configuring-aws-verified-access-for-ztna
配置 AWS Verified Access,使用 Cedar 策略语言通过身份和设备态势验证,为内部应用程序提供无 VPN 的零信任网络访问(ZTNA)。
Best use case
configuring-aws-verified-access-for-ztna is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
配置 AWS Verified Access,使用 Cedar 策略语言通过身份和设备态势验证,为内部应用程序提供无 VPN 的零信任网络访问(ZTNA)。
Teams using configuring-aws-verified-access-for-ztna should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/configuring-aws-verified-access-for-ztna/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How configuring-aws-verified-access-for-ztna Compares
| Feature / Agent | configuring-aws-verified-access-for-ztna | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
配置 AWS Verified Access,使用 Cedar 策略语言通过身份和设备态势验证,为内部应用程序提供无 VPN 的零信任网络访问(ZTNA)。
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 为 ZTNA 配置 AWS Verified Access
## 概述
AWS Verified Access 是一项零信任网络访问(ZTNA,Zero Trust Network Access)服务,为 AWS 中托管的企业应用程序提供安全的无 VPN 访问。它使用 Cedar 策略语言编写的精细化条件访问策略实时评估每个访问请求,确保仅在满足和维持特定安全要求(如用户身份和设备安全态势)时才按应用程序授予访问权限。Verified Access 与 AWS IAM Identity Center、第三方身份提供商(Okta、CrowdStrike、JumpCloud、Jamf)及设备管理解决方案集成。对于多账户部署,AWS Resource Access Manager(RAM)支持跨组织单元共享 Verified Access 组。
## 前置条件
- 具有适当 IAM 权限的 AWS 账户
- 身份提供商(AWS IAM Identity Center、Okta 或兼容 OIDC 的提供商)
- 设备信任提供商(CrowdStrike、Jamf、JumpCloud 或 AWS Verified Access 原生)
- 内部应用程序负载均衡器(ALB)或网络接口端点
- 了解 Cedar 策略语言
- 带有待保护应用程序工作负载的 VPC
## 架构
```
终端用户(浏览器)
|
| HTTPS
v
+------+--------+
| Verified |
| Access |
| 端点 |
| (公共 DNS) |
+------+--------+
|
+------+--------+
| Verified | <-- Cedar 访问策略
| Access | <-- 身份提供商信号
| 实例 | <-- 设备信任信号
| (策略 |
| 评估) |
+------+--------+
|
+------+--------+
| Verified |
| Access 组 |
| (应用组) |
+------+--------+
|
+------+--------+
| 内部 ALB |
| 或 ENI 目标 |
+------+--------+
|
+------+--------+
| 应用程序 |
| (私有 VPC) |
+--------------+
```
## 核心组件
### Verified Access 实例
评估访问请求策略的区域实体。
```bash
# 通过 AWS CLI 创建 Verified Access 实例
aws ec2 create-verified-access-instance \
--description "生产零信任实例" \
--tag-specifications 'ResourceType=verified-access-instance,Tags=[{Key=Environment,Value=production}]'
```
### 信任提供商
#### 身份信任提供商(AWS IAM Identity Center)
```bash
# 创建身份信任提供商
aws ec2 create-verified-access-trust-provider \
--trust-provider-type user \
--user-trust-provider-type iam-identity-center \
--policy-reference-name "idc" \
--description "IAM Identity Center 信任提供商" \
--tag-specifications 'ResourceType=verified-access-trust-provider,Tags=[{Key=Type,Value=identity}]'
```
#### 身份信任提供商(OIDC - Okta)
```bash
aws ec2 create-verified-access-trust-provider \
--trust-provider-type user \
--user-trust-provider-type oidc \
--oidc-options '{
"Issuer": "https://company.okta.com/oauth2/default",
"AuthorizationEndpoint": "https://company.okta.com/oauth2/default/v1/authorize",
"TokenEndpoint": "https://company.okta.com/oauth2/default/v1/token",
"UserInfoEndpoint": "https://company.okta.com/oauth2/default/v1/userinfo",
"ClientId": "0oa1234567890",
"ClientSecret": "client-secret-here",
"Scope": "openid profile groups"
}' \
--policy-reference-name "okta" \
--description "Okta OIDC 信任提供商"
```
#### 设备信任提供商(CrowdStrike)
```bash
aws ec2 create-verified-access-trust-provider \
