Zero Trust Network Access - VPN-Free Secure Access with AWS Verified Access
Learn about VPN-less zero trust access with AWS Verified Access. Covers identity provider integration, device trust, policy-based access control, and comparison with traditional VPNs.
VPN Challenges and the Need for Zero Trust
Traditional remote access to internal applications has relied on VPNs. However, VPNs have many challenges. Once connected to a VPN, users can access the entire network, violating the principle of least privilege. VPN concentrator bandwidth becomes a bottleneck, and performance degrades as the number of remote workers increases. VPN client installation and configuration burden users. If VPN credentials are compromised, the entire network is at risk. The zero trust model addresses these challenges based on the principle of "verify every access regardless of network location." AWS Verified Access, released in 2023, is a zero trust network access service that verifies user identity and device trustworthiness before granting access on a per-application basis.
Architecture and Policy Definition
Verified Access consists of three components: Trust Providers, Access Groups, and Endpoints. Trust Providers are the identity provider and device management integrations that supply the user and device attributes evaluated by policies. Access Groups are groups of endpoints that share policies. Endpoints are the protected applications (an ALB or a network interface). Access policies are written in the Cedar policy language, an open-source language developed by AWS for declaring access rules.

```
// Allow access when the user is in the engineering group and the device is compliant
permit(principal, action, resource)
when {
  context.identity.groups.contains("engineering") &&
  context.device.status == "compliant"
};
```

You can combine user attributes (groups, email domain), device attributes (OS version, encryption status, patch level), and request attributes (IP address, time of day) for fine-grained control.
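To show how those attribute categories combine, here is an added example policy set (not code from the original page or from AWS) that extends the single rule above with a device-posture check, a read-only tier limited by HTTP method, and explicit deny rules. The `context.identity`, `context.device` and `context.http_request` attribute names follow the page's example and are assumptions; in a real deployment the first two are the policy reference names you assign to each trust provider.

```cedar
// Added example, not the page's own policy. Attribute names are assumptions:
// "identity" and "device" stand for the policy reference names given to the
// identity and device trust providers; "http_request" carries request data.

// Engineers on a compliant, disk-encrypted device may use any HTTP method.
permit(principal, action, resource)
when {
  context.identity.groups.contains("engineering") &&
  context.device.status == "compliant" &&
  context.device.disk_encrypted == true
};

// The wider staff group gets read-only access from a device that is at
// least enrolled (status "compliant" or "pending").
permit(principal, action, resource)
when {
  context.identity.groups.contains("staff") &&
  ["compliant", "pending"].contains(context.device.status) &&
  ["GET", "HEAD"].contains(context.http_request.http_method)
};

// A forbid always overrides a permit in Cedar, so a device reported as
// non-compliant is refused even when a permit rule above would match.
forbid(principal, action, resource)
when { context.device.status == "noncompliant" };

// Refuse requests whose client address is outside the corporate range.
// 203.0.113.0/24 is a documentation prefix used here as a placeholder.
forbid(principal, action, resource)
unless { ip(context.http_request.client_ip).isInRange(ip("203.0.113.0/24")) };
```

Cedar evaluates every policy for each request and any matching forbid wins, so the deny rules hold regardless of the order in which the policies are listed.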
Deployment and Integration with Existing Applications
Verified Access can be deployed without modifying existing applications. Place a Verified Access endpoint in front of the ALB, and users open the Verified Access endpoint URL in their browser. Verified Access verifies identity and device, and forwards the request to the ALB only when the policy is satisfied. Users do not need to install a VPN client and can reach applications directly from their browser. Verified Access appends user information (email address, groups, etc.) to the request headers forwarded to the ALB, so applications can consume this user information; because these headers are only trustworthy when the ALB cannot be reached by a path that bypasses Verified Access, restrict the ALB's security group so that it accepts traffic from the Verified Access endpoint alone. Integration with CloudWatch Logs records access logs, enabling auditing of who accessed which application and when.
Comparison with VPN and Pricing
The main differences between Verified Access and VPN are access granularity and user experience. VPN provides network-level access - once connected, users can reach all resources on the network. Verified Access provides application-level access - users can reach only the applications permitted by policy. VPN requires client software installation, while Verified Access works with just a browser. VPN bandwidth becomes a bottleneck, while Verified Access leverages AWS's global network for high performance. However, some use cases still call for a VPN (Client VPN): direct server access via SSH or RDP, non-HTTP protocol communication, and any scenario that requires network-level access. Pricing is $0.27 per endpoint per hour (approximately $197/month) plus $0.02 per GB of data processed.
Summary - Verified Access Adoption Guidelines
AWS Verified Access is a service that controls access to internal applications using a zero trust model without VPN. Its key strengths are integration with identity providers and device management solutions, fine-grained access control with Cedar policies, and deployment without changes to existing applications. It is worth considering as a VPN replacement for use cases where remote workers access web-based internal applications.