Setting up AWS Verified Access

MSP Medium
15 min readJun 6, 2023

SECURED REMOTE ACCESS — AWS VERIFIED ACCESS

CONTENTS:

· Overview about Secured Remote Access

· Some common methods used for secure remote access

· About AWS verified access

CONTENTS:

· Overview about Secured Remote Access

· Some common methods used for secure remote access

· About AWS verified access

SECURED REMOTE ACCESS:

Definition

Secured remote access refers to the ability to establish a secure and encrypted connection to a network or system from a remote location. It enables authorized users to access resources, applications, and data within an organization’s infrastructure from outside the organization’s physical premises or network.

Secured remote access is crucial for organizations that have employees, partners, or contractors who need to connect to the organization’s network or systems remotely, such as when working from home or while traveling. It allows individuals to maintain productivity and access the necessary resources securely, without compromising the organization’s network security.

Some common methods used for secured remote access:

1. Virtual Private Network (VPN)

2. Remote Desktop Protocol (RDP)

3. Secure Shell (SSH)

4. Secure Sockets Layer/Transport Layer Security (SSL/TLS)

5. Remote Access Software

Note: In AWS Verified Access, the concept of SSL/TSL is used.

AWS VERIFIED ACCESS:

Overview

A VPN traditionally provides remote access to programs when traveling or working from home. A wide range of apps are accessible to the remote workforce after they have successfully authenticated via the VPN, based on a number of policies set in separate systems like the VPN gateway, firewalls, identity provider, business device management solution, etc. Since these regulations are often handled by various teams, there may be some overlaps, which makes it challenging to identify application access problems. Instead of using more recent protocols like OIDC that are more suited to contemporary corporate patterns, internal applications frequently rely on older authentication protocols like Kerberos that were designed with the LAN in mind.

AWS Verified Access is a service that helps you implement secure access to corporate applications without requiring a VPN. Built on Zero Trust principles, AWS Verified Access validates every application request before granting access. This helps to protect your applications from unauthorized access, even if your users’ devices are compromised.

AWS Verified Access works by using a combination of factors to verify each user’s identity and device before granting access to an application. These factors include:

● User identity: AWS Verified Access validates the user’s identity using a variety of methods, such as multi-factor authentication (MFA) and risk-based authentication.

● Device identity: AWS Verified Access validates the device’s identity using a variety of methods, such as device fingerprinting and security posture.

● Application context: AWS Verified Access considers the application context when making access decisions. For example, if a user is trying to access a sensitive application, AWS Verified Access may require additional verification steps.

AWS Verified Access can be used to secure a wide variety of corporate applications, including:

● Web applications

● Mobile applications

● Desktop applications

● APIs

AWS Verified Access is a powerful tool that can help you to improve the security of your corporate applications. By implementing AWS Verified Access, you can help to protect your applications from unauthorized access, even if your users’ devices are compromised.

Here are some of the benefits of using AWS Verified Access:

● Improved security: AWS Verified Access helps to protect your applications from unauthorized access, even if your users’ devices are compromised.

● Reduced complexity: AWS Verified Access removes the need for a VPN, which simplifies the remote connectivity experience for end users and reduces the management complexity for IT administrators.

● Increased visibility: AWS Verified Access provides centralized access logs, which can help you to improve your security posture and respond to security incidents more quickly.

If you are looking for a way to improve the security of your corporate applications, AWS Verified Access is a great option. It is a powerful, easy-to-use service that can help you to protect your applications from unauthorized access.

Pricing

There are two components that determine the verified access bill:

i. Hourly charges for associated application

ii. Per GB processed.

A Visual Guide to Setting up AWS Verified Access

IAM role require for AWS Verified Access are:-

● AmazonEC2FullAccess

● AmazonRoute53FullAccess

● AmazonVPCFullAccess

● AWSCertificateManagerFullAccess

● AWSLambda_FullAccess

● AWSSSODirectoryAdministrator

● AWSSSOMemberAccountAdministrator

● AWSSSOReadOnly

● IAMFullAccess

Add below policy in IAM with name AWSVerifiedAccessPolicy

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowVerifiedAccessAction",
"Effect": "Allow",
"Action": [
"verified-access:AllowVerifiedAccess"
],
"Resource": "*"
}
]
}

you can see my permission policies below in IAM

Then open lambda

Then create function

Fill basic information like shown below

Write below code in lambda

def lambda_handler(event, context):
return {
'headers': {
'Content-Type': 'text/html'
},
'statusCode': 200,
'body': "<html>hello world</html>"
}

Then deploy code

Then go to ec2

Make a target group

Then choose lambda function

Give target group name

Choose your lambda function

Create target group

Then You can see your target group

Create load balancer

Create Application load balancer

Then give loadbalancer name then in scheme choose Internal otherwise it won’t show up while setting up Verified Access endpoint