--trust-provider-type device \
--device-trust-provider-type crowdstrike \
--device-options '{
"TenantId": "crowdstrike-tenant-id",
"PublicSigningKeyUrl": "https://api.crowdstrike.com/zero-trust/v2/certificates"
}' \
--policy-reference-name "crowdstrike" \
--description "CrowdStrike 设备信任提供商"
```
### 将信任提供商附加到实例
```bash
# 附加身份提供商
aws ec2 attach-verified-access-trust-provider \
--verified-access-instance-id vai-0123456789abcdef \
--verified-access-trust-provider-id vatp-0123456789abcdef
# 附加设备提供商
aws ec2 attach-verified-access-trust-provider \
--verified-access-instance-id vai-0123456789abcdef \
--verified-access-trust-provider-id vatp-device123456
```
### Verified Access 组
```bash
# 为 Web 应用创建组
aws ec2 create-verified-access-group \
--verified-access-instance-id vai-0123456789abcdef \
--description "生产 Web 应用" \
--policy-document 'permit(principal, action, resource)
when {
context.okta.groups.contains("production-access") &&
context.crowdstrike.assessment.overall > 50
};' \
--tag-specifications 'ResourceType=verified-access-group,Tags=[{Key=Tier,Value=web}]'
```
### Verified Access 端点
```bash
# 为基于 ALB 的应用创建端点
aws ec2 create-verified-access-endpoint \
--verified-access-group-id vag-0123456789abcdef \
--endpoint-type load-balancer \
--attachment-type vpc \
--domain-certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/xxxx \
--application-domain app.internal.company.com \
--endpoint-domain-prefix myapp \
--load-balancer-options '{
"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/internal-alb/xxxx",
"Port": 443,
"Protocol": "https",
"SubnetIds": ["subnet-abc123", "subnet-def456"]
}' \
--security-group-ids sg-0123456789abcdef \
--description "内部人力资源应用"
```
## Cedar 策略语言
### 策略基础
```cedar
// 允许使用合规设备的工程组用户访问
permit(principal, action, resource)
when {
context.okta.groups.contains("engineering") &&
context.crowdstrike.assessment.overall > 70 &&
context.crowdstrike.assessment.sensor_config.status == "active"
};
// 拒绝来自非托管设备的访问
forbid(principal, action, resource)
when {
!context.crowdstrike.assessment.sensor_config.status == "active"
};
```
### 高级策略示例
```cedar
// 基于时间的访问 - 仅在工作时间(UTC)
permit(principal, action, resource)
when {
context.okta.groups.contains("contractors") &&
context.http_request.http_method == "GET" &&
context.crowdstrike.assessment.overall > 80
};
// 将管理员访问限制为具有高设备信任的特定用户组
permit(principal, action, resource)
when {
context.idc.groups.contains("admins") &&
context.crowdstrike.assessment.overall > 90 &&
context.crowdstrike.assessment.os_version.startswith("Windows 11") ||
context.crowdstrike.assessment.os_version.startswith("macOS 14")
};
// 为较低信任级别允许只读访问
permit(principal, action, resource)
when {
context.okta.groups.contains("read-only") &&
context.crowdstrike.assessment.overall > 30 &&
context.http_request.http_method == "GET"
};
```
### 组级别与端点级别策略
```cedar
// 组级别策略(适用于组中的所有端点)
// 在 Verified Access 组上设置
permit(principal, action, resource)
when {
context.okta.groups.contains("employees") &&
context.crowdstrike.assessment.overall > 50
};
// 端点级别策略(特定应用的额外限制)
// 在 Verified Access 端点上设置
permit(principal, action, resource)
when {
context.okta.groups.contains("hr-team") &&
