configuring-aws-verified-access-for-ztna

配置 AWS Verified Access,使用 Cedar 策略语言通过身份和设备态势验证,为内部应用程序提供无 VPN 的零信任网络访问(ZTNA)。

9 stars

Best use case

configuring-aws-verified-access-for-ztna is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

配置 AWS Verified Access,使用 Cedar 策略语言通过身份和设备态势验证,为内部应用程序提供无 VPN 的零信任网络访问(ZTNA)。

Teams using configuring-aws-verified-access-for-ztna should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/configuring-aws-verified-access-for-ztna/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/configuring-aws-verified-access-for-ztna/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/configuring-aws-verified-access-for-ztna/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How configuring-aws-verified-access-for-ztna Compares

Feature / Agentconfiguring-aws-verified-access-for-ztnaStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

配置 AWS Verified Access,使用 Cedar 策略语言通过身份和设备态势验证,为内部应用程序提供无 VPN 的零信任网络访问(ZTNA)。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 为 ZTNA 配置 AWS Verified Access

## 概述

AWS Verified Access 是一项零信任网络访问(ZTNA,Zero Trust Network Access)服务,为 AWS 中托管的企业应用程序提供安全的无 VPN 访问。它使用 Cedar 策略语言编写的精细化条件访问策略实时评估每个访问请求,确保仅在满足和维持特定安全要求(如用户身份和设备安全态势)时才按应用程序授予访问权限。Verified Access 与 AWS IAM Identity Center、第三方身份提供商(Okta、CrowdStrike、JumpCloud、Jamf)及设备管理解决方案集成。对于多账户部署,AWS Resource Access Manager(RAM)支持跨组织单元共享 Verified Access 组。

## 前置条件

- 具有适当 IAM 权限的 AWS 账户
- 身份提供商(AWS IAM Identity Center、Okta 或兼容 OIDC 的提供商)
- 设备信任提供商(CrowdStrike、Jamf、JumpCloud 或 AWS Verified Access 原生)
- 内部应用程序负载均衡器(ALB)或网络接口端点
- 了解 Cedar 策略语言
- 带有待保护应用程序工作负载的 VPC

## 架构

```
    终端用户(浏览器)
         |
         | HTTPS
         v
  +------+--------+
  | Verified      |
  | Access        |
  | 端点          |
  | (公共 DNS)    |
  +------+--------+
         |
  +------+--------+
  | Verified      |  <-- Cedar 访问策略
  | Access        |  <-- 身份提供商信号
  | 实例          |  <-- 设备信任信号
  | (策略         |
  |  评估)        |
  +------+--------+
         |
  +------+--------+
  | Verified      |
  | Access 组     |
  | (应用组)      |
  +------+--------+
         |
  +------+--------+
  | 内部 ALB      |
  | 或 ENI 目标   |
  +------+--------+
         |
  +------+--------+
  | 应用程序      |
  | (私有 VPC)    |
  +--------------+
```

## 核心组件

### Verified Access 实例

评估访问请求策略的区域实体。

```bash
# 通过 AWS CLI 创建 Verified Access 实例
aws ec2 create-verified-access-instance \
  --description "生产零信任实例" \
  --tag-specifications 'ResourceType=verified-access-instance,Tags=[{Key=Environment,Value=production}]'
```

### 信任提供商

#### 身份信任提供商(AWS IAM Identity Center)

```bash
# 创建身份信任提供商
aws ec2 create-verified-access-trust-provider \
  --trust-provider-type user \
  --user-trust-provider-type iam-identity-center \
  --policy-reference-name "idc" \
  --description "IAM Identity Center 信任提供商" \
  --tag-specifications 'ResourceType=verified-access-trust-provider,Tags=[{Key=Type,Value=identity}]'
```

#### 身份信任提供商(OIDC - Okta)

```bash
aws ec2 create-verified-access-trust-provider \
  --trust-provider-type user \
  --user-trust-provider-type oidc \
  --oidc-options '{
    "Issuer": "https://company.okta.com/oauth2/default",
    "AuthorizationEndpoint": "https://company.okta.com/oauth2/default/v1/authorize",
    "TokenEndpoint": "https://company.okta.com/oauth2/default/v1/token",
    "UserInfoEndpoint": "https://company.okta.com/oauth2/default/v1/userinfo",
    "ClientId": "0oa1234567890",
    "ClientSecret": "client-secret-here",
    "Scope": "openid profile groups"
  }' \
  --policy-reference-name "okta" \
  --description "Okta OIDC 信任提供商"
```

