Insights from an AWS Verified Access Security Assessment

Organizations must continuously evaluate their access control mechanisms to ensure secure and reliable access to their applications. AWS Verified Access (AVA) allows for the implementation of context-aware, zero-trust access to applications without requiring a VPN. However, as with any security solution, its effectiveness depends heavily on proper configuration and alignment with security best practices.

Recently, GuidePoint Security conducted a comprehensive security assessment of an AVA implementation. This client had already deployed the service and wanted to ensure their implementation followed security best practices to minimize the risk of compromise. This article shares key insights from the assessment and highlights important considerations for organizations already using or planning to implement AVA.

AWS Verified Access: A Native Solution for Zero Trust on AWS

While there are many great third-party solutions that provide zero trust to corporate applications, this article focuses specifically on AWS Verified Access. It is written for organizations that want to implement zero trust access solutions within their AWS environment. The tight integration with AWS services and the ability to leverage existing native security tools makes AVA an attractive option for these organizations.

Built on zero trust security principles, AVA represents a significant advancement in securing applications hosted on premises or in the cloud. The service enables organizations to move beyond traditional VPN-based approaches that often. VPNs often rely on siloed security policies managed by different teams, which can create overlaps and complicate access issue diagnosis. Instead, AVA validates each application request before granting access, regardless of user or network location, while continuously adapting the security posture based on changing conditions.

Why AWS Verified Access?

Organizations typically choose AWS Verified Access for the following benefits:

• It’s a native, pay-as-you-go, consumption-based service with no upfront commitment or minimum fees.
• It provides secure access to corporate applications without the need for a VPN.
• It supports non-HTTP resources (e.g., SSH, RDS and TCP).
• It also secures access to on-premises applications.

With AVA, Security Administrators gain a single configuration point to manage and enforce security policies, while maintaining compatibility with existing identity providers and device trust providers. For end users, the elimination of VPN clients represents a significant user experience improvement. With AVA, access to internal web applications is granted through a simple web browser connection after users and their devices have been properly identified and verified.

The versatility of AWS Verified Access extends beyond cloud-hosted applications (Figure 1). Organizations can use AVA to securely connect to non-HTTP resources like RDS databases (Figure 2). This flexibility allows businesses at any stage of their cloud journey to implement zero trust security principles without capital expenses for hardware purchases or licensing related costs. 

AWS Verified Access also supports applications running on-premises (See Figure 3) or deployed on other cloud platforms if there’s connectivity from AWS to the on-premises network via VPN or Direct Connect.  This helps avoid expenses related to hardware purchases or licensing costs.

Given the above listed  capabilities, an AWS Verified Access security assessment ensures that an organization’s implementation maximizes the benefits of the service while avoiding common security pitfalls.

In this example, we uncovered several areas where even experienced cloud architecture and engineering teams can inadvertently introduce security gaps. This highlights the importance of comprehensive evaluation in accordance with security best practices.

Key Security Considerations Identified During our Assessment

Before deploying AWS Verified Access, organizations should confirm certain tools are supported. Specifically, enterprise Mobile Device Management (MDM), Endpoint Detection and Response (EDR), or Extended Detection and Response (XDR) solutions. Device trust is a key part of AVA that helps ensure that only compliant devices can access protected applications. AVA currently supports device trust integrations with CrowdStrike, Jamf, and JumpCloud. Verifying compatibility early helps avoid delays and ensures full use of AVA risk-based access controls.

Our assessment revealed several critical areas that organizations should carefully evaluate when implementing AWS Verified Access:

• Authentication Strategy Completeness: A robust authentication strategy should leverage multiple signals for access decisions. Our assessment found that device trust verification, a crucial component for risk-based authentication, was missing from the implementation. This gap limited the client’s decision-making based on device trustworthiness, a key factor in zero trust architectures.

• Privilege Management: Excessive privileges represent one of the most common security risks in cloud environments. We identified that the AWS Verified Access application was operating with highly privileged account access. This violates the principle of least privilege and potentially increasing the attack surface.

• Location-Based Controls: Geographic access restrictions can be powerful security mechanisms when properly implemented. Our assessment revealed that the client’s geolocation controls were not sufficiently scoped to prevent access by unauthorized regions or users.

• Encryption Key Management: Protection of sensitive data requires careful management of encryption keys. We provided specific recommendations for implementing encryption key best practices to better protect application resources protected through AWS Verified Access. 

• Security Group Configuration: Effective security groups are fundamental to AWS network security. Our assessment uncovered instances where security groups for AWS Verified Access protected application infrastructure were improperly configured, allowing unintended traffic from the internet.

• Network Controls: Sensitive workloads demand a layered security approach. Without defense-in-depth, the failure of any one control can expose critical assets. GuidePoint identified that network access control lists (NACLs) were not properly configured as additional layers of defense beyond security groups. The finding highlighted gaps in the client’s defense-in-depth strategy.

• Operational Resilience: Our assessment revealed insufficient implementation of controls that ensure continuous operation during cyberattacks or technical disruptions. Implementing redundancy and recovery mechanisms is crucial for maintaining availability.

• IAM Credential Protection: Server-side request forgery (SSRF) attacks remain a significant threat to cloud environments. We found that EC2 instances hosting AWS Verified Access protected applications lacked sufficient controls to mitigate the risk of attackers stealing IAM credentials through SSRF attacks.

• Visibility Gap in Security Operations: Our assessment also identified a critical gap in the client’s security monitoring strategy. There was insufficient monitoring and alerting for critical AWS Verified Access actions that would allow suspicious activities to go undetected. This visibility gap could significantly delay incident response in case of a security breach or unauthorized access attempts. The finding identified the need for comprehensive logging and real-time alerting for all AVA-related activities.

The Case for a Security Assessment

The findings from our assessment demonstrate why even well-designed AWS Verified Access implementations benefit from independent security assessments. Without GuidePoint’s assessment of the client’s implementation, many of these risks could have remained unidentified. This could have left them vulnerable to exploitation, increasing the likelihood of a breach, service disruption, and potential financial impact.

GuidePoint’s methodology combines automated scanning with expert manual account reviews. With a complete understanding the client’s context and use cases, GuidePoint uncovers security gaps that automated tools alone might miss. This approach allowed us to validate findings, giving the client confidence in the assessment results and our recommended remediation strategies.

AWS Verified Access is a significant advancement in securing access to applications. However, realizing its full security potential requires understanding the possible attack paths and securely implementing identity and policy controls. Organizations using or planning to use this tool should consider a comprehensive security assessment. By identifying potential gaps and aligning with security best practices, organizations get the maximum benefit of AVA. 

Ready for an Evaluation?

Contact us today to see if your AWS Verified Access implementation is secured, or if it’s leaving you vulnerable to an attack.