context.okta.email.endsWith("@company.com")
};
```
## Terraform 配置
```hcl
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
# Verified Access 实例
resource "aws_verifiedaccess_instance" "main" {
description = "生产零信任访问"
tags = {
Environment = "production"
}
}
# 身份信任提供商(OIDC)
resource "aws_verifiedaccess_trust_provider" "okta" {
policy_reference_name = "okta"
trust_provider_type = "user"
user_trust_provider_type = "oidc"
description = "Okta 身份提供商"
oidc_options {
authorization_endpoint = "https://company.okta.com/oauth2/default/v1/authorize"
client_id = var.okta_client_id
client_secret = var.okta_client_secret
issuer = "https://company.okta.com/oauth2/default"
scope = "openid profile groups"
token_endpoint = "https://company.okta.com/oauth2/default/v1/token"
user_info_endpoint = "https://company.okta.com/oauth2/default/v1/userinfo"
}
}
# 设备信任提供商(CrowdStrike)
resource "aws_verifiedaccess_trust_provider" "crowdstrike" {
policy_reference_name = "crowdstrike"
trust_provider_type = "device"
device_trust_provider_type = "crowdstrike"
description = "CrowdStrike 设备信任"
device_options {
tenant_id = var.crowdstrike_tenant_id
}
}
# 将提供商附加到实例
resource "aws_verifiedaccess_instance_trust_provider_attachment" "okta" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.okta.id
}
resource "aws_verifiedaccess_instance_trust_provider_attachment" "crowdstrike" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.crowdstrike.id
}
# Verified Access 组
resource "aws_verifiedaccess_group" "web_apps" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
description = "生产 Web 应用"
policy_document = <<-CEDAR
permit(principal, action, resource)
when {
context.okta.groups.contains("production-access") &&
context.crowdstrike.assessment.overall > 50
};
CEDAR
tags = {
Tier = "web"
}
}
# Verified Access 端点
resource "aws_verifiedaccess_endpoint" "internal_app" {
verified_access_group_id = aws_verifiedaccess_group.web_apps.id
endpoint_type = "load-balancer"
attachment_type = "vpc"
domain_certificate_arn = aws_acm_certificate.app.arn
application_domain = "app.internal.company.com"
endpoint_domain_prefix = "myapp"
description = "内部应用"
load_balancer_options {
load_balancer_arn = aws_lb.internal.arn
port = 443
protocol = "https"
subnet_ids = var.private_subnet_ids
}
security_group_ids = [aws_security_group.verified_access.id]
policy_document = <<-CEDAR
permit(principal, action, resource)
when {
context.okta.groups.contains("app-users")
};
CEDAR
}
# 日志配置
resource "aws_verifiedaccess_instance_logging_configuration" "main" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
access_logs {
cloudwatch_logs {
enabled = true
log_group = aws_cloudwatch_log_group.verified_access.name
}
s3 {
enabled = true
bucket_name = aws_s3_bucket.access_logs.id
prefix = "verified-access/"
}
}
}
resource "aws_cloudwatch_log_group" "verified_access" {
name = "/aws/verified-access/production"
retention_in_days = 90
}
```
## 使用 AWS RAM 进行多账户部署
```hcl
# 通过 RAM 在账户间共享 Verified Access 组
resource "aws_ram_resource_share" "verified_access" {
name = "verified-access-share"
allow_external_principals = false
}
resource "aws_ram_resource_association" "group_share" {
