example, you can define a policy such as "allow access only to users in the engineering group AND only from devices with CrowdStrike active."
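The policy described above, written out as a Cedar group policy. This is an added example, not code from the original article or from AWS. It assumes the IAM Identity Center trust provider was attached with the policy reference name identitycenter and the CrowdStrike provider with the name crowdstrike, the group ID is a placeholder, the score threshold of 70 is an illustrative choice, and the context attribute paths follow the AWS Verified Access documentation but should be checked against the claims your providers actually send.

```cedar
// Added example (not from the original article or AWS):
// "allow only users in the engineering group AND only from devices
//  with CrowdStrike active", as a Verified Access group policy.
//
// Assumptions:
//   - policy reference names: "identitycenter" (user) and "crowdstrike" (device)
//   - "<ENGINEERING-GROUP-ID>" is a placeholder for the real Identity Center group ID
//   - the threshold 70 on the CrowdStrike Zero Trust Assessment score is illustrative
//   - attribute paths under context follow the AWS documentation; verify them
//     against the claims your trust providers actually return
permit(principal, action, resource)
when {
    // User must be a member of the engineering group
    context.identitycenter.groups has "<ENGINEERING-GROUP-ID>" &&
    // Guard first: if the device trust data is absent (no sensor, no report),
    // an attribute access would error and the request is denied anyway, but
    // the guard makes the intent explicit
    context has crowdstrike &&
    // Device must report a healthy overall assessment score
    context.crowdstrike.assessment.overall >= 70
};
```

Cedar is default-deny, so a request that matches no permit is refused; there is no need for a catch-all forbid. Verified Access records the policy evaluation result for every request in its access logs, so after attaching a policy like this, watch for unexpected denies from users who should be in the group or from devices whose sensor is installed but reports a low score.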
Endpoint Configuration and Operations
Verified Access endpoints are created by specifying an ALB or network interface. By placing Verified Access in front of an existing ALB, you can apply zero trust access without modifying the application. Endpoints are configured with custom domains and TLS certificates, and users access them via URLs like https://app.example.com. Access logs record user ID, device information, source IP, and policy evaluation results, and can be sent to CloudWatch Logs or S3. Security teams analyze logs to detect suspicious access patterns and use findings to improve policies. To deepen your practical knowledge of VPN-free architectures, specialized books on Amazon can be helpful.
Verified Access Pricing
Verified Access pricing consists of hourly charges per application (endpoint) and data processing charges. Each endpoint costs approximately $0.27/hour (about $194/month), and data processing is approximately $0.02 per GB. Compared to VPN solutions (Client VPN charges approximately $0.05/hour per connection + approximately $0.10/hour per subnet association), Verified Access is simpler and more cost-effective for access control to a small number of applications. However, in environments with many applications, the fixed endpoint costs add up, so a phased rollout to validate cost-effectiveness is recommended.
Summary
Verified Access is a service that eliminates VPNs and provides application access based on zero trust principles. It verifies user identity and device security posture on every request and enables fine-grained access control with Cedar policies. It's ideal for secure application access in remote work environments.