Configuring AWS Verified Access for ZTNA
Overview
AWS Verified Access is a Zero Trust Network Access (ZTNA) service that provides secure, VPN-less access to corporate applications hosted in AWS. It evaluates each access request in real-time against granular conditional access policies written in the Cedar policy language, ensuring access is granted per-application only when specific security requirements such as user identity and device security posture are met and maintained. Verified Access integrates with AWS IAM Identity Center, third-party identity providers (Okta, CrowdStrike, JumpCloud, Jamf), and device management solutions. For multi-account deployments, AWS Resource Access Manager (RAM) enables sharing Verified Access groups across organizational units.
Prerequisites
- AWS account with appropriate IAM permissions
- Identity provider (AWS IAM Identity Center, Okta, or OIDC-compatible)
- Device trust provider (CrowdStrike, Jamf, JumpCloud, or AWS Verified Access native)
- Internal Application Load Balancer (ALB) or network interface endpoint
- Understanding of Cedar policy language
- VPC with application workloads to protect
Architecture
End User (Browser)
|
| HTTPS
v
+------+--------+
| Verified |
| Access |
| Endpoint |
| (Public DNS) |
+------+--------+
|
+------+--------+
| Verified | <-- Cedar Access Policies
| Access | <-- Identity Provider Signals
| Instance | <-- Device Trust Signals
| (Policy |
| Evaluation) |
+------+--------+
|
+------+--------+
| Verified |
| Access Group |
| (App Group) |
+------+--------+
|
+------+--------+
| Internal ALB |
| or ENI Target |
+------+--------+
|
+------+--------+
| Application |
| (Private VPC) |
+--------------+Core Components
Verified Access Instance
The regional entity that evaluates access requests against policies.
# Create Verified Access Instance via AWS CLI
aws ec2 create-verified-access-instance \
--description "Production Zero Trust Instance" \
--tag-specifications 'ResourceType=verified-access-instance,Tags=[{Key=Environment,Value=production}]'Trust Providers
Identity Trust Provider (AWS IAM Identity Center)
# Create identity trust provider
aws ec2 create-verified-access-trust-provider \
--trust-provider-type user \
--user-trust-provider-type iam-identity-center \
--policy-reference-name "idc" \
--description "IAM Identity Center trust provider" \
--tag-specifications 'ResourceType=verified-access-trust-provider,Tags=[{Key=Type,Value=identity}]'Identity Trust Provider (OIDC - Okta)
aws ec2 create-verified-access-trust-provider \
--trust-provider-type user \
--user-trust-provider-type oidc \
--oidc-options '{
"Issuer": "https://company.okta.com/oauth2/default",
"AuthorizationEndpoint": "https://company.okta.com/oauth2/default/v1/authorize",
"TokenEndpoint": "https://company.okta.com/oauth2/default/v1/token",
"UserInfoEndpoint": "https://company.okta.com/oauth2/default/v1/userinfo",
"ClientId": "0oa1234567890",
"ClientSecret": "client-secret-here",
"Scope": "openid profile groups"
}' \
--policy-reference-name "okta" \
--description "Okta OIDC trust provider"Device Trust Provider (CrowdStrike)
aws ec2 create-verified-access-trust-provider \
--trust-provider-type device \
--device-trust-provider-type crowdstrike \
--device-options '{
"TenantId": "crowdstrike-tenant-id",
"PublicSigningKeyUrl": "https://api.crowdstrike.com/zero-trust/v2/certificates"
}' \
--policy-reference-name "crowdstrike" \
--description "CrowdStrike device trust provider"Attach Trust Providers to Instance
# Attach identity provider
aws ec2 attach-verified-access-trust-provider \
--verified-access-instance-id vai-0123456789abcdef \
--verified-access-trust-provider-id vatp-0123456789abcdef
# Attach device provider
aws ec2 attach-verified-access-trust-provider \
--verified-access-instance-id vai-0123456789abcdef \
--verified-access-trust-provider-id vatp-device123456Verified Access Groups
# Create a group for web applications
aws ec2 create-verified-access-group \
--verified-access-instance-id vai-0123456789abcdef \
--description "Production Web Applications" \
--policy-document 'permit(principal, action, resource)
when {
context.okta.groups.contains("production-access") &&
context.crowdstrike.assessment.overall > 50
};' \