#### 设备信任提供商(CrowdStrike)

```bash
aws ec2 create-verified-access-trust-provider \
  --trust-provider-type device \
  --device-trust-provider-type crowdstrike \
  --device-options '{
    "TenantId": "crowdstrike-tenant-id",
    "PublicSigningKeyUrl": "https://api.crowdstrike.com/zero-trust/v2/certificates"
  }' \
  --policy-reference-name "crowdstrike" \
  --description "CrowdStrike 设备信任提供商"
```

### 将信任提供商附加到实例

```bash
# 附加身份提供商
aws ec2 attach-verified-access-trust-provider \
  --verified-access-instance-id vai-0123456789abcdef \
  --verified-access-trust-provider-id vatp-0123456789abcdef

# 附加设备提供商
aws ec2 attach-verified-access-trust-provider \
  --verified-access-instance-id vai-0123456789abcdef \
  --verified-access-trust-provider-id vatp-device123456
```

### Verified Access 组

```bash
# 为 Web 应用创建组
aws ec2 create-verified-access-group \
  --verified-access-instance-id vai-0123456789abcdef \
  --description "生产 Web 应用" \
  --policy-document 'permit(principal, action, resource)
    when {
      context.okta.groups.contains("production-access") &&
      context.crowdstrike.assessment.overall > 50
    };' \
  --tag-specifications 'ResourceType=verified-access-group,Tags=[{Key=Tier,Value=web}]'
```

### Verified Access 端点

```bash
# 为基于 ALB 的应用创建端点
aws ec2 create-verified-access-endpoint \
  --verified-access-group-id vag-0123456789abcdef \
  --endpoint-type load-balancer \
  --attachment-type vpc \
  --domain-certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/xxxx \
  --application-domain app.internal.company.com \
  --endpoint-domain-prefix myapp \
  --load-balancer-options '{
    "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/internal-alb/xxxx",
    "Port": 443,
    "Protocol": "https",
    "SubnetIds": ["subnet-abc123", "subnet-def456"]
  }' \
  --security-group-ids sg-0123456789abcdef \
  --description "内部人力资源应用"
```

## Cedar 策略语言

### 策略基础

```cedar
// 允许使用合规设备的工程组用户访问
permit(principal, action, resource)
when {
    context.okta.groups.contains("engineering") &&
    context.crowdstrike.assessment.overall > 70 &&
    context.crowdstrike.assessment.sensor_config.status == "active"
};

// 拒绝来自非托管设备的访问
forbid(principal, action, resource)
when {
    !context.crowdstrike.assessment.sensor_config.status == "active"
};
```

### 高级策略示例

```cedar
// 基于时间的访问 - 仅在工作时间(UTC)
permit(principal, action, resource)
when {
    context.okta.groups.contains("contractors") &&
    context.http_request.http_method == "GET" &&
    context.crowdstrike.assessment.overall > 80
};

// 将管理员访问限制为具有高设备信任的特定用户组
permit(principal, action, resource)
when {
    context.idc.groups.contains("admins") &&
    context.crowdstrike.assessment.overall > 90 &&
    context.crowdstrike.assessment.os_version.startswith("Windows 11") ||
    context.crowdstrike.assessment.os_version.startswith("macOS 14")
};

// 为较低信任级别允许只读访问
permit(principal, action, resource)
when {
    context.okta.groups.contains("read-only") &&
    context.crowdstrike.assessment.overall > 30 &&
    context.http_request.http_method == "GET"
};
```

### 组级别与端点级别策略

```cedar
// 组级别策略(适用于组中的所有端点)
// 在 Verified Access 组上设置
permit(principal, action, resource)
when {
    context.okta.groups.contains("employees") &&
    context.crowdstrike.assessment.overall > 50
};

// 端点级别策略(特定应用的额外限制)
// 在 Verified Access 端点上设置
permit(principal, action, resource)
when {
    context.okta.groups.contains("hr-team") &&
    context.okta.email.endsWith("@company.com")
};
```

## Terraform 配置

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Verified Access 实例
resource "aws_verifiedaccess_instance" "main" {
  description = "生产零信任访问"
  tags = {
    Environment = "production"
  }
}

