Verified Access example policies - AWS Verified Access

Verified Access example policies

You can use Verified Access policies to grant specific users and devices access to your applications. Policies are written in the Cedar policy language: a request is allowed only when at least one permit policy matches it and no forbid policy does.

Example 1: Grant access to a group in IAM Identity Center

When using AWS IAM Identity Center, refer to groups by their IDs rather than their names. A policy that names a group breaks as soon as the group is renamed; its ID does not change.

The following example policy allows access only to users in the specified group with a verified email address. The group ID is c242c5b0-6081-1845-6fa8-6e0d9513c107. In these examples, policy-reference-name stands for the policy reference name you assigned to the IAM Identity Center trust provider. The groups attribute from IAM Identity Center is a record keyed by group ID, so the policy tests membership with the Cedar has operator.

permit(principal,action,resource) when { context.policy-reference-name.groups has "c242c5b0-6081-1845-6fa8-6e0d9513c107" && context.policy-reference-name.user.email.verified == true };

The following example policy allows access only when the user is in the specified group, the user has a verified email address, and the Jamf device risk score is LOW. Here jamf is the policy reference name of the Jamf device trust provider.

permit(principal,action,resource) when { context.policy-reference-name.groups has "c242c5b0-6081-1845-6fa8-6e0d9513c107" && context.policy-reference-name.user.email.verified == true && context.jamf.risk == "LOW" };

For more information about the trust data, see AWS IAM Identity Center context for Verified Access trust data.

Example 2: Grant access to a group in a third-party provider

The following example policy allows access only when the user is in the specified group, the user has a verified email address, and the Jamf device risk score is LOW. The name of the group is "finance". A third-party OIDC provider delivers groups as a list claim, so this policy tests membership with contains rather than with has, and checks the email_verified claim directly.

permit(principal,action,resource) when { context.policy-reference-name.groups.contains("finance") && context.policy-reference-name.email_verified == true && context.jamf.risk == "LOW" };

For more information about the trust data, see Third-party trust provider context for Verified Access trust data.

Example 3: Grant access using CrowdStrike

The following example policy allows access when the overall assessment score is greater than 50. Here crwd is the policy reference name of the CrowdStrike device trust provider.

permit(principal,action,resource) when { context.crwd.assessment.overall > 50 };

Example 4: Allow or deny a specific IP address

The following example policy allows requests only from the specified IP address. It compares client_ip as a string, so it matches only the exact textual form of the address; comparing with the Cedar ip() function, as in the forbid example below, compares addresses rather than strings.

permit(principal, action, resource) when { context.http_request.client_ip == "192.0.2.1" };

The following example policy denies requests from the specified IP address. A forbid policy overrides every permit, so requests from this address are denied even if another policy permits them. Requests from any other address are still denied unless some permit policy matches them.

forbid(principal,action,resource) when { ip(context.http_request.client_ip).isInRange(ip("192.0.2.1/32")) };
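Policies like those in Examples 1 and 4 are often generated from inventory data rather than typed by hand. The following script is an added example, not code from the AWS documentation: it renders a group policy that permits members of one or more IAM Identity Center groups with a verified email and forbids a list of client IP ranges, then applies the document with the EC2 API actions ModifyVerifiedAccessGroupPolicy and GetVerifiedAccessGroupPolicy through boto3. It assumes the IAM Identity Center trust provider was attached with the policy reference name idc (the page uses the placeholder policy-reference-name); the group ID, CIDR and the requirement that a policy reference name be a plain Cedar identifier are assumptions for the example. Input values are validated before they are interpolated, so a malformed group ID or CIDR cannot change the shape of the policy.

```python
"""Render and apply an AWS Verified Access group policy (added example, not AWS code)."""
from __future__ import annotations

import ipaddress
import re

# IAM Identity Center group IDs are UUID-shaped; refusing anything else means a
# caller-supplied value can never close the quoted string and alter the policy.
_GROUP_ID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
# Assumed constraint: the policy reference name is used as a Cedar identifier.
_CEDAR_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def render_policy(trust_provider: str, group_ids: list[str], denied_cidrs: list[str]) -> str:
    """Return a Cedar policy document with one permit and, if needed, one forbid.

    The permit follows the page's Example 1: the user must belong to at least one
    of the given Identity Center groups (a record keyed by group ID, hence `has`)
    and must have a verified email. The forbid follows Example 4 and overrides the
    permit whenever the client IP falls in a denied range.
    """
    if not _CEDAR_IDENT_RE.fullmatch(trust_provider):
        raise ValueError(f"policy reference name is not a Cedar identifier: {trust_provider!r}")
    if not group_ids:
        raise ValueError("at least one group ID is required; an empty permit would match nobody")
    for gid in group_ids:
        if not _GROUP_ID_RE.fullmatch(gid):
            raise ValueError(f"not an IAM Identity Center group ID: {gid!r}")
    # ipaddress rejects malformed input and, with strict=True, host bits set in a prefix.
    nets = [ipaddress.ip_network(cidr, strict=True) for cidr in denied_cidrs]

    group_checks = " || ".join(f'context.{trust_provider}.groups has "{gid}"' for gid in group_ids)
    statements = [
        "permit(principal, action, resource) when {\n"
        f"    ({group_checks})\n"
        f"    && context.{trust_provider}.user.email.verified == true\n"
        "};"
    ]
    if nets:
        ip_checks = " || ".join(
            f'ip(context.http_request.client_ip).isInRange(ip("{net}"))' for net in nets
        )
        statements.append("forbid(principal, action, resource) when {\n" f"    {ip_checks}\n" "};")
    return "\n\n".join(statements) + "\n"


def apply_policy(verified_access_group_id: str, document: str, region: str | None = None) -> str:
    """Apply the document to a Verified Access group and read it back.

    Returns the document stored by the service so the caller can confirm that
    exactly the rendered text was accepted. boto3 is imported here so that
    rendering and testing work without AWS credentials.
    """
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    ec2.modify_verified_access_group_policy(
        VerifiedAccessGroupId=verified_access_group_id,
        PolicyEnabled=True,
        PolicyDocument=document,
    )
    stored = ec2.get_verified_access_group_policy(VerifiedAccessGroupId=verified_access_group_id)
    return stored["PolicyDocument"]


if __name__ == "__main__":
    # Constructed sample values: the page's group ID and the documentation IP address.
    doc = render_policy("idc", ["c242c5b0-6081-1845-6fa8-6e0d9513c107"], ["192.0.2.1/32"])
    print(doc)
    # apply_policy("<verified-access-group-id>", doc)  # run with a real group ID and credentials
```

After applying, compare the value returned by apply_policy with the rendered document; a difference means the service normalized or rejected part of the text and the policy in force is not the one you reviewed.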