Default context for Verified Access trust data
AWS Verified Access adds a fixed set of facts about the current request to the Cedar context of every policy evaluation, regardless of which trust providers you have configured. Your policies can reference this data in the same way they reference trust provider data.
The following sections describe the data that is included in every evaluation.
Examples
HTTP request
When a policy is evaluated, Verified Access includes data about the current HTTP request in the Cedar context under the context.http_request key.
{
"title": "HTTP Request data included by Verified Access",
"type": "object",
"properties": {
"user_agent": {
"type": "string",
"description": "The value of the User-Agent request header"
},
"x_forwarded_for": {
"type": "string",
"description": "The value of the X-Forwarded-For request header"
},
"http_method": {
"type": "string",
"description": "The HTTP method (for example, GET or POST)"
},
"hostname": {
"type": "string",
"description": "The value of the Host request header"
},
"port": {
"type": "integer",
"description": "The endpoint port"
},
"client_ip": {
"type": "string",
"description": "The IP address connecting to the endpoint"
}
}
}
Policy example
The following is an example Cedar policy that uses the HTTP request data. Note that context.identity is not part of the default context: it refers to data supplied by a trust provider whose policy reference name is identity, so the policy only evaluates as intended when that provider supplies a roles attribute. Because Cedar denies by default, a forbid policy on its own allows nothing; it must be paired with a permit policy that grants the access you intend. Also keep in mind that user_agent and x_forwarded_for carry values set by the client or by intermediate proxies and can be forged, whereas client_ip is the address Verified Access observed on the connection; treat the header values as hints rather than as an authentication signal.
forbid(principal, action, resource) when {
context.http_request.http_method == "POST"
&& !(context.identity.roles.contains("Administrator"))
};
TCP flow
When a policy is evaluated, Verified Access includes data about the current TCP flow in the Cedar context under the context.tcp_flow key.
{
"title": "TCP flow data included by Verified Access",
"type": "object",
"properties": {
"destination_ip": {
"type": "string",
"description": "The IP address of the target"
},
"destination_port": {
"type": "string",
"description": "The target port"
},
"client_ip": {
"type": "string",
"description": "The IP address connecting to the endpoint"
}
}
}
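The following policies are an added example, not part of the Verified Access documentation, showing how the HTTP request data and the TCP flow data above are typically used together: a permit scoped to a specific hostname, port and method, and a forbid that restricts TCP flows to a particular source range and destination. The hostname, the 10.20.0.0/16 corporate range, the bastion address 10.20.5.10 and port 22 are hypothetical values chosen for illustration. The comparisons follow the types declared in the two schemas above (http_request.port is an integer, tcp_flow.destination_port is a string); Cedar does not coerce types, and a policy that compares mismatched types errors during evaluation and is then treated as not satisfied, so check the types your deployment actually reports before copying the literals.

```cedar
// Added example; hostnames, addresses and ports are hypothetical.

// Allow read-only web access to the intranet application on its standard
// HTTPS port. http_request.port is an integer in the schema, so the
// comparison uses an integer literal.
permit(principal, action, resource) when {
    context.http_request.hostname == "intranet.example.internal" &&
    context.http_request.port == 443 &&
    (context.http_request.http_method == "GET" ||
     context.http_request.http_method == "HEAD")
};

// Deny any TCP flow that does not come from the corporate range or that is
// not headed to SSH on the bastion host. The like operator is a string glob,
// not a CIDR test: the trailing dot in "10.20.*" matters, because "10.2*"
// would also match 10.200.x.x and 10.21.x.x. destination_port is a string in
// the schema, so it is compared against "22", not 22.
forbid(principal, action, resource) when {
    !(context.tcp_flow.client_ip like "10.20.*") ||
    context.tcp_flow.destination_ip != "10.20.5.10" ||
    context.tcp_flow.destination_port != "22"
};
```

A forbid policy only narrows access that some permit policy grants; with no matching permit, Cedar's default-deny already rejects the flow, so the forbid is what prevents a broader permit elsewhere in the group from opening the bastion to other sources or ports.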