Verified Access default context - AWS Verified Access

Verified Access default context

AWS Verified Access includes certain elements of the current HTTP request by default in every Cedar evaluation, regardless of which trust providers you have configured. When a policy is evaluated, Verified Access places this request data in the Cedar context under the context.http_request key, and your policies can evaluate against it. The following JSON schema shows which data is included in the evaluation.

{
  "title": "HTTP Request data included by Verified Access",
  "type": "object",
  "properties": {
    "user_agent": {
      "type": "string",
      "description": "The value of the User-Agent request header"
    },
    "x_forwarded_for": {
      "type": "string",
      "description": "The value of the X-Forwarded-For request header"
    },
    "http_method": {
      "type": "string",
      "description": "The HTTP Method provided (e.g. GET or POST)"
    },
    "hostname": {
      "type": "string",
      "description": "The value of the Host request header"
    },
    "port": {
      "type": "integer",
      "description": "The value of the verified access endpoint port"
    },
    "client_ip": {
      "type": "string",
      "description": "User ip connecting to the verified access endpoint"
    }
  }
}

The following is an example of a policy that evaluates against the HTTP request data.

forbid(principal, action, resource)
when {
    context.http_request.http_method == "POST" &&
    !(context.identity.roles.contains("Administrator"))
};
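As an added example (Python, not AWS or Cedar code), the following builds the context.http_request object from a request and mirrors the policy above, including what happens when no identity trust provider supplies context.identity; all function and sample names are assumptions.

```python
"""Build the context.http_request object Verified Access supplies and
mirror the page's forbid policy in Python. Added example, not AWS code;
no Cedar engine is involved, the evaluation is hand-written."""
from typing import Any, Dict, Mapping, Optional


def build_http_request_context(method: str, port: int, client_ip: str,
                               headers: Mapping[str, str]) -> Dict[str, Any]:
    """Populate the six schema keys from an HTTP request.

    Header lookup is case-insensitive; a missing header yields None so the
    caller can see which fields a policy could not rely on."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "user_agent": h.get("user-agent"),
        "x_forwarded_for": h.get("x-forwarded-for"),  # client/proxy supplied
        "http_method": method.upper(),
        "hostname": h.get("host"),
        "port": int(port),        # schema type is integer, not string
        "client_ip": client_ip,   # observed at the endpoint, not a header
    }


def forbid_non_admin_post(context: Dict[str, Any]) -> Optional[bool]:
    """Evaluate the page's forbid policy against a Cedar-style context.

    Returns True when the policy is satisfied (request forbidden), False
    when it is not, and None when evaluation reaches a missing attribute.
    Cedar skips a policy whose evaluation errors, so None means this forbid
    does not apply; the request is then decided by whatever permit policies
    exist (Cedar denies when no permit matches)."""
    http = context["http_request"]
    if http["http_method"] != "POST":
        return False              # && short-circuits; identity is never read
    identity = context.get("identity")
    if identity is None or "roles" not in identity:
        return None               # missing attribute -> policy is ignored
    return "Administrator" not in identity["roles"]


# Constructed sample request; hostname and addresses are documentation values.
SAMPLE_HEADERS = {"Host": "app.example.internal", "User-Agent": "curl/8.0",
                  "X-Forwarded-For": "203.0.113.9"}

if __name__ == "__main__":
    ctx = build_http_request_context("post", 443, "198.51.100.7", SAMPLE_HEADERS)
    for ident in ({"roles": ["Administrator"]}, {"roles": ["Developer"]}, None):
        full = {"http_request": ctx, **({"identity": ident} if ident else {})}
        print(ident, "->", forbid_non_admin_post(full))
```

The None case is the one to watch: if the identity trust provider is removed, the forbid above silently stops applying, so pair such a forbid with permits that themselves require the identity attributes.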