Third-party trust providers - AWS Verified Access

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

Third-party trust providers

This section describes the trust data that third-party trust providers supply to AWS Verified Access.

Note

The context key for a trust provider comes from the policy reference name you set when you create the trust provider. For example, if you set the policy reference name to "idp123", the context key is "context.idp123". Make sure you use the correct context key when you write policies.

Browser extensions

If you plan to include device trust context in your access policies, you need the AWS Verified Access browser extension or a partner's browser extension. Verified Access currently supports the Google Chrome and Mozilla Firefox browsers.

Three device trust providers are currently supported: Jamf (supports macOS devices), CrowdStrike (supports Windows 11 and Windows 10 devices), and JumpCloud (supports Windows and macOS).

Jamf

Jamf is a third-party trust provider. If you define Jamf as a trust provider, Verified Access includes the trust data in the Cedar context during policy evaluation, under the key you specified as the policy reference name in the trust provider configuration. You can optionally write policies that evaluate this trust data. The following JSON schema shows which data is included in the evaluation.

For more information about using Jamf with AWS Verified Access, see Integrating AWS Verified Access with Jamf Device Identity on the Jamf website.

{
  "title": "Jamf device data specification",
  "type": "object",
  "properties": {
    "iss": {
      "type": "string",
      "description": "\"Issuer\" - the Jamf customer ID"
    },
    "iat": {
      "type": "integer",
      "description": "\"Issued at Time\" - a unixtime (seconds since epoch) value of when the device information data was generated"
    },
    "exp": {
      "type": "integer",
      "description": "\"Expiration\" - a unixtime (seconds since epoch) value for when this device information is no longer valid"
    },
    "sub": {
      "type": "string",
      "description": "\"Subject\" - either the hardware UID or a value generated based on device location"
    },
    "groups": {
      "type": "array",
      "description": "Group IDs from UEM connector sync",
      "items": { "type": "string" }
    },
    "risk": {
      "type": "string",
      "enum": ["HIGH", "MEDIUM", "LOW", "SECURE", "NOT_APPLICABLE"],
      "description": "a Jamf-reported level of risk associated with the device."
    },
    "osv": {
      "type": "string",
      "description": "The version of the OS that is currently running, in Apple version number format (https://support.apple.com/en-us/HT201260)"
    }
  }
}

The following is an example policy that evaluates the trust data provided by Jamf.

permit(principal, action, resource) when { context.jamf.risk == "LOW" };

Cedar provides a useful .contains() function for working with enumerations such as the Jamf risk score.

permit(principal, action, resource) when { ["LOW", "SECURE"].contains(context.jamf.risk) };

CrowdStrike

CrowdStrike is a third-party trust provider. If you define CrowdStrike as a trust provider, Verified Access includes the trust data in the Cedar context during policy evaluation, under the key you specified as the policy reference name in the trust provider configuration. You can optionally write policies that evaluate this trust data. The following JSON schema shows which data is included in the evaluation.

For more information about using CrowdStrike with AWS Verified Access, see Securing private applications with CrowdStrike and AWS Verified Access on the GitHub website.

{
  "title": "CrowdStrike device data specification",
  "type": "object",
  "properties": {
    "assessment": {
      "type": "object",
      "description": "Data about CrowdStrike's assessment of the device",
      "properties": {
        "overall": {
          "type": "integer",
          "description": "A single metric, between 1-100, that accounts as a weighted average of the OS and and Sensor Config scores"
        },
        "os": {
          "type": "integer",
          "description": "A single metric, between 1-100, that accounts for the OS-specific settings monitored on the host"
        },
        "sensor_config": {
          "type": "integer",
          "description": "A single metric, between 1-100, that accounts for the different sensor policies monitored on the host"
        },
        "version": {
          "type": "string",
          "description": "The version of the scoring algorithm being used"
        }
      }
    },
    "cid": {
      "type": "string",
      "description": "Customer ID (CID) unique to the customer's environemnt"
    },
    "exp": {
      "type": "integer",
      "description": "unixtime, The expiration time of the token"
    },
    "iat": {
      "type": "integer",
      "description": "unixtime, The issued time of the token"
    },
    "jwk_url": {
      "type": "string",
      "description": "URL that details the JWT signing"
    },
    "platform": {
      "type": "string",
      "enum": ["Windows 10", "Windows 11", "macOS"],
      "description": "Operating system of the endpoint"
    },
    "serial_number": {
      "type": "string",
      "description": "The serial number of the device derived by unique system information"
    },
    "sub": {
      "type": "string",
      "description": "Unique CrowdStrike Agent ID (AID) of machine"
    },
    "typ": {
      "type": "string",
      "enum": ["crowdstrike-zta+jwt"],
      "description": "Generic name for this JWT media. Client MUST reject any other type"
    }
  }
}

The following is an example policy that evaluates the trust data provided by CrowdStrike.

permit(principal, action, resource) when { context.crowdstrike.assessment.overall > 50 };

JumpCloud

JumpCloud is a third-party trust provider. If you define JumpCloud as a trust provider, Verified Access includes the trust data in the Cedar context during policy evaluation, under the key you specified as the policy reference name in the trust provider configuration. You can optionally write policies that evaluate this trust data. The following JSON schema shows which data is included in the evaluation.

For more information about using JumpCloud with AWS Verified Access, see Integrating JumpCloud and AWS Verified Access on the JumpCloud website.

{
  "title": "JumpCloud device data specification",
  "type": "object",
  "properties": {
    "device": {
      "type": "object",
      "description": "Properties of the device",
      "properties": {
        "is_managed": {
          "type": "boolean",
          "description": "Boolean to indicate if the device is under management"
        }
      }
    },
    "exp": {
      "type": "integer",
      "description": "Expiration. Unixtime of the token's expiration."
    },
    "durt_id": {
      "type": "string",
      "description": "Device User Refresh Token ID. Unique ID that represents the device + user."
    },
    "iat": {
      "type": "integer",
      "description": "Issued At. Unixtime of the token's issuance."
    },
    "iss": {
      "type": "string",
      "description": "Issuer. This will be 'go.jumpcloud.com'"
    },
    "org_id": {
      "type": "string",
      "description": "The JumpCloud Organization ID"
    },
    "sub": {
      "type": "string",
      "description": "Subject. The managed JumpCloud user ID on the device."
    },
    "system": {
      "type": "string",
      "description": "The JumpCloud system ID"
    }
  }
}

The following is an example policy that evaluates the trust context provided by JumpCloud.

permit(principal, action, resource) when { context.jumpcloud.device.is_managed && context.jumpcloud.org_id == "Unique_organization_identifier" };
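The following policy set is an added illustration, not taken from the AWS documentation, that applies the Jamf, CrowdStrike and JumpCloud trust data from the sections above in one place. It assumes the policy reference names jamf, crowdstrike and jumpcloud used in the examples above, uses `has` guards so that a policy does not error out (and therefore silently not apply) when a provider's context is absent, for example because the browser extension is not installed, and the org ID is a placeholder.

```cedar
// Added example: defensive policy set over the trust data described on this page.
// Assumes the policy reference names "jamf", "crowdstrike" and "jumpcloud".

// Jamf: allow only when the Jamf context is present and the device risk is
// LOW or SECURE. Without the "has" guard, a missing context key is an
// evaluation error and the policy would simply not apply.
permit(principal, action, resource)
when {
  context has jamf &&
  ["LOW", "SECURE"].contains(context.jamf.risk)
};

// CrowdStrike: allow only on a strong overall Zero Trust Assessment score and
// on the token type the schema says clients must require.
permit(principal, action, resource)
when {
  context has crowdstrike &&
  context.crowdstrike.typ == "crowdstrike-zta+jwt" &&
  context.crowdstrike.assessment.overall > 50
};

// JumpCloud: allow only managed devices that belong to one organization.
permit(principal, action, resource)
when {
  context has jumpcloud &&
  context.jumpcloud.device.is_managed &&
  context.jumpcloud.org_id == "EXAMPLE_ORG_ID"   // placeholder, not a real ID
};

// In Cedar a forbid always overrides a permit, so a HIGH-risk Jamf device is
// denied even if another provider's policy would have allowed the request.
forbid(principal, action, resource)
when {
  context has jamf &&
  context.jamf.risk == "HIGH"
};
```

Verified Access denies by default, so a request is allowed only when at least one permit matches and no forbid does.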