AWS recently announced the general availability of Verified Access, a managed service that provides secure access to corporate applications without relying on a VPN. With the GA, the cloud provider introduced support for AWS WAF and the ability to pass signed identity context to end applications.
Released as a preview during the re:Invent conference, the new service can be used to support a work-from-anywhere model, evaluating each access request in real time based on the user’s identity and device, using fine-grained policies.
Reducing the risks associated with remote connectivity, Verified Access can help secure distributed users, manage corporate application access, and centralize access logs: the new service evaluates access requests and logs request data, supporting the analysis of security and connectivity incidents.
Built on Zero Trust principles, Verified Access has centralized policy enforcement to grant access to the application behind the service, with support for Cedar policies to permit or forbid access to specific applications. According to the cloud provider, corporate applications with Site-to-Site VPN and internet-facing corporate applications are the two most common enterprise architectures that can benefit from moving to the new managed option.
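An added illustration of the Cedar policy style the article refers to, not taken from the article or from AWS's own documentation: it assumes the identity and device trust providers were attached to the Verified Access group under the policy reference names `okta` and `jamf`, and that they surface `groups` and `risk` claims as written.

```cedar
// Added example policy for an AWS Verified Access endpoint (not from the
// article or from AWS). Assumed policy reference names: "okta" for the OIDC
// identity provider, "jamf" for the device trust provider; the claim names
// below are assumed to match what those providers expose to Cedar.

// Grant access only to members of the finance group whose device Jamf
// currently rates as low risk.
permit(principal, action, resource)
when {
    context.okta.groups.contains("finance") &&
    context.jamf.risk == "LOW"
};

// Defence in depth: deny everything that is not affirmatively a low-risk
// managed device. Written as forbid/unless so that a missing or unexpected
// device claim still yields a deny; a forbid whose condition errors out on a
// missing attribute would otherwise be dropped from evaluation.
forbid(principal, action, resource)
unless {
    context has jamf && context.jamf.risk == "LOW"
};
```

In Cedar a matching forbid always overrides a matching permit, so the second policy holds even if a broader permit is added later.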
Verified Access now supports integration with AWS WAF to protect web applications from application-layer threats and can pass a signed identity context to an application endpoint. Riggs Goodman III, senior global tech lead at AWS, and Shovan Das, principal product manager, explain the benefits:
Previously, users would request access to the application behind Verified Access with both identity and device claims, but the claims were not available to the end applications. Verified Access now passes signed identity context, including things like email, username, and other attributes from the identity provider to the applications. This enables you to personalize your application using this context, eliminating the need to re-authenticate the user for personalization.
Customers are charged for the amount of data processed and pay an hourly fee for each application on Verified Access, starting at $0.02 per GB and $0.27/hr. The pricing model has received criticism from the community, with some users suggesting that Cloudflare VPN Replacement is often a cheaper solution.
Corey Quinn, chief cloud economist at The Duckbill Group, comments:
The last time a VPN-less service was put out by AWS was Amazon WorkLink, which has oh-so-very-quietly been deprecated in favor of 'WorkSpaces Web' whatever that might be. Hopefully this one fares better.
Verified Access integrates with multiple third-party identity and device management services, including Beyond Identity, CrowdStrike, CyberArk, Cisco Duo, Jamf, JumpCloud, Okta, and Ping Identity. The service is currently available in ten AWS regions, including Northern Virginia, Frankfurt, and Dublin.