Setting up AWS Verified Access
SECURED REMOTE ACCESS — AWS VERIFIED ACCESS
CONTENTS:
· Overview about Secured Remote Access
· Some common methods used for secure remote access
· About AWS verified access
SECURED REMOTE ACCESS:
Definition
Secured remote access refers to the ability to establish a secure and encrypted connection to a network or system from a remote location. It enables authorized users to access resources, applications, and data within an organization’s infrastructure from outside the organization’s physical premises or network.
Secured remote access is crucial for organizations that have employees, partners, or contractors who need to connect to the organization’s network or systems remotely, such as when working from home or while traveling. It allows individuals to maintain productivity and access the necessary resources securely, without compromising the organization’s network security.
Some common methods used for secured remote access:
1. Virtual Private Network (VPN)
2. Remote Desktop Protocol (RDP)
3. Secure Shell (SSH)
4. Secure Sockets Layer/Transport Layer Security (SSL/TLS)
5. Remote Access Software
Note: AWS Verified Access relies on SSL/TLS for its encrypted connections.
AWS VERIFIED ACCESS:
Overview
A VPN traditionally provides remote access to applications when travelling or working from home. Once remote workers have authenticated through the VPN, a wide range of applications becomes reachable, governed by policies set in separate systems: the VPN gateway, firewalls, the identity provider, the corporate device management solution, and so on. Because these policies are often owned by different teams, they can overlap, which makes application access problems hard to diagnose. Internal applications also frequently rely on older authentication protocols such as Kerberos, which were designed with the LAN in mind, rather than newer protocols such as OIDC that better suit modern enterprise patterns.
AWS Verified Access is a service that helps you implement secure access to corporate applications without requiring a VPN. Built on Zero Trust principles, AWS Verified Access validates every application request before granting access. This helps to protect your applications from unauthorized access, even if your users’ devices are compromised.
AWS Verified Access works by using a combination of factors to verify each user’s identity and device before granting access to an application. These factors include:
● User identity: AWS Verified Access validates the user’s identity using a variety of methods, such as multi-factor authentication (MFA) and risk-based authentication.
● Device identity: AWS Verified Access validates the device’s identity using a variety of methods, such as device fingerprinting and security posture.
● Application context: AWS Verified Access considers the application context when making access decisions. For example, if a user is trying to access a sensitive application, AWS Verified Access may require additional verification steps.
AWS Verified Access can be used to secure a wide variety of corporate applications, including:
● Web applications
● Mobile applications
● Desktop applications
● APIs
AWS Verified Access is a powerful tool that can help you to improve the security of your corporate applications. By implementing AWS Verified Access, you can help to protect your applications from unauthorized access, even if your users’ devices are compromised.
Here are some of the benefits of using AWS Verified Access:
● Improved security: AWS Verified Access helps to protect your applications from unauthorized access, even if your users’ devices are compromised.
● Reduced complexity: AWS Verified Access removes the need for a VPN, which simplifies the remote connectivity experience for end users and reduces the management complexity for IT administrators.
● Increased visibility: AWS Verified Access provides centralized access logs, which can help you to improve your security posture and respond to security incidents more quickly.
If you are looking for a way to improve the security of your corporate applications, AWS Verified Access is a great option. It is a powerful, easy-to-use service that can help you to protect your applications from unauthorized access.
Pricing
There are two components that determine the Verified Access bill:
i. Hourly charges per associated application
ii. Per GB of data processed
A Visual Guide to Setting up AWS Verified Access
The IAM permissions (AWS managed policies) required for AWS Verified Access are:
● AmazonEC2FullAccess
● AmazonRoute53FullAccess
● AmazonVPCFullAccess
● AWSCertificateManagerFullAccess
● AWSLambda_FullAccess
● AWSSSODirectoryAdministrator
● AWSSSOMemberAccountAdministrator
● AWSSSOReadOnly
● IAMFullAccess
Add the policy below in IAM with the name AWSVerifiedAccessPolicy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowVerifiedAccessAction",
                "Effect": "Allow",
                "Action": [
                    "verified-access:AllowVerifiedAccess"
                ],
                "Resource": "*"
            }
        ]
    }
You can see my permission policies below in IAM.
Then open Lambda
Then create a function
Fill in the basic information like shown below
Write the code below in the Lambda function:
    def lambda_handler(event, context):
        # Minimal handler for an ALB Lambda target: the load balancer expects
        # statusCode, headers and body in the returned dictionary.
        return {
            'headers': {
                'Content-Type': 'text/html'
            },
            'statusCode': 200,
            'body': "<html>hello world</html>"
        }
Then deploy the code
Then go to EC2
Create a target group
Then choose Lambda function as the target type
Give the target group a name
Choose your Lambda function
Create the target group
Then you can see your target group
Create a load balancer
Create an Application Load Balancer
Then give the load balancer a name and, for the scheme, choose Internal; otherwise it won't show up while setting up the Verified Access endpoint
Choose any two subnets
Then create a security group
Open only port 80 in the security group for the load balancer
Then create the security group
Then choose the security group you just created (port 80 only) and the target group you created above
Then create the load balancer
Then click on View load balancer
You can see the load balancer you just created
Then go to IAM Identity Center
Then click on Add user
Give the primary information like shown below
Then click on Create group
Then give the group a name and create the group
Then choose the group you want to give the user access to, then Next
Then review and add the user
Then gaurav is added to the gk group
Then you or the user will get an email; open it
Then click Accept invitation
Then create a new password
Then sign in with the username
Give the password you just created
Then you can see that you do not have any applications yet
Then go to VPC
Then create a Verified Access trust provider
Then fill in the details like shown below; the policy reference name is needed later to write the policy in the Verified Access group
Then create the Verified Access trust provider
Then you can see the trust provider has been created
Then go to Verified Access instances
Then fill in the details like shown below and choose the Verified Access trust provider you just created
Then create the Verified Access instance
Then the Verified Access instance has been created
Then create a Verified Access group
Fill in the details and choose the Verified Access instance you just created
Then in the policy details, copy and paste the code below and change the group id; also change the policy reference name (in my case sso) to the one you gave the Verified Access trust provider.
    permit(principal, action, resource)
    when {
        context.sso.groups has "643834f8-4041-70a9-94e1-fec2dfc550fe"
    };
You can see the group id in IAM Identity Center like shown below
Then apply the policy like shown below with your group id
Then create the Verified Access group
Then you can see the Verified Access group has been created
Then create a Verified Access endpoint
Fill in the details and choose the Verified Access group you just created
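As an added example (not from the original guide), a tighter version of the same Cedar policy: it permits members of either of two groups, but only when the IAM Identity Center trust provider reports the user's e-mail address as verified. The group ids are constructed placeholders, sso is the policy reference name used above, and the context.sso.user.email.verified attribute is assumed to follow the IAM Identity Center trust-provider context documented by AWS.

```cedar
// Added example, not part of the original guide.
// Members of either group (placeholder ids, replace with your own) are
// permitted only when the trust provider reports a verified e-mail address.
// "sso" is the policy reference name of the trust provider created above;
// the user.email.verified attribute is assumed from the IAM Identity Center
// trust-provider context. Any request not matched by a permit is denied.
permit(principal, action, resource)
when {
    (context.sso.groups has "<GROUP-ID-1>"
     || context.sso.groups has "<GROUP-ID-2>")
    && context.sso.user.email.verified == true
};
```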
For the application domain you need a domain certificate; visit Amazon ACM like shown below
Click on Request
Next
Then give the fully qualified domain name, then choose DNS validation as the validation method
Then request
You can create the records in Route 53 just by clicking like shown below
Or you can copy and paste the CNAME name and CNAME value into Route 53
Go to Route 53
Then just create a record
Give the CNAME name and CNAME value like shown below
Then click on Create records
Then after some time the ACM certificate status will be Issued
Then go back to the Verified Access endpoint and choose the domain certificate ARN
Then choose the VPC and the security group we created for the load balancer (only port 80 open), choose the load balancer, HTTP, and port 80
Then choose the subnets you chose for the load balancer; you can see my load balancer subnets below
The two subnets below are used in my load balancer
Then create the Verified Access endpoint
Then click on the Verified Access endpoint ID
Then copy the endpoint domain
Then create a record in Route 53
Create a record for the endpoint domain like shown below
Then create the record
Then the Verified Access endpoint will take some time to become active
After it becomes active
Go to the browser and paste your application domain name. It should open over HTTPS. If it asks for a username and password, give the ones you created in IAM Identity Center while creating the user and group.
Then you can see hello world from the Lambda function.
Changes made in the Lambda function are reflected at the application domain name too
You can see the changes below
Process complete for AWS Verified Access
If you want to use an EC2 instance instead of Lambda, follow the steps below:
Launch an instance like shown below
Open all ports in the security group like shown below
The subnet you choose here should also be chosen for the load balancer
Then launch the EC2 instance
The instance has been launched
After the instance launched, I installed nginx on it.
Then create a target group
Choose Instances
Give the target group a name
Register targets like shown below
Then create a load balancer
Choose Application Load Balancer
Fill in the basic configuration; the scheme should be Internal
Choose one subnet that is used by the EC2 instance
Choose two subnets: one that is used by the EC2 instance and another of your choice
Then create a security group
Open only port 80 in the security group for the load balancer
Choose the security group and target group you just created
Then create the load balancer
Then the rest of the process is the same as above, from IAM Identity Center onwards.
By following the rest of the steps from above, at last you can see nginx, which you installed on the EC2 instance, open at your application domain name.
Process of AWS Verified Access completed
If you want to do AWS Verified Access with a network interface, without a load balancer, follow the steps below:
Launch an EC2 instance
I installed Apache on my instance:
    sudo yum install httpd
    sudo systemctl start httpd
    sudo systemctl status httpd
After that go to Network interfaces; there you will see the network interface automatically created when the instance was launched
Then go to IAM Identity Center and follow the same steps as above
After you reach Verified Access endpoints, follow the steps below:
Create a Verified Access endpoint
Give the application domain, choose your issued ACM certificate, and choose your VPC and the security group that has only port 80 open
Choose Network interface, HTTP and port 80, and choose the network interface created when the EC2 instance was launched
Then create the Verified Access endpoint
The Verified Access endpoint will be Pending
You need to create a record in Route 53 for the Verified Access endpoint domain
Create a record like shown below
The Verified Access endpoint takes some time to become Active
Now you can see Active in Verified Access endpoints
Then browse to your domain
https://gk.gauravkhatiwada11.com.np/?
For the username and password, give the ones you created in IAM Identity Center while creating the user and group.
Then the Apache installed on the instance will open at the application domain
Process completed
Documentation by: Gaurav Khatiwada
2023 June 6