Choose any two subnets

Then create security group

Open only port 80 in security group for load balancer

Then create security group

Then choose security group you just created with port 80,choose target group you just created above

Then create load balancer

Then click on view load balancer

You can see load balancer you just created

Then go to IAM Identity Center

Then click on add user

Give primary information like shown below

Then click on create group

Then Give group name and create group

Then choose group you want to give user access to then next

Then review and add user

Then gaurav is added to gk groups

Then you or user get the mail open it

Then accept the Accept invitation

Then create a new password

Then sign in with username

Give password you just created

Then you can see you do not have any application

Then go to VPC

Then create verified access trust provider

Then fill detail like shown below,Policy reference name we need later on to write policy in verified access group

Then create verified access trust provider

Then you can see trust provider is made

Then go to verified access instance

Then fill details like shown below and choose verified access trust provider you just created

Then create verified access instance

Then the verified access instance has been made

Then create verified access group

Fill the details,choose verified access instance you just created

Then in policy details copy and paste below code and change groups id below,Change Policy reference in my case sso which you have created in verified access trust provider.

permit(principal,action,resource)
when {
context.sso.groups has "643834f8-4041-70a9-94e1-fec2dfc550fe"
};

You can see groups id in IAM Identity Center like shown below

Then apply policy like shown below with your group id

Then create verified access group

Then you can see verified access groups been created

Then create verified access endpoint

Fill details,choose verified access group you just created

Give application domain for domain certificate,visit Amazon ACM like shown below

Click on request

Next

Then give fully qualified domain name then choose validation method DNS validation

Then request

You can create records in route 53 just by clicking like shown below

Or you can copy paste CNAME name and CNAME value in route 53

Go to route 53

Then just create record

Give the CNAME name and CNAME value like shown below

Then click on create records

Then after some time the ACM domain certificate will be Issued

Then go back to verified access endpoint and choose domain certificate ARN

Then choose vpc,security group which we created for load balancer which have only port 80 open,choose load balancer and HTTP ,give port 80

Then choose subnets which you have chosen in load balancer,you can see below my load balancer subnets

Below two subnet are use in my load balancer

Then create verified Access endpoint

Then click in verified Access endpoint ID

Then copy endpoint domain

Then create record in route 53

Create record like shown below of endpoint domain

Then create record

Then verified Access endpoints will take some time to be active

After it get active

Go to the browser and paste your application domain name. It should be open in https.If it asks for a password and username gives it which you made in IAM Identity Center while making the user and groups.

Then you can see hello world from the lambda functions.

Then the changes made in lambda will be changed in application domain name too

You can see the changes below

Process complete for AWS Verified Access

If you want to use instance instead of lambda follow below step:

Launch an instance like shown below

Open all port in security group like shown below

The subnet you have chosen here should be chosen in load balancer too

Then Launch an ec2 instance

The instance has been Launch

After instance lunch i have install nginx in this instance

Then create target group

Choose instances

Give target group name

Register targets like shown below

Then create load balancer

Choose application load balancer

Fill basic configuration the scheme should be Internal

Choose one subnet that is use in ec2 instance

Choose two subnet one which is used in ec2 another as your wish

Then create security group

Only open port 80 in security group for load balancer

Choose security groups and target group which you just created

Then create load balancer

Then rest of the process are same from (above) IAM Identity Center.

By following the rest of the steps from above,At last you can see nginx open in your application domain name,which you have installed in ec2 instance.

Process of AWS Verified Access completed

If you want to do AWS VERIFIED ACCESS with Network interfaces without load balancer follow below steps:

Launch an ec2 instance

I installed apache in my instance

sudo yum install httpd
sudo systemctl start httpd
sudo systemctl status httpd

After that go to network interface their you will see network interface automatically created while instance is launched

Then go to IAM Identity Center and follow same step from above

After you reach Verified Access endpoints follow below step:-

create verified Access endpoint

Give application domain and choose your issued ACM and choose your vpc,security groups which have only port 80 opened

Choose Network interface,http and port 80 and choose network interface which is created while launching ec2

Then create verified Access endpoint

verified Access endpoints will be pending

you need to create record in route 53 of verified Access endpoint domain

create record like shown below

verified Access endpoints take some time to get Active

now you can see Active in verified Access endpoints

Then browser your domain

https://gk.gauravkhatiwada11.com.np/?

For a password and username gives it which you made in IAM Identity Center while making the user and groups.

Then the installed apache in instance will open in Application Domain

process completed

Documentation by:Gaurav khatiwada

2023 June 6

https://www.linkedin.com/in/gaurav-khatiwada-977290176/

--

--