aws-verified access-alpha. VPN-less application Access with CDK.

What? Another blog here about doing things with CDK. Well, this one's not so much a blog as a set of instructions. I'll leave the opinions to someone else.

AWS says: “Built on Zero Trust guiding principles, AWS Verified Access validates every application request before granting access. Verified Access removes the need for a VPN, which simplifies the remote connectivity experience for end users and reduces the management complexity for IT administrators.”

OK. Well, sort of, AWS. If you only do web-based stuff it's a good story. If you've still got legacy apps that do the Layer 4, IP thing, then sorry, this isn't for you, or maybe it's not for *ALL* of your organization.

If I'm perfectly honest, I'm still learning how Verified Access works. There is quite a bit to it, and I've only just started to get my head around it, so this is very much a work in progress. But it's a working work in progress, and worth sharing.

I'm not going to try to explain Verified Access here. There are some good resources online; here are a few good ones.

AWS re:Invent 2022 – [NEW] Introducing AWS Verified Access: Secure connections to your apps (NET214) – YouTube
What is AWS Verified Access? – AWS Verified Access (amazon.com)

What I am going to do is provide you with enough information to deploy Verified Access using CDK, with the start of a CDK construct that I've created. Sorry, this is just in TypeScript at the moment, but if you feel like it you can do it in Python, as the construct is also published in Python at constructs.dev.


Prerequisites.

  • An environment from which you can edit and deploy a CDK application.
  • Two AWS accounts that you have access to, set up with Organizations. We'll call these the 'identity' and the 'application' accounts. Both should also be bootstrapped for CDK.
  • A working domain name. We'll refer to this domain as 'example.org'; please substitute your own as we work through things.


Initial Setup:

In the application account, create an external (public) Route 53 hosted zone for 'va.example.org'. You will need to set up delegation for the zone from its parent domain. Record the Zone ID to use a little later.

If you don't have IAM Identity Center set up in your identity account, follow these instructions.
In IAM Identity Center we will need to create groups and users.

Create Groups

For this example we will create two groups: redgroup and yellowgroup.

  1. Navigate to the IAM Identity Center Console .
  2. Choose Groups and click Create Group.
  3. On the Create group page:
    • For Group Name, enter redgroup.
    • For Description, enter The Red Group.
    • Click Create group.
  4. A green banner will appear indicating that the redgroup group was successfully created.
  5. Copy the Group ID value and save it in a text editor. You’ll use this value when defining the Verified Access policy in a later section.

Repeat the above Steps 1-5 within the Create Groups section to create the yellowgroup group.

Create Users

For this workshop we will create three users: red, yellow and blue.

  1. Navigate to the IAM Identity Center Console .
  2. Choose Users and click Add User.
  3. On the Add User page:
    • For Username, enter red.
    • For Password, choose the Generate a one-time password that you can share with the user radio button.
    • (Note: For this example, we do not need the email to be validated)
    • Provide a First name.
    • Provide a Last name.
    • Leave Display name as entered.
    • Click Next (feel free to explore the optional fields).
  4. In the Add users to groups – optional page:
    • Choose the redgroup group.
    • Click Next.
  5. In the Review and add user page:
    • Review the information provided in the previous steps.
    • Click Add user.
  6. A pop-up window will appear with One-time password. Copy the information using the Copy button and save it for later in the example.

Follow the above Steps 1-6 within the Create Users section to create yellow, adding them to the yellowgroup group. Then repeat for the blue user, adding the blue user to both the redgroup and yellowgroup groups.


Clone and Deploy CDK stacks.

From your cdk development environment.

git clone https://github.com/raindancers/verifiedaccess_demo.git
cd verifiedaccess_demo
npm install 


Edit bin/va.ts:

On lines 5-13, modify to reflect your identity and application accounts.
On lines 24-25, edit to use the group IDs for the redgroup and yellowgroup.
On lines 32-33, add the Zone ID and domain name for the Route 53 zone you configured.
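Those group IDs end up in the Cedar policies that Verified Access evaluates. The two policies below are an added illustration, not code from the original post or the demo repository; they assume the IAM Identity Center trust provider was created with the policy reference name 'identitycenter', that one policy is attached to the Verified Access group behind each endpoint, and the group IDs are placeholders for the values copied from the console.

```cedar
// Policy attached to the Verified Access group fronting red.va.example.org.
// Permits a request only when the signed-in IAM Identity Center user is a
// member of redgroup. <REDGROUP-ID> is a placeholder for the Group ID.
permit(principal, action, resource)
when {
    context.identitycenter.groups has "<REDGROUP-ID>"
};

// Policy attached to the Verified Access group fronting yellow.va.example.org.
// <YELLOWGROUP-ID> is a placeholder for the yellowgroup Group ID.
permit(principal, action, resource)
when {
    context.identitycenter.groups has "<YELLOWGROUP-ID>"
};
```

Because policies are deny-by-default, the red user matches only the first policy, the yellow user only the second, and the blue user (a member of both groups) matches both, which is the behaviour tested at the end of this post.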

Synth and deploy. This is a multi-account deployment; in a production environment this would likely be set up in some kind of CI/CD pipeline. The stacks are dependent on each other, so wait until the first one is deployed before deploying the second. The AppStack will take some time to deploy; it took about 1100 secs in ap-southeast-2.

cdk synth --profile <applicationaccountprofile>
cdk deploy VerifiedAccess --profile <identityaccountprofile>
cdk deploy AppStack --profile <applicationaccountprofile>


Once it's deployed, open your web browser and go to the URL:

https://red.va.example.org

You should be redirected to a login page. Use the usernames and passwords you set up earlier. Try out the different combinations. You should find that the red user can log into https://red.va.example.org/red but not https://yellow.va.example.org, the yellow user can do the reverse, and the blue user can log into both.

The application in this demo is just a fixed response from an ALB, but it serves the purpose of demonstrating verified identity.
From here, try creating different policies and perhaps put a real application behind the load balancers.

More coming soon.