# 身份信任提供商(OIDC)
resource "aws_verifiedaccess_trust_provider" "okta" {
  policy_reference_name    = "okta"
  trust_provider_type      = "user"
  user_trust_provider_type = "oidc"
  description              = "Okta 身份提供商"

  oidc_options {
    authorization_endpoint = "https://company.okta.com/oauth2/default/v1/authorize"
    client_id              = var.okta_client_id
    client_secret          = var.okta_client_secret
    issuer                 = "https://company.okta.com/oauth2/default"
    scope                  = "openid profile groups"
    token_endpoint         = "https://company.okta.com/oauth2/default/v1/token"
    user_info_endpoint     = "https://company.okta.com/oauth2/default/v1/userinfo"
  }
}

# 设备信任提供商(CrowdStrike)
resource "aws_verifiedaccess_trust_provider" "crowdstrike" {
  policy_reference_name     = "crowdstrike"
  trust_provider_type       = "device"
  device_trust_provider_type = "crowdstrike"
  description               = "CrowdStrike 设备信任"

  device_options {
    tenant_id = var.crowdstrike_tenant_id
  }
}

# 将提供商附加到实例
resource "aws_verifiedaccess_instance_trust_provider_attachment" "okta" {
  verifiedaccess_instance_id       = aws_verifiedaccess_instance.main.id
  verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.okta.id
}

resource "aws_verifiedaccess_instance_trust_provider_attachment" "crowdstrike" {
  verifiedaccess_instance_id       = aws_verifiedaccess_instance.main.id
  verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.crowdstrike.id
}

# Verified Access 组
resource "aws_verifiedaccess_group" "web_apps" {
  verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
  description                = "生产 Web 应用"

  policy_document = <<-CEDAR
    permit(principal, action, resource)
    when {
      context.okta.groups.contains("production-access") &&
      context.crowdstrike.assessment.overall > 50
    };
  CEDAR

  tags = {
    Tier = "web"
  }
}

# Verified Access 端点
resource "aws_verifiedaccess_endpoint" "internal_app" {
  verified_access_group_id = aws_verifiedaccess_group.web_apps.id
  endpoint_type            = "load-balancer"
  attachment_type          = "vpc"
  domain_certificate_arn   = aws_acm_certificate.app.arn
  application_domain       = "app.internal.company.com"
  endpoint_domain_prefix   = "myapp"
  description              = "内部应用"

  load_balancer_options {
    load_balancer_arn = aws_lb.internal.arn
    port              = 443
    protocol          = "https"
    subnet_ids        = var.private_subnet_ids
  }

  security_group_ids = [aws_security_group.verified_access.id]

  policy_document = <<-CEDAR
    permit(principal, action, resource)
    when {
      context.okta.groups.contains("app-users")
    };
  CEDAR
}

# 日志配置
resource "aws_verifiedaccess_instance_logging_configuration" "main" {
  verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id

  access_logs {
    cloudwatch_logs {
      enabled   = true
      log_group = aws_cloudwatch_log_group.verified_access.name
    }
    s3 {
      enabled     = true
      bucket_name = aws_s3_bucket.access_logs.id
      prefix      = "verified-access/"
    }
  }
}

resource "aws_cloudwatch_log_group" "verified_access" {
  name              = "/aws/verified-access/production"
  retention_in_days = 90
}
```

## 使用 AWS RAM 进行多账户部署

```hcl
# 通过 RAM 在账户间共享 Verified Access 组
resource "aws_ram_resource_share" "verified_access" {
  name                      = "verified-access-share"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "group_share" {
  resource_arn       = aws_verifiedaccess_group.web_apps.verified_access_group_arn
  resource_share_arn = aws_ram_resource_share.verified_access.arn
}

resource "aws_ram_principal_association" "workload_ou" {
  principal          = "arn:aws:organizations::123456789012:ou/o-xxxx/ou-xxxx-xxxxxxxx"
  resource_share_arn = aws_ram_resource_share.verified_access.arn
}
```

## 监控和日志

```bash
# 在 CloudWatch 中查询访问日志
aws logs filter-log-events \
  --log-group-name /aws/verified-access/production \
  --filter-pattern '{ $.status_code = "403" }' \
  --start-time $(date -d '1 hour ago' +%s000)