resource_arn = aws_verifiedaccess_group.web_apps.verified_access_group_arn
resource_share_arn = aws_ram_resource_share.verified_access.arn
}
resource "aws_ram_principal_association" "workload_ou" {
principal = "arn:aws:organizations::123456789012:ou/o-xxxx/ou-xxxx-xxxxxxxx"
resource_share_arn = aws_ram_resource_share.verified_access.arn
}
```
## 监控和日志
```bash
# 在 CloudWatch 中查询访问日志
aws logs filter-log-events \
--log-group-name /aws/verified-access/production \
--filter-pattern '{ $.status_code = "403" }' \
--start-time $(date -d '1 hour ago' +%s000)
# 访问拒绝的 CloudWatch 告警
aws cloudwatch put-metric-alarm \
--alarm-name "VerifiedAccess-HighDenialRate" \
--metric-name "AccessDenied" \
--namespace "AWS/VerifiedAccess" \
--statistic Sum \
--period 300 \
--threshold 100 \
--comparison-operator GreaterThanThreshold \
--evaluation-periods 2 \
--alarm-actions arn:aws:sns:us-east-1:123456789012:security-alerts
```
## 安全最佳实践
1. **分层策略**:使用组级策略进行广泛控制,端点级策略进行特定应用限制
2. **要求设备信任**:始终在 Cedar 策略中包含设备态势检查
3. **启用访问日志**:同时发送到 CloudWatch 和 S3,用于实时监控和长期保留
4. **多账户使用 RAM**:跨组织单元共享组,而非复制配置
5. **轮换 OIDC 密钥**:通过 Secrets Manager 自动化客户端密钥轮换
6. **在非生产环境测试策略**:在生产部署前验证 Cedar 策略
7. **设置高设备信任阈值**:要求生产访问的整体评分高于 70
8. **监控策略漂移**:使用 AWS Config 规则检测未授权更改
## 参考文档
- [AWS Verified Access 文档](https://docs.aws.amazon.com/verified-access/)
- [Cedar 策略语言](https://www.cedarpolicy.com/)
- [在多账户 AWS 环境中构建零信任访问](https://aws.amazon.com/blogs/networking-and-content-delivery/building-zero-trust-access-across-multi-account-aws-environments/)
- [NIST SP 800-207 零信任架构](https://csrc.nist.gov/publications/detail/sp/800-207/final)Related Skills
testing-for-broken-access-control
系统性测试 Web 应用程序中的访问控制缺陷,包括权限提升、缺失的功能级检查以及不安全的直接对象引用。
securing-remote-access-to-ot-environment
本技能涵盖为操作员、工程师和供应商实施OT/ICS环境的安全远程访问,同时防止可能危害工业运营的未授权访问。涉及跳板服务器架构、多因素认证、会话记录、特权访问管理、供应商远程访问控制,以及符合IEC 62443和NERC CIP-005远程访问要求。
performing-privileged-account-access-review
对特权账户进行系统性审查,验证访问权限,识别过多权限,并在 PAM 基础设施中执行最小权限原则。
performing-initial-access-with-evilginx3
在红队演练中,使用 EvilGinx3 中间人(Adversary-in-the-Middle)钓鱼框架执行授权的初始访问,捕获会话令牌并绕过多因素认证(MFA)。
performing-credential-access-with-lazagne
在授权红队行动中,使用 LaZagne 后渗透工具从已控制的终端提取存储的凭据,从浏览器、数据库、系统密钥库和应用程序中恢复密码。
performing-access-review-and-certification
开展系统性的访问审查和认证,确保用户拥有与其角色相符的访问权限。涵盖审查活动设计、审查员选择、基于风险的优先级排序、微认证策略,以及满足 SOX、HIPAA 和 PCI DSS 要求的整改跟踪。
performing-access-recertification-with-saviynt
在 Saviynt Enterprise Identity Cloud 中配置和执行访问重认证活动,以验证用户权限、撤销多余的访问权限,并维持对 SOX、SOC2 和 HIPAA 的合规性。
implementing-zero-trust-network-access
通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。
implementing-zero-trust-network-access-with-zscaler
使用 Zscaler 实施零信任网络访问(Zero Trust Network Access,ZTNA),通过 Zscaler Private Access(ZPA)配置应用分段、访问策略和连接器,替代传统 VPN 架构
implementing-privileged-access-workstation
设计并实施特权访问工作站(PAW,Privileged Access Workstation),包括设备加固、即时访问(JIT)以及与 CyberArk 或 BeyondTrust 的集成,以保障安全的管理操作。
implementing-privileged-access-management-with-cyberark
部署 CyberArk 特权访问管理,对企业基础设施中的特权凭据进行发现、保管、轮换和监控。涵盖保险库架构、会话隔离、凭据轮换策略,以及与 NIST 800-53 访问控制要求的集成。
implementing-pam-for-database-access
为数据库系统(包括 Oracle、SQL Server、PostgreSQL 和 MySQL)部署特权访问管理。涵盖会话代理配置、凭据保管、查询审计、动态凭据生成和最小权限数据库角色。