Third-party trust provider context for Verified Access trust data - AWS Verified Access

Third-party trust provider context for Verified Access trust data

This section describes the trust data that third-party trust providers supply to AWS Verified Access.

Note

The context key for your trust provider comes from the policy reference name that you configured when you created that trust provider. For example, if you configured the policy reference name as "idp123", the context key will be "context.idp123". Make sure that you use the correct context key when you create policies.

Browser extension

If you plan to incorporate device trust context into your access policies, you need to use the AWS Verified Access browser extension or another partner's browser extension. Verified Access currently supports the Google Chrome and Mozilla Firefox browsers.

We currently support three device trust providers: Jamf (supports macOS devices), CrowdStrike (supports Windows 11 and Windows 10 devices), and JumpCloud (supports Windows and macOS).

Jamf

Jamf is a third-party trust provider. When evaluating policies, if Jamf is defined as a trust provider, Verified Access includes the trust data in the Cedar context under the key you specified as the "policy reference name" in the trust provider configuration. If you wish, you can write policies that evaluate against this trust data. The following JSON schema shows the data included in the evaluation.

For more information about using Jamf with Verified Access, see Integrating AWS Verified Access with Jamf Device Identity on the Jamf website.

{
  "title": "Jamf device data specification",
  "type": "object",
  "properties": {
    "iss": {
      "type": "string",
      "description": "\"Issuer\" - the Jamf customer ID"
    },
    "iat": {
      "type": "integer",
      "description": "\"Issued at Time\" - a unixtime (seconds since epoch) value of when the device information data was generated"
    },
    "exp": {
      "type": "integer",
      "description": "\"Expiration\" - a unixtime (seconds since epoch) value for when this device information is no longer valid"
    },
    "sub": {
      "type": "string",
      "description": "\"Subject\" - either the hardware UID or a value generated based on device location"
    },
    "groups": {
      "type": "array",
      "description": "Group IDs from UEM connector sync",
      "items": { "type": "string" }
    },
    "risk": {
      "type": "string",
      "enum": ["HIGH", "MEDIUM", "LOW", "SECURE", "NOT_APPLICABLE"],
      "description": "a Jamf-reported level of risk associated with the device."
    },
    "osv": {
      "type": "string",
      "description": "The version of the OS that is currently running, in Apple version number format (https://support.apple.com/en-us/HT201260)"
    }
  }
}

The following is an example policy that evaluates against the trust data provided by Jamf.

permit(principal, action, resource) when { context.jamf.risk == "LOW" };

Cedar provides a useful .contains() function to help when working with enumerations such as the Jamf risk score.

permit(principal, action, resource) when { ["LOW", "SECURE"].contains(context.jamf.risk) };

CrowdStrike

CrowdStrike is a third-party trust provider. When evaluating policies, if CrowdStrike is defined as a trust provider, Verified Access includes the trust data in the Cedar context under the key you specified as the "policy reference name" in the trust provider configuration. If you wish, you can write policies that evaluate against this trust data. The following JSON schema shows the data included in the evaluation.

For more information about using CrowdStrike with Verified Access, see Securing private applications with CrowdStrike and AWS Verified Access on the GitHub website.

{
  "title": "CrowdStrike device data specification",
  "type": "object",
  "properties": {
    "assessment": {
      "type": "object",
      "description": "Data about CrowdStrike's assessment of the device",
      "properties": {
        "overall": {
          "type": "integer",
          "description": "A single metric, between 1-100, that accounts as a weighted average of the OS and Sensor Config scores"
        },
        "os": {
          "type": "integer",
          "description": "A single metric, between 1-100, that accounts for the OS-specific settings monitored on the host"
        },
        "sensor_config": {
          "type": "integer",
          "description": "A single metric, between 1-100, that accounts for the different sensor policies monitored on the host"
        },
        "version": {
          "type": "string",
          "description": "The version of the scoring algorithm being used"
        }
      }
    },
    "cid": {
      "type": "string",
      "description": "Customer ID (CID) unique to the customer's environment"
    },
    "exp": {
      "type": "integer",
      "description": "unixtime, The expiration time of the token"
    },
    "iat": {
      "type": "integer",
      "description": "unixtime, The issued time of the token"
    },
    "jwk_url": {
      "type": "string",
      "description": "URL that details the JWT signing"
    },
    "platform": {
      "type": "string",
      "enum": ["Windows 10", "Windows 11", "macOS"],
      "description": "Operating system of the endpoint"
    },
    "serial_number": {
      "type": "string",
      "description": "The serial number of the device derived by unique system information"
    },
    "sub": {
      "type": "string",
      "description": "Unique CrowdStrike Agent ID (AID) of machine"
    },
    "typ": {
      "type": "string",
      "enum": ["crowdstrike-zta+jwt"],
      "description": "Generic name for this JWT media. Client MUST reject any other type"
    }
  }
}

The following is an example policy that evaluates against the trust data provided by CrowdStrike.

permit(principal, action, resource) when { context.crowdstrike.assessment.overall > 50 };

JumpCloud

JumpCloud is a third-party trust provider. When evaluating policies, if JumpCloud is defined as a trust provider, Verified Access includes the trust data in the Cedar context under the key you specified as the "policy reference name" in the trust provider configuration. If you wish, you can write policies that evaluate against this trust data. The following JSON schema shows the data included in the evaluation.

For more information about using JumpCloud with AWS Verified Access, see Integrating JumpCloud and AWS Verified Access on the JumpCloud website.

{
  "title": "JumpCloud device data specification",
  "type": "object",
  "properties": {
    "device": {
      "type": "object",
      "description": "Properties of the device",
      "properties": {
        "is_managed": {
          "type": "boolean",
          "description": "Boolean to indicate if the device is under management"
        }
      }
    },
    "exp": {
      "type": "integer",
      "description": "Expiration. Unixtime of the token's expiration."
    },
    "durt_id": {
      "type": "string",
      "description": "Device User Refresh Token ID. Unique ID that represents the device + user."
    },
    "iat": {
      "type": "integer",
      "description": "Issued At. Unixtime of the token's issuance."
    },
    "iss": {
      "type": "string",
      "description": "Issuer. This will be 'go.jumpcloud.com'"
    },
    "org_id": {
      "type": "string",
      "description": "The JumpCloud Organization ID"
    },
    "sub": {
      "type": "string",
      "description": "Subject. The managed JumpCloud user ID on the device."
    },
    "system": {
      "type": "string",
      "description": "The JumpCloud system ID"
    }
  }
}

The following is an example policy that evaluates against the trust context provided by JumpCloud.

permit(principal, action, resource) when { context.jumpcloud.org_id == "Unique_organization_identifier" };
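As an added example that is not from the AWS documentation, the following policies (one per trust provider; each would live in the policy document of a Verified Access group configured with that provider) combine several of the schema fields above and guard attribute access with Cedar's has operator, since a condition that references an attribute absent from the context raises an evaluation error, and a policy that errors cannot permit the request. They assume the policy reference names "jamf", "crowdstrike" and "jumpcloud", and "ORG-ID-PLACEHOLDER" stands in for your real JumpCloud Organization ID.

```cedar
// Added example policies; not from the AWS documentation.
// Assumed policy reference names: "jamf", "crowdstrike", "jumpcloud".

// Jamf: permit only devices reported as LOW risk or SECURE, and
// separately forbid devices reported as HIGH risk. In Cedar, any
// applicable forbid overrides every permit.
permit(principal, action, resource)
when {
    context has jamf &&
    context.jamf has risk &&
    ["LOW", "SECURE"].contains(context.jamf.risk)
};

forbid(principal, action, resource)
when {
    context has jamf &&
    context.jamf has risk &&
    context.jamf.risk == "HIGH"
};

// CrowdStrike: require both the overall score and the sensor
// configuration score to exceed 50, and only accept the Windows
// platforms listed in the schema's platform enum.
permit(principal, action, resource)
when {
    context has crowdstrike &&
    context.crowdstrike has assessment &&
    context.crowdstrike has platform &&
    context.crowdstrike.assessment.overall > 50 &&
    context.crowdstrike.assessment.sensor_config > 50 &&
    ["Windows 10", "Windows 11"].contains(context.crowdstrike.platform)
};

// JumpCloud: require a managed device that belongs to your organization.
// "ORG-ID-PLACEHOLDER" must be replaced with your JumpCloud Organization ID.
permit(principal, action, resource)
when {
    context has jumpcloud &&
    context.jumpcloud has device &&
    context.jumpcloud has org_id &&
    context.jumpcloud.device.is_managed == true &&
    context.jumpcloud.org_id == "ORG-ID-PLACEHOLDER"
};
```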