AWS Verified Access

A service that provides zero trust access to corporate applications without a VPN

Overview

AWS Verified Access is a zero trust network service that provides secure access to internal corporate applications without using a VPN. By combining user identity information with device security posture in policy-based access control, it makes authorization decisions on every request. It integrates with trust providers such as IAM Identity Center, Okta, CrowdStrike, and Jamf to perform identity verification and device posture evaluation in a unified manner. Unlike traditional VPN-based access control, it controls access at the request level rather than the network perimeter, significantly reducing the risk of lateral movement.

Trust Providers and the Policy Engine

Verified Access trust providers are the integration points with external services responsible for verifying user identity and evaluating device security posture. You can register OIDC-compliant providers such as IAM Identity Center, Okta, Azure AD, and Ping Identity as identity providers (IdPs). By integrating CrowdStrike, Jamf, or Microsoft Intune as device trust providers, you can evaluate endpoint security posture in real time - including OS patch status, disk encryption status, and anti-malware software activity. The policy engine evaluates access policies written in the Cedar language. Cedar is an open-source policy language developed by AWS that allows you to declaratively express compound conditions such as "allow access only when a user from the marketing department accesses from a managed device during business hours." Policies are applied at two levels - group level and endpoint level - and a common design is to define baseline access conditions in the group policy while adding application-specific conditions in the endpoint policy.

Endpoint and Access Group Design

A Verified Access endpoint is the entry point to a protected application. You specify an ALB (Application Load Balancer) or network interface as an attachment, routing traffic to the application through Verified Access. ALB attachments are suited for protecting web applications, allowing you to place an existing ALB behind Verified Access as-is. Network interface attachments support TCP-based applications that do not use an ALB, such as SSH, RDP, and database connections. An access group is a logical grouping of endpoints that share the same access policy. Groups are organized by application sensitivity or user base - such as "internal tools," "customer portal," and "development environment" - with policies managed at the group level. A Verified Access instance is the top-level container that bundles multiple access groups, created per region. By configuring a CNAME record in DNS to point to the Verified Access endpoint, users access applications through a standard URL in their browser.

Device Posture Evaluation and Log Auditing

Device posture evaluation is a critical pillar of the Verified Access zero trust model. When integrated with CrowdStrike Falcon or Jamf Pro, it retrieves the device's risk score, OS version, firewall enabled/disabled status, and disk encryption state in real time at the point of access, using these as conditions in Cedar policies. For example, you can apply a policy that "allows access only from devices with a CrowdStrike risk score of Medium or below and disk encryption enabled." When a device's state changes (malware detected, policy violation, etc.), the next access attempt is denied by the policy evaluation, dynamically blocking access from compromised devices. Verified Access access logs can be output to CloudWatch Logs, S3, or Kinesis Data Firehose, recording the allow/deny decision, applied policy, user ID, device information, and source IP for each request. These logs can be analyzed with Athena or OpenSearch for detecting anomalous access patterns and compliance auditing. Pricing consists of a fixed monthly fee per application plus usage-based charges for data processing volume.
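As an added example (not code from this page or from AWS), the two-level policy design from the "Trust Providers and the Policy Engine" section and the posture condition above expressed in Cedar: a group-level baseline that requires a verified corporate identity and acceptable device posture, plus an endpoint-level policy that adds an application-specific group condition. The policy reference names `identity_center` and `crwd`, the attribute paths beneath them, the score threshold and the group ID placeholder are assumptions and must be checked against the schema your trust providers actually expose.

```cedar
// --- Group-level policy (baseline shared by every endpoint in the group) ---
// Assumed policy reference names: "identity_center" (identity provider) and
// "crwd" (CrowdStrike device trust provider). Attribute paths are assumptions.

// Fail closed: deny any request that carries no device posture data at all,
// for example a browser on a device without the endpoint sensor installed.
// Cedar treats a missing attribute as an evaluation error, so this explicit
// forbid makes the "no posture data" case an unambiguous deny.
forbid(principal, action, resource)
unless {
    context has crwd &&
    context.crwd has assessment
};

// Baseline: verified e-mail in the corporate domain and a device assessment
// at or above the assumed threshold (higher score = healthier device here).
permit(principal, action, resource)
when {
    context.identity_center.user.email.verified == true &&
    context.identity_center.user.email.address like "*@example.com" &&
    context.crwd.assessment.overall >= 60
};

// --- Endpoint-level policy (e.g. an internal finance tool) ---
// Adds only the application-specific condition: membership in one group.
// "<FINANCE-GROUP-ID>" is a placeholder for the real Identity Center group ID;
// the record-style "has" check assumes groups are keyed by group ID.
permit(principal, action, resource)
when {
    context.identity_center.groups has "<FINANCE-GROUP-ID>"
};
```

Because an explicit `forbid` overrides any `permit` in Cedar, the fail-closed rule in the group policy cannot be loosened by an endpoint policy; test such policies against sample context documents from each trust provider before attaching them.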