--tag-specifications 'ResourceType=verified-access-group,Tags=[{Key=Tier,Value=web}]'Verified Access Endpoints
# Create endpoint for ALB-backed application
aws ec2 create-verified-access-endpoint \
--verified-access-group-id vag-0123456789abcdef \
--endpoint-type load-balancer \
--attachment-type vpc \
--domain-certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/xxxx \
--application-domain app.internal.company.com \
--endpoint-domain-prefix myapp \
--load-balancer-options '{
"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/internal-alb/xxxx",
"Port": 443,
"Protocol": "https",
"SubnetIds": ["subnet-abc123", "subnet-def456"]
}' \
--security-group-ids sg-0123456789abcdef \
--description "Internal HR Application"Cedar Policy Language
Policy Basics
// Allow access for users in the engineering group with compliant devices
permit(principal, action, resource)
when {
context.okta.groups.contains("engineering") &&
context.crowdstrike.assessment.overall > 70 &&
context.crowdstrike.assessment.sensor_config.status == "active"
};
// Deny access from unmanaged devices
forbid(principal, action, resource)
when {
!context.crowdstrike.assessment.sensor_config.status == "active"
};Advanced Policy Examples
// Time-based access - only during business hours (UTC)
permit(principal, action, resource)
when {
context.okta.groups.contains("contractors") &&
context.http_request.http_method == "GET" &&
context.crowdstrike.assessment.overall > 80
};
// Restrict admin access to specific user group with high device trust
permit(principal, action, resource)
when {
context.idc.groups.contains("admins") &&
context.crowdstrike.assessment.overall > 90 &&
context.crowdstrike.assessment.os_version.startswith("Windows 11") ||
context.crowdstrike.assessment.os_version.startswith("macOS 14")
};
// Allow read-only access for lower trust levels
permit(principal, action, resource)
when {
context.okta.groups.contains("read-only") &&
context.crowdstrike.assessment.overall > 30 &&
context.http_request.http_method == "GET"
};Group-Level vs Endpoint-Level Policies
// Group-level policy (applies to all endpoints in the group)
// Set on the Verified Access Group
permit(principal, action, resource)
when {
context.okta.groups.contains("employees") &&
context.crowdstrike.assessment.overall > 50
};
// Endpoint-level policy (additional restrictions for specific app)
// Set on the Verified Access Endpoint
permit(principal, action, resource)
when {
context.okta.groups.contains("hr-team") &&
context.okta.email.endsWith("@company.com")
};Terraform Configuration
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
# Verified Access Instance
resource "aws_verifiedaccess_instance" "main" {
description = "Production Zero Trust Access"
tags = {
Environment = "production"
}
}
# Identity Trust Provider (OIDC)
resource "aws_verifiedaccess_trust_provider" "okta" {
policy_reference_name = "okta"
trust_provider_type = "user"
user_trust_provider_type = "oidc"
description = "Okta identity provider"
oidc_options {
authorization_endpoint = "https://company.okta.com/oauth2/default/v1/authorize"
client_id = var.okta_client_id
client_secret = var.okta_client_secret
issuer = "https://company.okta.com/oauth2/default"
scope = "openid profile groups"
token_endpoint = "https://company.okta.com/oauth2/default/v1/token"
user_info_endpoint = "https://company.okta.com/oauth2/default/v1/userinfo"
}
}
# Device Trust Provider (CrowdStrike)
resource "aws_verifiedaccess_trust_provider" "crowdstrike" {
policy_reference_name = "crowdstrike"
trust_provider_type = "device"
device_trust_provider_type = "crowdstrike"
description = "CrowdStrike device trust"
device_options {
tenant_id = var.crowdstrike_tenant_id
}
}
# Attach providers to instance
resource "aws_verifiedaccess_instance_trust_provider_attachment" "okta" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.okta.id
}
resource "aws_verifiedaccess_instance_trust_provider_attachment" "crowdstrike" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.crowdstrike.id
}
# Verified Access Group
resource "aws_verifiedaccess_group" "web_apps" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
description = "Production Web Applications"
policy_document = <<-CEDAR
permit(principal, action, resource)
