Integrate Verified Access with AWS WAF
In addition to the authentication and authorization rules enforced by Verified Access, you might also want to apply perimeter protection. This can help you protect your applications from additional threats. You can accomplish this by integrating AWS WAF into your Verified Access deployment. AWS WAF is a web application firewall that lets you monitor the HTTP requests that are forwarded to your protected web application resources. For more information, see the AWS WAF Developer Guide.
You can integrate AWS WAF with Verified Access by associating an AWS WAF web access control list (ACL) with a Verified Access instance. A web ACL is an AWS WAF resource that gives you fine-grained control over all of the HTTP web requests that your protected resource responds to. While the AWS WAF association or disassociation request is being processed, the status of any Verified Access endpoints attached to the instance is shown as updating. After the request is complete, the status returns to active. You can view the status in the AWS Management Console or by describing the endpoint with the AWS CLI.
If you use an Application Load Balancer with user authentication, AWS WAF inspects the traffic after the load balancer authenticates the user.
Required IAM permissions
Integrating AWS WAF with Verified Access includes permission-only actions that don't directly correspond to an API operation. These actions are indicated in the AWS Identity and Access Management Service Authorization Reference with [permission only]. See Actions, resources, and condition keys for Amazon EC2 in the Service Authorization Reference.
To work with a web ACL, your AWS Identity and Access Management principal must have the following permissions.
ec2:AssociateVerifiedAccessInstanceWebAcl
ec2:DisassociateVerifiedAccessInstanceWebAcl
ec2:DescribeVerifiedAccessInstanceWebAclAssociations
ec2:GetVerifiedAccessInstanceWebAcl
Associate an AWS WAF web ACL
The following steps demonstrate how to associate an AWS WAF web access control list (ACL) with a Verified Access instance using the Verified Access console.
Prerequisite
Before you begin, create an AWS WAF web ACL. For more information, see Create a web ACL in the AWS WAF Developer Guide.
To associate an AWS WAF web ACL to a Verified Access instance
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Verified Access instances.
- Select the Verified Access instance.
- Select the Integrations tab.
- Choose Actions, then Associate Web ACL.
- For Web ACL, choose an existing web ACL, then choose Associate Web ACL.
Alternatively, you can use the AWS WAF console. If you use the AWS WAF console or API, you need the Amazon Resource Name (ARN) of your Verified Access instance. A Verified Access instance ARN has the following format:
arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}
For more information, see Associate a web ACL with an AWS resource in the AWS WAF Developer Guide.
Check the status of the association
You can verify whether an AWS WAF web access control list (ACL) is associated with a Verified Access instance by using the Verified Access console.
To view the status of AWS WAF integration with a Verified Access instance
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Verified Access instances.
- Select the Verified Access instance.
- Select the Integrations tab.
- Check the details listed under WAF integration status. The status is shown as Associated or Not associated, along with the web ACL identifier when the status is Associated.
Disassociate an AWS WAF web ACL
The following steps demonstrate how to disassociate an AWS WAF web access control list (ACL) from a Verified Access instance using the Verified Access console.
To disassociate an AWS WAF web ACL from a Verified Access instance
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Verified Access instances.
- Select the Verified Access instance.
- Select the Integrations tab.
- Choose Actions, then Disassociate Web ACL.
- Confirm by choosing Disassociate Web ACL.
Alternatively, you can use the AWS WAF console. For more information, see Disassociate a web ACL from an AWS resource in the AWS WAF Developer Guide.