Zero Trust on AWS

Advancing your security model with a Zero Trust approach

What is Zero Trust on AWS?

Zero Trust is a security model centered on the idea that access to data should not be solely made based on network location. It requires users and systems to strongly prove their identities and trustworthiness, and enforces fine-grained identity-based authorization rules before allowing them to access applications, data, and other systems. With Zero Trust, these identities often operate within highly flexible identity-aware networks that further reduce surface area, eliminate unneeded pathways to data, and provide straightforward outer security guardrails. 

Moving to a Zero Trust security model starts with evaluating your workload portfolio and determining where the enhanced flexibility and security of Zero Trust would provide the greatest benefits. Then, you’ll apply Zero Trust concepts - rethinking identity, authentication,  and other context indicators such as device state and health – in order to make real and meaningful security improvements over the status quo. To help you on this journey, a number of AWS identity and networking services provide core Zero Trust building blocks as standard features that can be applied to both new and existing workloads. 

Zero Trust on AWS: Steve Schmidt, VP of Security Engineering & CISO, AWS (11:12)

Amazon Day 1 and Sphere buildings

Ebook - Zero Trust: Charting a Path to Stronger Security

As organizations and cyber risks evolve, security models need to keep up. Learn more about Zero Trust and how you can use it to build a multi-layered security strategy that adapts to the modern environment.

Download the ebook »

Video - Journeys to Zero Trust on AWS (41:27)

Watch this re:Inforce 2023 leadership session with Jess Szmajda, General Manager, AWS Network Firewall & Firewall Manager, and Quint Van Deman, Principal, Office of the CISO,  to learn how customers can use AWS's latest capabilities to implement a Zero Trust security model.

Watch the video »

Blog - Zero Trust architectures: An AWS Perspective

Blog - Zero Trust architectures: An AWS Perspective

Read about the AWS guiding principles for Zero Trust, explore common use cases, and learn how AWS services can help you build your Zero Trust architecture today.

Read the blog »

Video - Achieving Zero Trust with AWS application networking (58:55)

Watch this video to learn about AWS application networking services that allow you to set up a security model that establishes trust by continuously authenticating and monitoring access.

Watch the video »

Guiding principles for building Zero Trust on AWS

Where possible, use identity and network capabilities together

Identity and network controls in AWS can oftentimes complement and augment one another to help you accomplish your specific security objectives. Identity-centric controls offer very strong, flexible, and fine-grained access controls. Network-centric controls enable you to easily establish well understood perimeters within which identity-centric controls can operate. Ideally, these controls should be aware of and augment one another.

Work backwards from your specific use cases

There are a number of common use cases, such as workforce mobility, software-to-software communications, and digital transformation projects that can benefit from the enhanced security provided by Zero Trust. It is important to work backwards from each of the specific use cases that apply to your organization in order to determine the optimal Zero Trust patterns, tools, and approaches that achieve meaningful security advancements.

Apply Zero Trust to your systems and data in accordance with their value

You should think of Zero Trust concepts as additive to your existing security controls. By applying Zero Trust concepts in accordance with the organizational value of the system and data being protected, you can ensure that the benefits to your business are commensurate with the effort.

avalon logo
Avalon Healthcare Solutions

Avalon Healthcare Solutions (Avalon), a provider of lab insights, wanted to give users secure and convenient access to business reports and health data through a web browser—without a VPN. Founded in 2013, Avalon has used a Zero Trust framework on Amazon Web Services (AWS) for its corporate applications from the beginning.

"One of our primary technical objectives is to optimize the user experience while steadfastly upholding zero-trust principles," said Eric Ellis, AVP Enterprise Cloud Technology at Avalon Healthcare Solutions. "As new business requirements emerged, we felt compelled to position our corporate applications at the network's edge. With AWS Verified Access, our Security and Technical engineers were able to provision zero-trust-based access to corporate applications in just minutes, without using VPNs. Verified Access allowed us to tackle the crucial challenge of aligning essential service delivery with user experience enhancement, all without compromising our strict zero-trust policies." 