when {
context.okta.groups.contains("production-access") &&
context.crowdstrike.assessment.overall > 50
};
CEDAR
tags = {
Tier = "web"
}
}
# Verified Access Endpoint
resource "aws_verifiedaccess_endpoint" "internal_app" {
verified_access_group_id = aws_verifiedaccess_group.web_apps.id
endpoint_type = "load-balancer"
attachment_type = "vpc"
domain_certificate_arn = aws_acm_certificate.app.arn
application_domain = "app.internal.company.com"
endpoint_domain_prefix = "myapp"
description = "Internal Application"
load_balancer_options {
load_balancer_arn = aws_lb.internal.arn
port = 443
protocol = "https"
subnet_ids = var.private_subnet_ids
}
security_group_ids = [aws_security_group.verified_access.id]
policy_document = <<-CEDAR
permit(principal, action, resource)
when {
context.okta.groups.contains("app-users")
};
CEDAR
}
# Logging configuration
resource "aws_verifiedaccess_instance_logging_configuration" "main" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
access_logs {
cloudwatch_logs {
enabled = true
log_group = aws_cloudwatch_log_group.verified_access.name
}
s3 {
enabled = true
bucket_name = aws_s3_bucket.access_logs.id
prefix = "verified-access/"
}
}
}
resource "aws_cloudwatch_log_group" "verified_access" {
name = "/aws/verified-access/production"
retention_in_days = 90
}Multi-Account Deployment with AWS RAM
# Share Verified Access Group across accounts via RAM
resource "aws_ram_resource_share" "verified_access" {
name = "verified-access-share"
allow_external_principals = false
}
resource "aws_ram_resource_association" "group_share" {
resource_arn = aws_verifiedaccess_group.web_apps.verified_access_group_arn
resource_share_arn = aws_ram_resource_share.verified_access.arn
}
resource "aws_ram_principal_association" "workload_ou" {
principal = "arn:aws:organizations::123456789012:ou/o-xxxx/ou-xxxx-xxxxxxxx"
resource_share_arn = aws_ram_resource_share.verified_access.arn
}Monitoring and Logging
# Query access logs in CloudWatch
aws logs filter-log-events \
--log-group-name /aws/verified-access/production \
--filter-pattern '{ $.status_code = "403" }' \
--start-time $(date -d '1 hour ago' +%s000)
# CloudWatch alarm for access denials
aws cloudwatch put-metric-alarm \
--alarm-name "VerifiedAccess-HighDenialRate" \
--metric-name "AccessDenied" \
--namespace "AWS/VerifiedAccess" \
--statistic Sum \
--period 300 \
--threshold 100 \
--comparison-operator GreaterThanThreshold \
--evaluation-periods 2 \
--alarm-actions arn:aws:sns:us-east-1:123456789012:security-alertsSecurity Best Practices
- Layer policies: Use group-level policies for broad controls and endpoint-level for app-specific restrictions
- Require device trust: Always include device posture checks in Cedar policies
- Enable access logging: Send to both CloudWatch and S3 for real-time monitoring and long-term retention
- Use RAM for multi-account: Share groups across OUs instead of duplicating configuration
- Rotate OIDC secrets: Automate client secret rotation via Secrets Manager
- Test policies in non-production: Validate Cedar policies before production deployment
- Set high device trust thresholds: Require overall score above 70 for production access
- Monitor for policy drift: Use AWS Config rules to detect unauthorized changes
Verification Criteria
Confirm successful execution by validating:
- [ ] All prerequisite tools and access requirements are satisfied
- [ ] Each workflow step completed without errors
- [ ] Output matches expected format and contains expected data
- [ ] No security warnings or misconfigurations detected
- [ ] Results are documented and evidence is preserved for audit
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC6.1 (Logical Access), CC6.2 (Credentials), CC6.3 (Provisioning)
- ISO 27001: A.9.1 (Access Control), A.9.4 (System Access Control), A.13.1 (Network Security)
- NIST 800-53: AC-2 (Account Management), AC-3 (Access Enforcement), SC-7 (Boundary Protection)
- NIST CSF: PR.AC (Access Control), PR.PT (Protective Technology)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add configuring-aws-verified-access-for-ztna
# Or load dynamically via MCP
grc.load_skill("configuring-aws-verified-access-for-ztna")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.