Professional Documents
Culture Documents
AWS Verified Access 2. With AWS IAM Identity Center – After Initial Request
Request Verification Flow 3. With AWS IAM Identity Center and Device Trust Provider – Initial Request
4. With AWS IAM Identity Center and Device Trust Provider – After Initial Request
user device AWS Verified Access VPC IAM Identity Center redirects the user to
4 the application domain to validate the
identity token.
user browser 1 policy document 7 The browser sends the application domain
5 endpoint the IAM Identity Center token,
2 which AVA uses to set the user identity
5 Permit (principal, action, resource) when { Application Load cookie.
… Balancer
6
} AVA redirects the user with the user
Forbid (principal, action, resource) when { 6 identity cookie to the original URI.
…
AVA receives the request with the user
} Network Load 7
8 identity cookie. For each user request, AVA
Balancer will validate the user request against the
4 policy for the application using the identity
of the user.
3
AVA proxies validated requests to
Elastic network 8 application endpoints in the customer
interface virtual private cloud (VPC).
AWS IAM
Identity Center
user device AWS Verified Access VPC Note: The identity cookie will have a lifetime
associated with it. When that lifetime expires, the
user will need to re-authenticate with IAM Identity
user browser 1 policy document 2
Center.
Elastic network
interface
AWS IAM
Identity Center
user device AWS Verified Access When AVA expects device information but
VPC
does not receive it, it redirects the user to the
device validation domain. AVA will repeat
steps 3-6, but IAM Identity Center will
user browser 1 policy document 10 bypass sign-in as cookies from previous sign-
2 in are found.
8 5
Permit (principal, action, resource) when { Application Load The device validation domain sends a 302
Balancer 7 redirect. This tells the browser extension it
AWS Verified 6 …
should pass the device information cookie to
Access browser } the application domain.
extension Forbid (principal, action, resource) when {
7
9 … The browser extension extracts the
} 8 application domain from the redirect and
Network Load
11 adds it to the cache of trusted AVA domains.
Balancer
It sets the device information cookie on the
4 application domain.
Reviewed for technical accuracy February 22, 2023 AVA proxies validated requests to application
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture 11 endpoints in the customer VPC.
Note: The local device agent is continuously