Default context for Verified Access trust data - AWS Verified Access

Default context for Verified Access trust data

AWS Verified Access includes certain elements describing the current request in every Cedar evaluation by default, regardless of which trust providers you have configured. You can write policies that evaluate against this data if you choose.

The following are examples of the data that is included in the evaluation.

HTTP request

When a policy is evaluated, Verified Access includes data about the current HTTP request in the Cedar context under the context.http_request key.

{
    "title": "HTTP Request data included by Verified Access",
    "type": "object",
    "properties": {
        "user_agent": {
            "type": "string",
            "description": "The value of the User-Agent request header"
        },
        "x_forwarded_for": {
            "type": "string",
            "description": "The value of the X-Forwarded-For request header"
        },
        "http_method": {
            "type": "string",
            "description": "The HTTP method (for example, GET or POST)"
        },
        "hostname": {
            "type": "string",
            "description": "The value of the Host request header"
        },
        "port": {
            "type": "integer",
            "description": "The endpoint port"
        },
        "client_ip": {
            "type": "string",
            "description": "The IP address connecting to the endpoint"
        }
    }
}

Policy example

The following is an example Cedar policy that uses the HTTP request data.

forbid(principal, action, resource)
when {
    context.http_request.http_method == "POST" &&
    !(context.identity.roles.contains("Administrator"))
};

TCP flow

When a policy is evaluated, Verified Access includes data about the current TCP flow in the Cedar context under the context.tcp_flow key.

{
    "title": "TCP flow data included by Verified Access",
    "type": "object",
    "properties": {
        "destination_ip": {
            "type": "string",
            "description": "The IP address of the target"
        },
        "destination_port": {
            "type": "string",
            "description": "The target port"
        },
        "client_ip": {
            "type": "string",
            "description": "The IP address connecting to the endpoint"
        }
    }
}
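The following is an added worked example, not part of the AWS documentation or of Verified Access itself, covering both the HTTP request and TCP flow sections above. It models the default context with the property types from the two schemas, type-checks constructed sample contexts against them, and re-expresses the page's forbid policy in Python so its decision can be checked offline. The sample values are made up, and the identity roles are assumed to arrive under context.identity.roles as in the policy example above.

```python
# Added example (not from the AWS docs): model the default context that
# Verified Access places into Cedar, type-check constructed contexts against
# the page's schemas, and apply the page's forbid policy as plain Python.
# Cedar is not evaluated here; the rule is re-expressed for illustration.

# Property types taken from the two schemas on this page.
HTTP_REQUEST_TYPES = {
    "user_agent": str, "x_forwarded_for": str, "http_method": str,
    "hostname": str, "port": int, "client_ip": str,
}
TCP_FLOW_TYPES = {
    "destination_ip": str, "destination_port": str, "client_ip": str,
}

def check_types(obj: dict, types: dict) -> list:
    """Return the properties whose value does not match the schema type."""
    return [k for k, t in types.items() if k in obj and not isinstance(obj[k], t)]

def forbid_non_admin_post(context: dict) -> bool:
    """True when the page's forbid policy matches, i.e. the request is denied:
    a POST by a principal whose identity roles lack "Administrator"."""
    http = context["http_request"]
    roles = context.get("identity", {}).get("roles", [])  # assumed location
    return http["http_method"] == "POST" and "Administrator" not in roles

# Constructed sample contexts (values are made up, not real traffic).
NON_ADMIN_POST = {
    "http_request": {"user_agent": "curl/8.0", "x_forwarded_for": "203.0.113.7",
                     "http_method": "POST", "hostname": "app.example.internal",
                     "port": 443, "client_ip": "203.0.113.7"},
    "identity": {"roles": ["Developer"]},
}
ADMIN_POST = {**NON_ADMIN_POST, "identity": {"roles": ["Administrator"]}}
NON_ADMIN_GET = {**NON_ADMIN_POST,
                 "http_request": {**NON_ADMIN_POST["http_request"], "http_method": "GET"}}

# destination_port is a string in the tcp_flow schema (unlike http_request.port,
# which is an integer), so a policy comparing it must use a string literal.
TCP_FLOW = {"destination_ip": "10.0.1.20", "destination_port": "443",
            "client_ip": "203.0.113.7"}
# A mistyped context: port given as a string where the schema says integer.
BAD_HTTP = {**NON_ADMIN_POST["http_request"], "port": "443"}

if __name__ == "__main__":
    print(forbid_non_admin_post(NON_ADMIN_POST))   # True  (denied)
    print(forbid_non_admin_post(ADMIN_POST))       # False (policy does not match)
    print(forbid_non_admin_post(NON_ADMIN_GET))    # False
    print(check_types(TCP_FLOW, TCP_FLOW_TYPES))   # []
    print(check_types(BAD_HTTP, HTTP_REQUEST_TYPES))  # ['port']
```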