Zero trust on AWS

Advancing your security model with a zero trust approach

What is zero trust on AWS?

Zero trust is a security model centered on the idea that access to data should not be granted based solely on network location. It requires users and systems to strongly prove their identities and trustworthiness, and enforces fine-grained identity-based authorization rules before allowing them to access applications, data, and other systems. With zero trust, these identities often operate within highly flexible identity-aware networks that further reduce surface area, eliminate unneeded pathways to data, and provide straightforward outer security guardrails.

Building a zero trust architecture on AWS

Moving to a zero trust security model starts with evaluating your workload portfolio and determining where the enhanced flexibility and security of zero trust would provide the greatest benefits. Then, you'll apply zero trust concepts, rethinking identity, authentication, and other context indicators such as device state and health, in order to make real and meaningful security improvements over the status quo. To help you on this journey, a number of AWS identity and networking services provide core zero trust building blocks as standard features that can be applied to both new and existing workloads.

Benefits

A zero trust security model can provide your users with secure access to applications and resources based on trust factors like identity and device posture.

By eliminating unnecessary communication pathways, you apply least privilege principles to better protect critical data.

To help raise the bar on security further, zero trust allows IT teams to make increasingly granular, continuous, and adaptive access control decisions that incorporate a wide range of contexts—including identity, device, and behavior.

Explore use cases

When two components don’t need to communicate, they shouldn’t be able to, even when residing within the same network segment. You can accomplish this by authorizing specific flows between the components. Depending on the nature of the systems, you can construct these architectures through simplified and automated service-to-service connectivity with embedded authentication and authorization using Amazon VPC Lattice, dynamic micro-perimeters built using Security Groups, request signing through Amazon API Gateway, and more. 
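As an added illustration (written for this page, not AWS code or part of the original text), the following Python models the "authorize specific flows" idea behind security-group micro-perimeters: a deny-by-default allow-list of component-to-component flows is turned into ingress rules that reference the source security group rather than a CIDR block, in the shape of the EC2 `IpPermissions` structure, together with a check that evaluates whether a given flow would be permitted and an audit that flags CIDR-based rules which would reintroduce location-based trust. It runs offline and makes no AWS API calls; the component names, ports, security group IDs and helper function names are constructed assumptions.

```python
"""Added example: security-group micro-perimeters as an explicit flow
allow-list. Runs offline; no AWS API calls are made. The group IDs are
constructed placeholders, not real resources."""

# Constructed placeholder security group IDs, one per application tier.
COMPONENTS = {
    "web": "sg-placeholder-web",
    "api": "sg-placeholder-api",
    "db":  "sg-placeholder-db",
}

# Deny-by-default allow-list: (source, destination, protocol, port).
# Anything not listed here is unreachable, even inside the same subnet.
ALLOWED_FLOWS = [
    ("web", "api", "tcp", 443),   # web tier calls the API over HTTPS
    ("api", "db",  "tcp", 5432),  # API tier talks to PostgreSQL
]


def build_ingress_rules(components, flows):
    """Translate the allow-list into ingress rules per destination group.

    Each rule uses the shape of the EC2 IpPermissions structure with a
    UserIdGroupPairs reference to the *source* security group instead of a
    CIDR, so membership in the group (not an IP address) is what grants
    access. Security groups are stateful, so return traffic needs no rule.
    """
    rules = {sg_id: [] for sg_id in components.values()}
    for src, dst, proto, port in flows:
        rules[components[dst]].append({
            "IpProtocol": proto,
            "FromPort": port,
            "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": components[src]}],
        })
    return rules


def is_flow_permitted(rules, src_sg, dst_sg, proto, port):
    """Evaluate one flow against the ingress rules of the destination group.

    Mirrors security group semantics: rules are additive allows with no deny
    rule, so a flow that matches nothing is dropped.
    """
    for perm in rules.get(dst_sg, []):
        if perm["IpProtocol"] != proto:
            continue
        if not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(pair["GroupId"] == src_sg
               for pair in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def find_cidr_ingress(rules):
    """Audit helper: list ingress rules that grant access by CIDR block.

    A CIDR-based rule (0.0.0.0/0 being the worst case) reintroduces
    location-based trust and bypasses the group-based micro-perimeter.
    Each finding is (destination group, CIDR, (from_port, to_port)).
    """
    findings = []
    for sg_id, perms in rules.items():
        for perm in perms:
            for ip_range in perm.get("IpRanges", []):
                findings.append(
                    (sg_id, ip_range["CidrIp"], (perm["FromPort"], perm["ToPort"])))
    return findings


if __name__ == "__main__":
    rules = build_ingress_rules(COMPONENTS, ALLOWED_FLOWS)
    web, api, db = COMPONENTS["web"], COMPONENTS["api"], COMPONENTS["db"]
    print("web -> api:443 ", is_flow_permitted(rules, web, api, "tcp", 443))  # True
    print("web -> db:5432 ", is_flow_permitted(rules, web, db, "tcp", 5432))  # False
    print("api -> db:443  ", is_flow_permitted(rules, api, db, "tcp", 443))   # False

    # Simulate configuration drift: a hand-added CIDR rule on the database
    # group, which the audit then catches.
    rules[db].append({"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                      "IpRanges": [{"CidrIp": "10.0.0.0/8"}]})
    print("CIDR findings:", find_cidr_ingress(rules))
```

The same allow-list can feed a real deployment (the dictionaries match what `authorize_security_group_ingress` expects in `IpPermissions`), and running the audit against rules exported from an account is a cheap drift check; note that group references only resolve within the same VPC or a peered VPC, and that this model ignores the `-1` "all protocols" wildcard, which a production audit should also flag.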

The modern workforce requires access to their business applications from anywhere without compromising security. You can accomplish this with AWS Verified Access. This allows you to provide secure access to corporate applications without a VPN. Easily connect your existing identity provider (IdP) and device management service and use access policies to tightly control application access while delivering a seamless user experience and improving security posture. You can also accomplish this with services like the Amazon WorkSpaces Family or Amazon AppStream 2.0, which stream applications as encrypted pixels to remote users while keeping data safely within your Amazon VPC and any connected private networks.

Digital transformation projects often connect sensors, controllers, and cloud-based processing and insights, all operating entirely outside of the traditional enterprise network. To keep your critical IoT infrastructure protected, the family of AWS IoT services can provide end-to-end security over open networks, with device authentication and authorization offered as standard features.