Learn more about how Avalon Healthcare Solutions enhanced security using AWS Verified Access

neo Financial logo linking to case study
Neo Financial

Neo Financial, a Canadian company, is on the cutting edge of technology, delivering highly valued services like credit cards with no annual fees, unlimited cash back, and flexible credit limits. Neo Financial wanted to move toward a security model that grants resource access based on user credentials, rather than network connection. 

Using Amazon WorkSpaces Secure Browser, Neo Financial is advancing its Zero Trust initiative by granting users access to resources based on user-specific credentials, rather than relying on network access. “Using Amazon WorkSpaces Secure Browser, we have fewer servers to manage and can use single sign-on to manage authentication across our business, helping us achieve our Zero Trust goals,” says Eric Zaporzan, Director of Infrastructure at Neo Financial. “All those factors help make audits simpler for the Payment Card Industry Data Security Standard (PCI DSS) and other compliance measures.” 

Learn more about how Neo Financial implemented Zero Trust access using Amazon WorkSpaces Secure Browser

Zero Trust principles at work within AWS

Signing AWS API requests

Every day, each and every AWS customer interacts confidently and securely with AWS, making billions of AWS API calls over a diverse set of public and private networks. Each one of these signed API requests is individually authenticated and authorized every single time at rates of over a billion requests per second globally. The use of network-level encryption using Transport Layer Security (TLS) combined with powerful cryptographic capabilities of the AWS Signature v4 signing process secures these requests without any regard to the trustworthiness of the underlying network.

AWS service-to-service interactions

When individual AWS services need to call each other, they rely on the same security mechanisms that you use as a customer. For example, the Amazon EC2 Auto Scaling service uses a service-linked role in your account to receive short term credentials and call the Amazon Elastic Compute Cloud (Amazon EC2) APIs on your behalf in response to scaling needs. These calls are authenticated and authorized by AWS Identity and Access Management (IAM), just as your calls to AWS services are. Strong identity-centric controls form the basis of the security model between AWS services.

Zero Trust for IoT

AWS IoT provides the foundational components of Zero Trust to a technology domain where unauthenticated, unencrypted network messaging over the open internet was previously the norm. All traffic between your connected IoT devices and the AWS IoT services is sent over Transport Layer Security (TLS) using modern device authentication including certificate-based mutual TLS. In addition, AWS added TLS support to FreeRTOS bringing key foundational components of Zero Trust to a whole class of microcontrollers and embedded systems.

Read the blog »

Use cases

Software-to-software communications

When two components don’t need to communicate, they shouldn’t be able to, even when residing within the same network segment. You can accomplish this by authorizing specific flows between the components. By eliminating unnecessary communication pathways, you are applying least privilege principles to better protect critical data. Depending on the nature of the systems, you can construct these architectures through simplified and automated service-to-service connectivity with embedded authentication and authorization using Amazon VPC Lattice, dynamic micro-perimeters built using Security Groups, request signing through Amazon API Gateway, and more. 

Secure workforce mobility

The modern workforce requires access to their business applications from anywhere without compromising security. You can accomplish this with AWS Verified Access. This allows you to provide secure access to corporate applications without a VPN. Easily connect your existing identity provider (IdP) and device management service and use access policies to tightly control application access while delivering a seamless user experience and improving security posture. You can also accomplish this with services like the Amazon WorkSpaces Family or Amazon AppStream 2.0, which stream applications as encrypted pixels to remote users while keeping data safely within your Amazon VPC and any connected private networks.

Digital transformation projects

Digital transformation projects often connect sensors, controllers, and cloud-based processing and insights, all operating entirely outside of the traditional enterprise network. To keep your critical IoT infrastructure protected, the family of AWS IoT services can provide end-to-end security over open networks, with device authentication and authorization offered as standard features.

Learn more about AWS Identity

Securely manage access to workloads and applications

Read more 
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Start building in the console

Get started building in the AWS Management Console.

Sign in