AWS has expanded its Verified Access service to support resources that connect over TCP, SSH, and RDP protocols, marking a significant advancement in secure access management. This expansion addresses a common challenge in enterprise environments: providing secure access to both web and non-web applications without relying on traditional VPN infrastructure.
The new capabilities allow organizations to manage access to databases, SAP systems, and git repositories running on EC2 instances through the same interface they use for web applications. This unified approach brings zero trust principles to a broader range of corporate resources, removing the complexity of maintaining separate solutions for different types of applications.
Security administrators can now define access policies based on both user identity and device posture across their entire application portfolio. The service continuously monitors active connections, validating security requirements throughout each session. When a connection fails to meet the specified security requirements, Verified Access automatically terminates it, maintaining consistent security enforcement.
AWS Verified Access pricing follows a straightforward usage-based model with no upfront commitments or minimum fees. The service charges based on two primary dimensions for HTTP(S) applications: hourly charges for associated applications and per-gigabyte charges for processed data. Each application associated with an active HTTP(S) Verified Access endpoint incurs charges per hour, with partial hours billed as full hours.
The service integrates with AWS IAM Identity Center as a trust provider, enabling organizations to leverage their existing identity management infrastructure. Administrators can configure the system through a step-by-step process that includes creating trust providers, instances, groups, and endpoints. These components work together to provide granular access control.
Security groups control access to applications; in the documented setup, the security group allows all inbound traffic from the VPC CIDR and outbound traffic as needed. The service requires TLS certificates managed through AWS Certificate Manager, supporting RSA certificates with key lengths of 1,024 or 2,048 bits. For DNS configuration, the service generates a unique endpoint domain for each endpoint, which administrators map to their application domain using a CNAME record.
Verified Access endpoints can be configured with specific protocols, attachment types, and ports. When setting up an endpoint, administrators can select VPC attachments and load balancer configurations, choosing appropriate security groups and subnets to manage traffic flow between components.
The expansion of Verified Access simplifies security operations by providing a single interface for managing access policies across all corporate resources. Security teams can now centrally create, group, and manage access policies for applications with similar security requirements, regardless of their underlying protocols.
This centralized approach manifests in practical ways. For example, database administrators can receive access to production databases only when they meet specific authentication and device compliance requirements. These policies remain consistent and automatically enforced, reducing the operational overhead of maintaining separate access control systems for different types of resources.
The service provides enhanced observability through comprehensive logging of access attempts. This logging capability enables security teams to respond efficiently to both security and connectivity incidents. By maintaining continuous monitoring of active connections, the system can quickly respond to changes in security status, automatically terminating connections that no longer meet policy requirements.
The implementation process follows a structured approach, beginning with trust provider configuration and proceeding through instance creation, group definition, and endpoint setup. This systematic process helps organizations maintain security consistency while deploying access controls. The service supports both user and device trust providers, allowing organizations to incorporate multiple security factors into their access decisions.
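As an added illustration of the database-administrator scenario described earlier (this is not a policy from the article or from AWS documentation), the following Cedar policy, attached to a Verified Access group, grants access only when both the IAM Identity Center identity and the device posture meet the requirements. The policy reference names `idc` and `device`, the `risk` attribute exposed by the device trust provider, and the group ID are assumptions.

```cedar
// Added example policy for a Verified Access group (not the article's or AWS's own code).
// Assumptions: the IAM Identity Center trust provider was created with policy
// reference name "idc"; a device trust provider was created with policy
// reference name "device" and reports a "risk" attribute (attribute names and
// values vary by provider); the group ID below is a placeholder.
permit(principal, action, resource)
when {
    // Identity: a verified corporate email address ...
    context.idc.user.email.verified == true
    && context.idc.user.email.address like "*@example.com"
    // ... and membership in the DBA group (placeholder Identity Center group ID)
    && context.idc.groups has "00000000-0000-0000-0000-000000000000"
    // Device posture: the device trust provider must be present and report low risk.
    // If any attribute is missing, the condition does not hold and access is denied.
    && context.device has risk
    && context.device.risk == "LOW"
};
```

Because Verified Access re-evaluates the policy during the session, a device whose reported risk rises above "LOW" loses its connection rather than keeping it until the next login.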
AWS has made Verified Access available across 18 regions, providing broad geographic coverage for organizations with distributed operations. The service operates in major AWS regions including US East (Ohio), US East (Northern Virginia), US West (N. California), US West (Oregon), and extends through multiple regions in Asia Pacific, Europe, and South America, as well as Canada (Central) and Israel (Tel Aviv).
Implementation follows a defined path that starts with establishing prerequisites. Organizations need to enable AWS IAM Identity Center in their chosen region and prepare their security infrastructure, including security groups and TLS certificates. The service requires certificates managed through AWS Certificate Manager, and organizations must have a public hosted domain with the necessary permissions to update DNS records.
Setting up the service involves creating trust providers, instances, groups, and endpoints. Each component serves a specific purpose in the security architecture. Trust providers handle identity verification, instances manage the overall service configuration, groups organize access policies, and endpoints represent the connection points for applications.
The final implementation step involves DNS configuration, where organizations map their application domains to Verified Access endpoint domains. This mapping uses CNAME records, ensuring that all user requests route through the Verified Access service for proper security evaluation.
The expansion of AWS Verified Access to support non-HTTP protocols addresses a fundamental challenge in securing corporate resources. By bringing TCP, SSH, and RDP protocols under the same security umbrella as web applications, organizations can implement consistent access controls across their entire application portfolio without maintaining separate VPN infrastructure.
The service’s usage-based pricing model, with charges based on application hours and data processing, allows organizations to align costs with actual usage. The broad regional availability across 18 AWS regions provides flexibility in deployment options, while integration with AWS IAM Identity Center enables organizations to leverage their existing identity management infrastructure.
The implementation path, from trust provider configuration through endpoint setup, provides a systematic approach to deploying zero trust access controls. The continuous monitoring of connections and automatic policy enforcement helps maintain security consistency, while comprehensive logging supports efficient incident response.
Organizations interested in implementing these capabilities can access the service through the AWS Management Console, with supporting documentation and tools available to guide the deployment process. The service requires minimal prerequisites, primarily centered around identity management configuration and certificate preparation.