本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
Verified Access 信任資料的第三方信任提供者內容
本節說明第三方信任提供者提供給 AWS Verified Access 的信任資料。
注意
信任提供者的內容索引鍵來自您在建立信任提供者時設定的政策參考名稱。例如,如果您將政策參考名稱設定為 "idp123",內容索引鍵會是 "context.idp123"。建立政策時,請確定您使用的是正確的內容金鑰。
瀏覽器延伸模組
如果您打算將裝置信任內容納入存取政策,則需要 AWS Verified Access 瀏覽器延伸模組或其他合作夥伴的瀏覽器延伸模組。Verified Access 目前支援 Google Chrome 和 Mozilla Firefox 瀏覽器。
我們目前支援三個裝置信任提供者:Jamf (支援 macOS 裝置)、CrowdStrike (支援 Windows 11 和 Windows 10 裝置) 和 JumpCloud (同時支援 Windows 和 MacOS)。
-
如果您在政策中使用 Jamf 信任資料,您的使用者必須在其裝置上從 Chrome Web Store
或 Firefox 附加元件網站 下載並安裝 AWS Verified Access 瀏覽器擴充功能。 -
如果您在政策中使用 CrowdStrike 信任資料,您的使用者必須先安裝AWS Verified Access 原生傳訊主機
(直接下載連結)。需要此元件才能從在使用者裝置上執行的 CrowdStrike 代理程式取得信任資料。然後,安裝此元件之後,使用者必須在其裝置上從 Chrome Web Store 或 Firefox 附加元件網站 安裝 AWS Verified Access 瀏覽器延伸模組。 -
如果您使用的是 JumpCloud,您的使用者必須在其裝置上安裝 Chrome Web Store
或 Firefox 附加元件網站的 JumpCloud 瀏覽器延伸模組。
Jamf
Jamf 是第三方信任提供者。評估政策時,如果您將 Jamf 定義為信任提供者,Verified Access 會在 Cedar 內容中,在您指定為信任提供者組態上「政策參考名稱」的金鑰下包含信任資料。您可以選擇撰寫評估信任資料的政策。下列 JSON 結構描述
如需搭配 Verified Access 使用 Jamf 的詳細資訊,請參閱 Jamf 網站上的將 AWS Verified Access 與 Jamf Device Identity 整合
{ "title": "Jamf device data specification", "type": "object", "properties": { "iss": { "type": "string", "description": "\"Issuer\" - the Jamf customer ID" }, "iat": { "type": "integer", "description": "\"Issued at Time\" - a unixtime (seconds since epoch) value of when the device information data was generated" }, "exp": { "type": "integer", "description": "\"Expiration\" - a unixtime (seconds since epoch) value for when this device information is no longer valid" }, "sub": { "type": "string", "description": "\"Subject\" - either the hardware UID or a value generated based on device location" }, "groups": { "type": "array", "description": "Group IDs from UEM connector sync", "items": { "type": "string" } }, "risk": { "type": "string", "enum": [ "HIGH", "MEDIUM", "LOW", "SECURE", "NOT_APPLICABLE" ], "description": "a Jamf-reported level of risk associated with the device." }, "osv": { "type": "string", "description": "The version of the OS that is currently running, in Apple version number format (https://support.apple.com/en-us/HT201260)" } } }
以下是針對 Jamf 提供的信任資料進行評估的政策範例。
permit(principal, action, resource) when { context.jamf.risk == "LOW" };
Cedar 提供實用的.contains()函數,可協助處理列舉,例如 Jamf 的風險分數。
permit(principal, action, resource) when { ["LOW", "SECURE"].contains(context.jamf.risk) };
CrowdStrike
CrowdStrike 是第三方信任提供者。評估政策時,如果您將 CrowdStrike 定義為信任提供者,Verified Access 會在 Cedar 內容中,在您在信任提供者組態上指定為「政策參考名稱」的金鑰下包含信任資料。您可以選擇撰寫評估信任資料的政策。下列 JSON 結構描述
如需搭配 Verified Access 使用 CrowdStrike 的詳細資訊,請參閱搭配 CrowdStrike 保護私有應用程式,以及 AWS Verified Access
{ "title": "CrowdStrike device data specification", "type": "object", "properties": { "assessment": { "type": "object", "description": "Data about CrowdStrike's assessment of the device", "properties": { "overall": { "type": "integer", "description": "A single metric, between 1-100, that accounts as a weighted average of the OS and and Sensor Config scores" }, "os": { "type": "integer", "description": "A single metric, between 1-100, that accounts for the OS-specific settings monitored on the host" }, "sensor_config": { "type": "integer", "description": "A single metric, between 1-100, that accounts for the different sensor policies monitored on the host" }, "version": { "type": "string", "description": "The version of the scoring algorithm being used" } } }, "cid": { "type": "string", "description": "Customer ID (CID) unique to the customer's environment" }, "exp": { "type": "integer", "description": "unixtime, The expiration time of the token" }, "iat": { "type": "integer", "description": "unixtime, The issued time of the token" }, "jwk_url": { "type": "string", "description": "URL that details the JWT signing" }, "platform": { "type": "string", "enum": ["Windows 10", "Windows 11", "macOS"], "description": "Operating system of the endpoint" }, "serial_number": { "type": "string", "description": "The serial number of the device derived by unique system information" }, "sub": { "type": "string", "description": "Unique CrowdStrike Agent ID (AID) of machine" }, "typ": { "type": "string", "enum": ["crowdstrike-zta+jwt"], "description": "Generic name for this JWT media. Client MUST reject any other type" } } }
以下是針對 CrowdStrike 提供的信任資料進行評估的政策範例。
permit(principal, action, resource) when { context.crowdstrike.assessment.overall > 50 };
JumpCloud
JumpCloud 是第三方信任提供者。評估政策時,如果您將 JumpCloud 定義為信任提供者,Verified Access 會在 Cedar 內容中,在您指定為信任提供者組態上的「政策參考名稱」金鑰下包含信任資料。您可以選擇撰寫評估信任資料的政策。下列 JSON 結構描述
如需搭配 AWS Verified Access 使用 JumpCloud 的詳細資訊,請參閱 JumpCloud 網站上的整合 JumpCloud 和 AWS Verified Access
{ "title": "JumpCloud device data specification", "type": "object", "properties": { "device": { "type": "object", "description": "Properties of the device", "properties": { "is_managed": { "type": "boolean", "description": "Boolean to indicate if the device is under management" } } }, "exp": { "type": "integer", "description": "Expiration. Unixtime of the token's expiration." }, "durt_id": { "type": "string", "description": "Device User Refresh Token ID. Unique ID that represents the device + user." }, "iat": { "type": "integer", "description": "Issued At. Unixtime of the token's issuance." }, "iss": { "type": "string", "description": "Issuer. This will be 'go.jumpcloud.com'" }, "org_id": { "type": "string", "description": "The JumpCloud Organization ID" }, "sub": { "type": "string", "description": "Subject. The managed JumpCloud user ID on the device." }, "system": { "type": "string", "description": "The JumpCloud system ID" } } }
以下是針對 JumpCloud 提供的信任內容進行評估的政策範例。
permit(principal, action, resource) when { context.jumpcloud.org_id == 'Unique_organization_identifier' };
