Production implementation of Zero Trust Architecture (ZTA) on AWS following NIST SP 800-207 and the BeyondCorp model. Replaces perimeter-based trust with continuous identity verification, device posture assessment, and least-privilege access at every layer.
| Principle | AWS Implementation |
|---|---|
| Verify explicitly | IAM Identity Center + MFA + conditional access |
| Use least privilege | Permission sets, ABAC, permission boundaries |
| Assume breach | GuardDuty, VPC microsegmentation, PrivateLink |
| Continuous verification | IAM Access Analyzer, Config Rules, CloudTrail |
| Network is hostile | mTLS everywhere, VPC endpoints, no public endpoints |
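The table maps principles to services; the following Terraform, which is an added example and not code from this repository, shows what three of those rows look like as one IAM Identity Center permission set: MFA is enforced at Identity Center sign-in, ABAC scopes every action to resources whose `Project` tag matches the caller's session tag, and a deny statement refuses secret reads that do not arrive through the PrivateLink endpoint. The tag key `Project`, the SCIM attribute it is sourced from, and the `secrets_vpc_endpoint_id` variable are assumptions.

```hcl
# Added example (not code from this repository): an IAM Identity Center
# permission set whose inline policy implements the "verify explicitly",
# "use least privilege" and "network is hostile" rows with ABAC.
# The tag key "Project", the SCIM attribute it is sourced from, and the
# VPC endpoint variable are assumptions.

variable "secrets_vpc_endpoint_id" {
  type        = string
  description = "Interface endpoint (PrivateLink) for Secrets Manager (placeholder, e.g. vpce-0123456789abcdef0)"
}

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

# ABAC: map the user's SCIM department attribute to the aws:PrincipalTag/Project
# session tag. MFA itself is enforced at Identity Center sign-in; the
# aws:MultiFactorAuthPresent key is absent from federated sessions, so it
# must not be used as a condition in the permission set below.
resource "aws_ssoadmin_instance_access_control_attributes" "abac" {
  instance_arn = local.sso_instance_arn
  attribute {
    key = "Project"
    value {
      source = ["$${path:enterprise.department}"] # $$ keeps the literal ${...} for AWS
    }
  }
}

data "aws_iam_policy_document" "project_operator" {
  # Least privilege via tags: only resources whose Project tag equals
  # the caller's Project session tag are reachable.
  statement {
    sid    = "ProjectScopedOperations"
    effect = "Allow"
    actions = [
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:RebootInstances",
      "secretsmanager:GetSecretValue",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Project"
      values   = ["$${aws:PrincipalTag/Project}"]
    }
  }

  # Describe/List calls carry no resource tags, so grant them separately
  # rather than loosening the tag condition above.
  statement {
    sid       = "ReadOnlyDiscovery"
    effect    = "Allow"
    actions   = ["ec2:DescribeInstances", "secretsmanager:ListSecrets"]
    resources = ["*"]
  }

  # Network is hostile: secret reads must arrive through the PrivateLink
  # endpoint. StringNotEquals also matches when aws:SourceVpce is absent,
  # so requests over the public service endpoint are denied.
  statement {
    sid       = "DenySecretsOutsidePrivateLink"
    effect    = "Deny"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [var.secrets_vpc_endpoint_id]
    }
  }
}

resource "aws_ssoadmin_permission_set" "project_operator" {
  name             = "ProjectOperator"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT1H" # short sessions force re-authentication
}

resource "aws_ssoadmin_permission_set_inline_policy" "project_operator" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.project_operator.arn
  inline_policy      = data.aws_iam_policy_document.project_operator.json
}
```

The explicit deny is the part worth checking after `terraform apply`: a `GetSecretValue` call from a workstation on the public internet must fail even for a correctly tagged principal, while the same call from inside the VPC through the interface endpoint succeeds. If `aws:PrincipalTag/Project` is missing from a session (attribute mapping not applied), the `StringEquals` condition evaluates false and the allow statement grants nothing, which fails closed.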
```text
┌──────────────────────────────────────────────────────────────┐
│                   Zero Trust Control Plane                   │
│                                                              │
│  ┌─────────────────┐      ┌──────────────────────────────┐   │
│  │  IAM Identity   │      │     AWS Verified Access      │   │
│  │     Center      │      │ (identity-aware application  │   │
│  │   (SSO + MFA)   │      │   proxy - no VPN required)   │   │
│  └────────┬────────┘      └──────────────┬───────────────┘   │
│           │                              │                   │
│  ┌────────▼──────────────────────────────▼────────────────┐  │
│  │              Policy Decision Point (PDP)               │  │
│  │        IAM + SCP + Permission Boundaries + ABAC        │  │
│  └───────────────────────────┬────────────────────────────┘  │
│                              │                               │
└──────────────────────────────┼───────────────────────────────┘
                               │ Enforce
┌──────────────────────────────▼───────────────────────────────┐
│                          Data Plane                          │
│                                                              │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌─────────────┐   │
│  │   VPC    │  │PrivateL- │  │   KMS    │  │ CloudTrail  │   │
│  │ Microseg-│  │   ink    │  │   (all   │  │  (all API   │   │
│  │ mentation│  │          │  │  data)   │  │   calls)    │   │
│  └──────────┘  └──────────┘  └──────────┘  └─────────────┘   │
└──────────────────────────────────────────────────────────────┘
```
- AWS Verified Access — Identity-aware application proxy; users access internal apps without VPN
- IAM Identity Center — Centralized SSO with SCIM provisioning from Okta/Azure AD
- ABAC — Attribute-Based Access Control using IAM tags for dynamic least privilege
- Network Perimeter — VPC Lattice, PrivateLink, no public endpoints
- Continuous Compliance — Config Rules + Security Hub with automatic drift detection
- mTLS — Certificate Manager Private CA for service-to-service authentication
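The first component in the list, AWS Verified Access, is where identity and device posture meet the request path. The Terraform below is an added example, not code from this repository: it builds one Verified Access instance with an IAM Identity Center user trust provider and a CrowdStrike device trust provider, then a Cedar group policy that admits only verified users in one group whose device assessment score is high enough, and finally an endpoint in front of an internal load balancer. Every variable value, the application domain, the group ID and the score threshold are assumptions; the Cedar attribute paths follow the trust-data layout of those two providers.

```hcl
# Added example (not code from this repository): AWS Verified Access in
# front of one internal application. Variable values, the domain, the
# group ID and the posture threshold are placeholders.

variable "crowdstrike_tenant_id"  { type = string }
variable "engineering_group_id"   { type = string } # Identity Center group ID
variable "internal_app_alb_arn"   { type = string } # internal ALB, not internet-facing
variable "private_subnet_ids"     { type = list(string) }
variable "domain_certificate_arn" { type = string } # ACM certificate for the app domain
variable "endpoint_sg_id"         { type = string }

resource "aws_verifiedaccess_instance" "zta" {
  description = "Identity-aware access to internal apps, no VPN"
}

# Who is asking: IAM Identity Center (SSO + MFA already enforced at sign-in).
resource "aws_verifiedaccess_trust_provider" "user" {
  policy_reference_name    = "identity"
  trust_provider_type      = "user"
  user_trust_provider_type = "iam-identity-center"
}

# What they are asking from: device posture reported by CrowdStrike.
resource "aws_verifiedaccess_trust_provider" "device" {
  policy_reference_name      = "crowdstrike"
  trust_provider_type        = "device"
  device_trust_provider_type = "crowdstrike"
  device_options {
    tenant_id = var.crowdstrike_tenant_id
  }
}

resource "aws_verifiedaccess_instance_trust_provider_attachment" "user" {
  verifiedaccess_instance_id       = aws_verifiedaccess_instance.zta.id
  verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.user.id
}

resource "aws_verifiedaccess_instance_trust_provider_attachment" "device" {
  verifiedaccess_instance_id       = aws_verifiedaccess_instance.zta.id
  verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.device.id
}

# Policy Decision Point for the application group: every request is
# re-evaluated against identity and device context; there is no
# "already inside the network" shortcut. The context keys ("identity",
# "crowdstrike") must equal the policy_reference_name values above.
resource "aws_verifiedaccess_group" "internal_apps" {
  verifiedaccess_instance_id = aws_verifiedaccess_instance.zta.id
  policy_document            = <<-CEDAR
    permit(principal, action, resource)
    when {
      context.identity.user.email.verified == true
      && context.identity.groups has "${var.engineering_group_id}"
      && context.crowdstrike.assessment.overall >= 70
    };
  CEDAR
}

# The Verified Access endpoint is the only reachable surface; the ALB
# behind it stays internal and is reached through the private subnets.
resource "aws_verifiedaccess_endpoint" "wiki" {
  application_domain       = "wiki.corp.example.com" # placeholder domain
  attachment_type          = "vpc"
  domain_certificate_arn   = var.domain_certificate_arn
  endpoint_domain_prefix   = "wiki"
  endpoint_type            = "load-balancer"
  verified_access_group_id = aws_verifiedaccess_group.internal_apps.id
  security_group_ids       = [var.endpoint_sg_id]

  load_balancer_options {
    load_balancer_arn = var.internal_app_alb_arn
    port              = 443
    protocol          = "https"
    subnet_ids        = var.private_subnet_ids
  }
}
```

Two things to verify after applying: the load balancer's own security group should accept traffic only from the endpoint security group, so that nothing in the VPC can bypass the policy by connecting to the ALB directly, and a request from a user who is in the group but on a device below the threshold should be rejected with a 403 from Verified Access, which is the observable sign that device posture is part of the decision and not just identity.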
```bash
cd terraform/environments/prod
terraform init && terraform plan
```

All seven tenets of Zero Trust are addressed. See docs/architecture/nist-alignment.md.
MIT License