# 访问拒绝的 CloudWatch 告警
aws cloudwatch put-metric-alarm \
  --alarm-name "VerifiedAccess-HighDenialRate" \
  --metric-name "AccessDenied" \
  --namespace "AWS/VerifiedAccess" \
  --statistic Sum \
  --period 300 \
  --threshold 100 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 2 \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:security-alerts
```

## 安全最佳实践

1. **分层策略**:使用组级策略进行广泛控制,端点级策略进行特定应用限制
2. **要求设备信任**:始终在 Cedar 策略中包含设备态势检查
3. **启用访问日志**:同时发送到 CloudWatch 和 S3,用于实时监控和长期保留
4. **多账户使用 RAM**:跨组织单元共享组,而非复制配置
5. **轮换 OIDC 密钥**:通过 Secrets Manager 自动化客户端密钥轮换
6. **在非生产环境测试策略**:在生产部署前验证 Cedar 策略
7. **设置高设备信任阈值**:要求生产访问的整体评分高于 70
8. **监控策略漂移**:使用 AWS Config 规则检测未授权更改

## 参考文档

- [AWS Verified Access 文档](https://docs.aws.amazon.com/verified-access/)
- [Cedar 策略语言](https://www.cedarpolicy.com/)
- [在多账户 AWS 环境中构建零信任访问](https://aws.amazon.com/blogs/networking-and-content-delivery/building-zero-trust-access-across-multi-account-aws-environments/)
- [NIST SP 800-207 零信任架构](https://csrc.nist.gov/publications/detail/sp/800-207/final)

Related Skills

testing-for-broken-access-control

9
from killvxk/cybersecurity-skills-zh

系统性测试 Web 应用程序中的访问控制缺陷,包括权限提升、缺失的功能级检查以及不安全的直接对象引用。

securing-remote-access-to-ot-environment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖为操作员、工程师和供应商实施OT/ICS环境的安全远程访问,同时防止可能危害工业运营的未授权访问。涉及跳板服务器架构、多因素认证、会话记录、特权访问管理、供应商远程访问控制,以及符合IEC 62443和NERC CIP-005远程访问要求。

performing-privileged-account-access-review

9
from killvxk/cybersecurity-skills-zh

对特权账户进行系统性审查,验证访问权限,识别过多权限,并在 PAM 基础设施中执行最小权限原则。

performing-initial-access-with-evilginx3

9
from killvxk/cybersecurity-skills-zh

在红队演练中,使用 EvilGinx3 中间人(Adversary-in-the-Middle)钓鱼框架执行授权的初始访问,捕获会话令牌并绕过多因素认证(MFA)。

performing-credential-access-with-lazagne

9
from killvxk/cybersecurity-skills-zh

在授权红队行动中,使用 LaZagne 后渗透工具从已控制的终端提取存储的凭据,从浏览器、数据库、系统密钥库和应用程序中恢复密码。

performing-access-review-and-certification

9
from killvxk/cybersecurity-skills-zh

开展系统性的访问审查和认证,确保用户拥有与其角色相符的访问权限。涵盖审查活动设计、审查员选择、基于风险的优先级排序、微认证策略,以及满足 SOX、HIPAA 和 PCI DSS 要求的整改跟踪。

performing-access-recertification-with-saviynt

9
from killvxk/cybersecurity-skills-zh

在 Saviynt Enterprise Identity Cloud 中配置和执行访问重认证活动,以验证用户权限、撤销多余的访问权限,并维持对 SOX、SOC2 和 HIPAA 的合规性。

implementing-zero-trust-network-access

9
from killvxk/cybersecurity-skills-zh

通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。

implementing-zero-trust-network-access-with-zscaler

9
from killvxk/cybersecurity-skills-zh

使用 Zscaler 实施零信任网络访问(Zero Trust Network Access,ZTNA),通过 Zscaler Private Access(ZPA)配置应用分段、访问策略和连接器,替代传统 VPN 架构

implementing-privileged-access-workstation

9
from killvxk/cybersecurity-skills-zh

设计并实施特权访问工作站(PAW,Privileged Access Workstation),包括设备加固、即时访问(JIT)以及与 CyberArk 或 BeyondTrust 的集成,以保障安全的管理操作。

implementing-privileged-access-management-with-cyberark

9
from killvxk/cybersecurity-skills-zh

部署 CyberArk 特权访问管理,对企业基础设施中的特权凭据进行发现、保管、轮换和监控。涵盖保险库架构、会话隔离、凭据轮换策略,以及与 NIST 800-53 访问控制要求的集成。

implementing-pam-for-database-access

9
from killvxk/cybersecurity-skills-zh

为数据库系统(包括 Oracle、SQL Server、PostgreSQL 和 MySQL)部署特权访问管理。涵盖会话代理配置、凭据保管、查询审计、动态凭据生成和最小权限数据库角色。