Scribd Logo
Upload

Welcome to Scribd!

  • Aws Verified Access Request Verification Flow Ra 7

    Uploaded by

    Selma Selmi
    15 views5 pages

    Original Title

    aws-verified-access-request-verification-flow-ra-7

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    15 views5 pages

    Aws Verified Access Request Verification Flow Ra 7

    Uploaded by

    Selma Selmi

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 5

    1.

    With AWS IAM Identity Center – Initial Request

    AWS Verified Access 2. With AWS IAM Identity Center – After Initial Request
    Request Verification Flow 3. With AWS IAM Identity Center and Device Trust Provider – Initial Request

    4. With AWS IAM Identity Center and Device Trust Provider – After Initial Request

    Reviewed for technical accuracy February 22, 2023


    © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture
    The initial request is made to the
    1
    AWS Verified Access Request Verification Flow
    application domain hosted on an AWS
    Verified Access (AVA) endpoint. This
    request does not have an identity cookie.
    With AWS IAM Identity Center – Initial Request
    The first redirect is made to the identity
    2 provider, AWS IAM Identity Center, to
    collect the user identity.

    The browser redirects to the IAM Identity


    3
    Region Center URL. The user completes the IAM
    Identity Center sign-in process.

    user device AWS Verified Access VPC IAM Identity Center redirects the user to
    4 the application domain to validate the
    identity token.
    user browser 1 policy document 7 The browser sends the application domain
    5 endpoint the IAM Identity Center token,
    2 which AVA uses to set the user identity
    5 Permit (principal, action, resource) when { Application Load cookie.
    … Balancer
    6
    } AVA redirects the user with the user
    Forbid (principal, action, resource) when { 6 identity cookie to the original URI.

    AVA receives the request with the user
    } Network Load 7
    8 identity cookie. For each user request, AVA
    Balancer will validate the user request against the
    4 policy for the application using the identity
    of the user.
    3
    AVA proxies validated requests to
    Elastic network 8 application endpoints in the customer
    interface virtual private cloud (VPC).
    AWS IAM
    Identity Center

    Reviewed for technical accuracy February 22, 2023


    © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture
    The initial request to the application
    1
    AWS Verified Access Request Verification Flow
    domain hosted on an AVA endpoint, which
    does have a user identity cookie.

    With AWS IAM Identity Center – After Initial Request 2


    For each user request, AVA will validate the
    user request against the policy for the
    application using the identity of the user.

    AVA proxies validated requests to


    3 application endpoints in the customer VPC.
    Region

    user device AWS Verified Access VPC Note: The identity cookie will have a lifetime
    associated with it. When that lifetime expires, the
    user will need to re-authenticate with IAM Identity
    user browser 1 policy document 2
    Center.

    Permit (principal, action, resource) when { Application Load


    … Balancer
    }
    Forbid (principal, action, resource) when {

    } Network Load
    3
    Balancer

    Elastic network
    interface
    AWS IAM
    Identity Center

    Reviewed for technical accuracy February 22, 2023


    © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture
    Note: The local device agent is continuously

    AWS Verified Access Request Verification Flow


    gathering device posture information. The browser
    extension transmits up-to-date information for each
    request to an AVA-wrapped endpoint.
    With AWS IAM Identity Center and Device Trust Provider – Initial Request Steps 1-5 are the same as in the first use case
    1:5 (“With AWS IAM Identity Center – Initial
    Request”).

    The browser extension detects the 302


    6 redirect, but does not know the application
    Region domain is an AVA domain. No device
    information cookie is added.

    user device AWS Verified Access When AVA expects device information but
    VPC
    does not receive it, it redirects the user to the
    device validation domain. AVA will repeat
    steps 3-6, but IAM Identity Center will
    user browser 1 policy document 10 bypass sign-in as cookies from previous sign-
    2 in are found.
    8 5
    Permit (principal, action, resource) when { Application Load The device validation domain sends a 302
    Balancer 7 redirect. This tells the browser extension it
    AWS Verified 6 …
    should pass the device information cookie to
    Access browser } the application domain.
    extension Forbid (principal, action, resource) when {
    7
    9 … The browser extension extracts the
    } 8 application domain from the redirect and
    Network Load
    11 adds it to the cache of trusted AVA domains.
    Balancer
    It sets the device information cookie on the
    4 application domain.

    3 The browser extension allows the redirect to


    9 continue.
    device agent Elastic network
    interface AVA receives a response with a user identity
    AWS IAM 10 cookie and device information cookie. For
    Identity Center each user request, AVA will validate the user
    request against the policy for the application
    using the identity of the user and device
    posture.

    Reviewed for technical accuracy February 22, 2023 AVA proxies validated requests to application
    © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture 11 endpoints in the customer VPC.
    Note: The local device agent is continuously

    AWS Verified Access Request Verification Flow


    gathering device posture information. The browser
    extension transmits up-to-date information for each
    request to an AVA-wrapped endpoint.
    With AWS IAM Identity Center and Device Trust Provider – After Initial
    Because the application domain is in the
    Request 1 browser extension application domain
    allow-list, the browser extension sets the
    device information cookie.
    Region When the user sends the initial request to
    2 the AVA endpoint, the identity cookie and
    device information cookie are included with
    user device AWS Verified Access VPC the request to the application domain.

    AVA receives a response with a user


    2 3 identity cookie and device information
    user browser policy document 3
    cookie. For each user request, AVA will
    validate the user request against the policy
    1 Permit (principal, action, resource) when { Application Load for the application using the identity of the
    Balancer user and device posture.
    AWS Verified …
    Access browser } AVA proxies validated requests to
    extension Forbid (principal, action, resource) when { 4 application endpoints in the customer VPC.

    } Network Load Note: The identity cookie will have a lifetime
    4
    Balancer associated with it. When that lifetime expires, a user
    will need to re-authenticate with IAM Identity
    Center.

    device agent Elastic network


    interface
    AWS IAM
    Identity Center

    Reviewed for technical accuracy February 22, 2023


    © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture

    You might also like