Posted On: Nov 5, 2020
AWS Client VPN is a managed, scalable, virtual private network service that enables users to securely access both AWS resources and on-premises networks.
Customers can now enforce additional security authorization policies on connections to a Client VPN endpoint by configuring a client connect handler (referred to as the handler in this post). The handler enables customers to run custom authorization logic during connection establishment after the Client VPN service has authenticated the devices (or users). The handler is implemented through a AWS Lambda function, and can be enabled through the AWS Console or AWS CLI.
The handler protects customer investments by taking advantage of the existing policies defined (and enforced) in Identity Provider and Mobile Device Management (MDM) software. The handler allows enterprise IT administrators to enforce access based on IP address, geolocation and time (for example: deny access during a maintenance window, or allow access during certain hours). End-users in enterprise organizations might bring their own devices (BYOD), that might require additional security authorization checks and posture assessment (for example: minimum version of Operating System), which can help enforce remediation actions. The handler can also be customized for gathering connection establishment auditing information for certain devices (or users).
Customers of Client VPN can immediately take advantage of Client Connect Handler at no additional cost. This feature is available in all regions where AWS Client VPN operates.