AWS Verified Access Features

Use AWS Verified Access to provide secure network access without a VPN to corporate applications. Verified Access verifies each access request in real time and only connects users to the applications that they are allowed to access. This removes broad access to corporate applications, reducing the associated risks. To verify users against specific security requirements, Verified Access integrates with AWS and third-party security services to source information about identity, device security status, and location. IT administrators can use Verified Access to author a set of policies that defines a user’s ability to access each application. Verified Access also simplifies security operations by helping administrators efficiently set and monitor access policies, freeing time to update policies, respond to security and connectivity incidents, and audit for compliance standards.

Using Verified Access, you can configure fine-grained access for your applications, ensuring that application access is granted only when users meet the specified security requirements (for example, user identity and device security status). Built on Zero Trust guiding principles, Verified Access validates every application request before granting access. Verified Access also supports AWS WAF, helping you filter out common threats such as SQL injection and cross-site scripting (XSS).

Verified Access is seamlessly integrated with AWS IAM Identity Center, which allows end users to authenticate with SAML-based third-party identity providers (IdPs). If you already have a custom IdP solution that is OpenID Connect compatible, Verified Access can also authenticate users by directly connecting with your IdP.

Verified Access is integrated with third-party device management services to provide additional security context. Therefore, you can additionally assess access attempts using the security and compliance state of the user’s device.

Verified Access passes signed identity context, such as user alias, to your applications. This helps you personalize your applications using this context, removing the need to reauthenticate the user at your application. The signed context also protects your applications in case Verified Access is accidentally disabled, as the application can reject the request if it doesn’t receive the context.

With Verified Access, you can group applications with similar security needs. Each application within a group shares a global policy, achieving a minimum-security bar for the entire group and removing the need to manage individual policies for each application. For example, you can group all “dev” applications and set a group-wide access policy.

Verified Access logs every access attempt so that you can quickly respond to security incidents and audit requests. Verified Access supports delivery of these logs to Amazon Simple Storage Service (Amazon S3), Amazon CloudWatch Logs, and Amazon Kinesis Data Firehose. Verified Access supports the Open Cybersecurity Schema Framework (OCSF) logging format, making it easier for you to analyze logs using one of the supported security information and event management (SIEM) and observability providers.