Third-party trust providers
This section describes the trust data provided to AWS Verified Access by third-party trust providers.
Note
The context key for your trust provider comes from the policy reference name that you configure when you create the trust provider. For example, if you configure the policy reference name as "idp123", the context key will be "context.idp123". Ensure you are using the correct context key when you create the policy.
Browser extension
If you plan to use device trust data in your access policy evaluation, then you will need the AWS Verified Access browser extension. Verified Access currently supports Google Chrome and Mozilla Firefox browsers.
We currently support two device trust providers: Jamf (which supports macOS devices) and CrowdStrike (which supports Windows 11 and Windows 10 devices).
- If you're using Jamf trust data in your policies, your users must download and install the AWS Verified Access browser extension from the Chrome web store or Firefox Add-on site on their devices.
- If you are using CrowdStrike trust data in your policies, first your users need to install the AWS Verified Access Native Messaging Host (direct download link). This component is required to get the trust data from the CrowdStrike agent running on users' devices. Then, after installing this component, users must install the AWS Verified Access browser extension from the Chrome web store or Firefox Add-on site on their devices.
Jamf
Jamf is a third-party trust provider. When a policy is evaluated, if you define Jamf as a trust provider, Verified Access includes the trust data in the Cedar context under the key you specify as "Policy Reference Name" on the trust provider configuration. You can write a policy that evaluates against the trust data if you choose.
For more information about using Jamf with AWS Verified Access, see Integrating AWS Verified Access with Jamf Device Identity.
The following JSON schema
{
  "title": "Jamf device data specification",
  "type": "object",
  "properties": {
    "iss": {
      "type": "string",
      "description": "\"Issuer\" - the Jamf customer ID"
    },
    "iat": {
      "type": "integer",
      "description": "\"Issued at Time\" - a unixtime (seconds since epoch) value of when the device information data was generated"
    },
    "exp": {
      "type": "integer",
      "description": "\"Expiration\" - a unixtime (seconds since epoch) value for when this device information is no longer valid"
    },
    "sub": {
      "type": "string",
      "description": "\"Subject\" - either the hardware UID or a value generated based on device location"
    },
    "groups": {
      "type": "array",
      "description": "Group IDs from UEM connector sync",
      "items": { "type": "string" }
    },
    "risk": {
      "type": "string",
      "enum": ["HIGH", "MEDIUM", "LOW", "SECURE", "NOT_APPLICABLE"],
      "description": "a Jamf-reported level of risk associated with the device."
    },
    "osv": {
      "type": "string",
      "description": "The version of the OS that is currently running, in Apple version number format (https://support.apple.com/en-us/HT201260)"
    }
  }
}
The following is an example of a policy that evaluates against the trust data provided by Jamf.
permit(principal, action, resource) when { context.jamf.risk == "LOW" };
Cedar provides a useful .contains() function to help with enums like Jamf's risk score.
permit(principal, action, resource) when { ["LOW", "SECURE"].contains(context.jamf.risk) };
CrowdStrike
CrowdStrike is a third-party trust provider. When a policy is evaluated, if you define CrowdStrike as a trust provider, Verified Access includes the trust data in the Cedar context under the key you specify as "Policy Reference Name" on the trust provider configuration. You can write a policy that evaluates against the trust data if you choose.
For more information about using CrowdStrike with AWS Verified Access, see Securing private applications with CrowdStrike and AWS Verified Access.
The following JSON schema
{
  "title": "CrowdStrike device data specification",
  "type": "object",
  "properties": {
    "assessment": {
      "type": "object",
      "description": "Data about CrowdStrike's assessment of the device",
      "properties": {
        "overall": {
          "type": "integer",
          "description": "A single metric, between 1-100, that accounts as a weighted average of the OS and Sensor Config scores"
        },
        "os": {
          "type": "integer",
          "description": "A single metric, between 1-100, that accounts for the OS-specific settings monitored on the host"
        },
        "sensor_config": {
          "type": "integer",
          "description": "A single metric, between 1-100, that accounts for the different sensor policies monitored on the host"
        },
        "version": {
          "type": "string",
          "description": "The version of the scoring algorithm being used"
        }
      }
    },
    "cid": {
      "type": "string",
      "description": "Customer ID (CID) unique to the customer's environment"
    },
    "exp": {
      "type": "integer",
      "description": "unixtime, The expiration time of the token"
    },
    "iat": {
      "type": "integer",
      "description": "unixtime, The issued time of the token"
    },
    "jwk_url": {
      "type": "string",
      "description": "URL that details the JWT signing"
    },
    "platform": {
      "type": "string",
      "enum": ["Windows 10", "Windows 11", "macOS"],
      "description": "Operating system of the endpoint"
    },
    "serial_number": {
      "type": "string",
      "description": "The serial number of the device derived by unique system information"
    },
    "sub": {
      "type": "string",
      "description": "Unique CrowdStrike Agent ID (AID) of machine"
    },
    "typ": {
      "type": "string",
      "enum": ["crowdstrike-zta+jwt"],
      "description": "Generic name for this JWT media. Client MUST reject any other type"
    }
  }
}
The following is an example of a policy that evaluates against the trust data provided by CrowdStrike.
permit(principal, action, resource) when { context.crowdstrike.assessment.overall > 50 };
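The following Python model of the Jamf and CrowdStrike policies above is an added example, not AWS code; it shows the checks a defender would also want around the policy condition (iat/exp freshness, the schema enum and typ, and the context key matching the policy reference name). All sample values are constructed, and the ref_name parameter is a hypothetical stand-in for the policy reference name.

```python
import time

# Constructed sample trust data shaped like the two schemas on this page; every
# value is made up. The top-level key is the policy reference name configured on
# the trust provider (for example "jamf" or "idp123").
SAMPLE_JAMF_CONTEXT = {"jamf": {
    "iss": "jamf-customer-1", "iat": 1700000000, "exp": 1700000600,
    "sub": "HWUID-0001", "groups": ["engineering"], "risk": "LOW", "osv": "14.1"}}
SAMPLE_CS_CONTEXT = {"crowdstrike": {
    "assessment": {"overall": 72, "os": 80, "sensor_config": 60, "version": "3"},
    "cid": "cid-0001", "iat": 1700000000, "exp": 1700000600,
    "jwk_url": "https://example.invalid/jwks.json", "platform": "Windows 11",
    "serial_number": "SN0001", "sub": "AID-0001", "typ": "crowdstrike-zta+jwt"}}

JAMF_RISK_LEVELS = {"HIGH", "MEDIUM", "LOW", "SECURE", "NOT_APPLICABLE"}
JAMF_ACCEPTED_RISK = {"LOW", "SECURE"}   # the .contains() policy above
CS_MIN_OVERALL = 50                      # the "overall > 50" policy above


def _is_current(claims, now):
    """Both schemas carry iat/exp as unixtime; stale or future-dated data must not satisfy a policy."""
    iat, exp = claims.get("iat"), claims.get("exp")
    return isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp


def jamf_permits(context, ref_name="jamf", now=None):
    """Model of: permit(principal, action, resource) when { ["LOW", "SECURE"].contains(context.jamf.risk) };"""
    now = int(time.time()) if now is None else now
    claims = context.get(ref_name)          # a wrong ref_name finds no trust data, hence deny
    if not claims or not _is_current(claims, now):
        return False
    risk = claims.get("risk")
    # A value outside the schema enum is unknown data, which is a deny, not a permit
    return risk in JAMF_RISK_LEVELS and risk in JAMF_ACCEPTED_RISK


def crowdstrike_permits(context, ref_name="crowdstrike", now=None):
    """Model of: permit(principal, action, resource) when { context.crowdstrike.assessment.overall > 50 };"""
    now = int(time.time()) if now is None else now
    claims = context.get(ref_name)
    if not claims or not _is_current(claims, now):
        return False
    if claims.get("typ") != "crowdstrike-zta+jwt":
        return False                        # the schema says clients MUST reject any other typ
    overall = claims.get("assessment", {}).get("overall")
    # The score is documented as 1-100; anything else is malformed and denied
    return isinstance(overall, int) and 1 <= overall <= 100 and overall > CS_MIN_OVERALL
```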