4.3.3. Zero-Trust Network Access with Verified Access
First Principle: Traditional network access (VPN → private subnet → application) treats anyone who has authenticated to the VPN as trusted on the network: once the tunnel is up, the client can reach every host its routes and security groups allow, whether or not the application was the intended target. AWS Verified Access removes that assumption by verifying identity AND device posture on every request and applying a per-application policy, so there is no network to be "on" and no broad reachability to abuse.
AWS Verified Access (new in C03):
- Provides access to corporate applications without a VPN; each application is exposed through a Verified Access endpoint that fronts an ALB, NLB, or ENI in your VPC
- Verifies user identity through IAM Identity Center or a third-party OIDC identity provider
- Verifies device posture through a device trust provider (CrowdStrike, Jamf); posture data reaches Verified Access via the Verified Access browser extension on the user's device
- Expresses per-application access policies in Cedar: who can access what, from which devices, under which conditions. A policy is attached to the Verified Access group and optionally to each endpoint; a request must be permitted by both
- Access decisions are made per-request, not per-session, so a device that falls out of compliance loses access on its next request rather than keeping an already-established tunnel
Verified Access vs. Traditional VPN:
| Aspect | Traditional VPN | Verified Access |
|---|---|---|
| Trust model | Trust the network | Trust nothing, verify everything |
| Access scope | Full network access once connected | Per-application access only |
| Device posture | Not checked (usually) | Verified per-request |
| Lateral movement risk | High (VPN grants broad network access) | Low (each app independently authorized) |
| User experience | VPN client required | Browser-based; device posture checks require the Verified Access browser extension |
⚠️ Exam Trap: Verified Access provides application-level zero-trust access to specific application endpoints. Client VPN provides network-level encrypted access to a VPC: any protocol, any host the client's routes and security groups allow. If a question describes giving users access to specific internal applications without granting broad network access, or requires device posture checks per request, Verified Access is the answer. If it requires general network connectivity (SSH, RDP, database ports, arbitrary hosts), Client VPN is.
Scenario: A company wants remote employees to access an internal HR application without a VPN. They deploy Verified Access with IAM Identity Center as the user trust provider and CrowdStrike as the device trust provider, and write a Cedar policy that permits a request only when the user is an authenticated member of the HR group and the device's CrowdStrike assessment score meets the company's threshold. Only authenticated users on managed, compliant devices reach the application, and every request is re-evaluated against that policy.
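As an added example (not a policy from the page or from AWS documentation), here is what the Cedar group policy for the HR scenario above could look like. The policy reference names `idc` and `crowdstrike` are assumed; they are whatever names were chosen when each trust provider was created. The HR group identifier is a placeholder to be replaced with the real IAM Identity Center group ID, and the context attribute paths follow the shape of AWS's published examples for these providers and should be checked against the trust provider documentation for your account.

```cedar
// Added example, not the page's own policy.
// Verified Access group policy for the internal HR application.
// "idc" and "crowdstrike" are assumed policy reference names.

// Permit only verified corporate users who are members of the HR group,
// on devices whose CrowdStrike Zero Trust Assessment score is at least 80.
permit(principal, action, resource)
when {
    context.idc.user.email.verified == true &&
    context.idc.user.email.address like "*@example.com" &&
    context.idc.groups has "<hr-group-id>" &&      // placeholder group ID
    context.crowdstrike.assessment.overall >= 80
};

// A forbid always wins over a permit: block any request whose device
// assessment is missing or whose OS-level score has collapsed, even if
// the identity checks above pass.
forbid(principal, action, resource)
when {
    !(context has "crowdstrike") ||
    context.crowdstrike.assessment.os < 50
};
```

Two points worth remembering about how this is evaluated: Verified Access checks the group policy and, if one exists, the endpoint policy on every request, and both must return permit; a `forbid` in either overrides any `permit`. Because the policy runs per request, the `forbid` branch takes effect on the very next request after a device's score drops, which is the behaviour the table above contrasts with a VPN session. Enable Verified Access logging (CloudWatch Logs, S3, or Kinesis Data Firehose) so that each allow or deny decision, with the identity and device context it was based on, is available for detection and incident response.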
Reflection Question: How does per-request identity and device verification fundamentally change the security model compared to VPN-based network access?