Chebis26/zero-trust-architecture

Zero Trust Architecture on AWS


Production implementation of Zero Trust Architecture (ZTA) on AWS following NIST SP 800-207 and the BeyondCorp model. Replaces perimeter-based trust with continuous identity verification, device posture assessment, and least-privilege access at every layer.

Zero Trust Principles Implemented

| Principle | AWS Implementation |
| --- | --- |
| Verify explicitly | IAM Identity Center + MFA + conditional access |
| Use least privilege | Permission sets, ABAC, permission boundaries |
| Assume breach | GuardDuty, VPC microsegmentation, PrivateLink |
| Continuous verification | IAM Access Analyzer, Config Rules, CloudTrail |
| Network is hostile | mTLS everywhere, VPC endpoints, no public endpoints |

Architecture

┌──────────────────────────────────────────────────────────────┐
│                     Zero Trust Control Plane                  │
│                                                               │
│  ┌─────────────────┐    ┌──────────────────────────────────┐ │
│  │  IAM Identity   │    │      AWS Verified Access         │ │
│  │    Center       │    │  (identity-aware application     │ │
│  │  (SSO + MFA)    │    │   proxy - no VPN required)       │ │
│  └────────┬────────┘    └──────────────┬───────────────────┘ │
│           │                            │                      │
│  ┌────────▼────────────────────────────▼───────────────────┐ │
│  │              Policy Decision Point (PDP)                 │ │
│  │     IAM + SCP + Permission Boundaries + ABAC            │ │
│  └────────────────────────┬────────────────────────────────┘ │
│                            │                                  │
└────────────────────────────┼──────────────────────────────────┘
                             │ Enforce
┌────────────────────────────▼──────────────────────────────────┐
│                     Data Plane                                 │
│                                                               │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌─────────────┐  │
│  │  VPC     │  │PrivateL- │  │  KMS     │  │  CloudTrail │  │
│  │ Microseg-│  │  ink     │  │ (all     │  │  (all API   │  │
│  │ mentation│  │          │  │  data)   │  │   calls)    │  │
│  └──────────┘  └──────────┘  └──────────┘  └─────────────┘  │
└───────────────────────────────────────────────────────────────┘
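The decision logic of the PDP box above, as an added example in Python (it is not the repository's Terraform or any AWS code): a reduced model of IAM's evaluation order in which an explicit Deny in any layer wins and a request must otherwise be allowed by the SCP, the permission boundary and the identity policy, with ABAC expressed as an aws:ResourceTag / aws:PrincipalTag match. The policies, the account ID, the ARNs and the condition-key values are constructed; resource-based and session policies are left out of the model.

```python
"""Reduced model of the Policy Decision Point: an explicit Deny in any layer
wins, otherwise the SCP, the permission boundary and the identity policy must
each Allow.  Resource-based and session policies are not modelled.  Policies,
account ID and ARNs below are constructed for this example (not repo code)."""
from fnmatch import fnmatchcase
from typing import Optional


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    # Expand IAM policy variables such as ${aws:PrincipalTag/project}.
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(condition: Optional[dict], ctx: dict) -> bool:
    """The three operators this example needs.  As in IAM, a key missing from
    the request context fails StringEquals/Bool and satisfies StringNotEquals."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [_resolve(v, ctx) for v in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual is not None and actual in wanted
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in wanted
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() in [str(w).lower() for w in wanted]
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt: dict, req: dict) -> bool:
    # Action names are case-insensitive, ARNs are not; '*' and '?' are IAM wildcards.
    action_ok = any(fnmatchcase(req["action"].lower(), p.lower()) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(req["resource"], p) for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition"), req["context"])


def evaluate_policy(policy: dict, req: dict) -> Optional[str]:
    """'Deny' if any Deny statement matches, 'Allow' if any Allow matches, None = implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, req)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def decide(req: dict, scp: dict, boundary: dict, identity: dict) -> tuple:
    """PDP verdict and the layer that produced it."""
    results = [(name, evaluate_policy(p, req)) for name, p in
               (("SCP", scp), ("permission boundary", boundary), ("identity policy", identity))]
    for name, result in results:
        if result == "Deny":
            return "Deny", f"explicit deny in {name}"
    for name, result in results:
        if result is None:
            return "Deny", f"no allow in {name}"
    return "Allow", "allowed by every layer"


# Constructed policies: the SCP pins regions, the boundary caps what any role in
# the account may do, the identity policy grants ABAC access to project secrets.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:*", "kms:Decrypt"], "Resource": "*"}]}
IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:*:*:secret:*",
     "Condition": {"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"},
                   "Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    # Wider than the boundary on purpose: the boundary, not this grant, caps it.
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*"}]}
SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:alpha/db-AbCdEf"  # hypothetical ARN


def request(action, resource, principal_project="alpha", resource_project="alpha",
            mfa="true", region="us-east-1") -> dict:
    """Request plus the condition-key context the PDP would see (constructed values)."""
    return {"action": action, "resource": resource, "context": {
        "aws:PrincipalTag/project": principal_project,
        "aws:ResourceTag/project": resource_project,
        "aws:MultiFactorAuthPresent": mfa,
        "aws:RequestedRegion": region}}


if __name__ == "__main__":
    for label, req in [("same project", request("secretsmanager:GetSecretValue", SECRET)),
                       ("other project", request("secretsmanager:GetSecretValue", SECRET, resource_project="beta")),
                       ("wrong region", request("secretsmanager:GetSecretValue", SECRET, region="ap-south-1")),
                       ("outside boundary", request("ec2:StartInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"))]:
        print(f"{label:17} -> {decide(req, SCP, BOUNDARY, IDENTITY)}")
```

The point the model makes explicit is that the identity policy's ec2:StartInstances grant never becomes effective: the permission boundary has no matching Allow, so the request is implicitly denied at that layer no matter what the permission set says. Against real AWS, the same questions are answered authoritatively by the IAM policy simulator and by IAM Access Analyzer's policy validation rather than by a local model.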

Key Components

  • AWS Verified Access — Identity-aware application proxy; users reach internal apps without a VPN, and each request is evaluated against identity and device-trust policy
  • IAM Identity Center — Centralized SSO and MFA, with users and groups provisioned over SCIM from Okta or Azure AD (Microsoft Entra ID)
  • ABAC — Attribute-Based Access Control: IAM policies compare principal tags with resource tags, so least privilege follows the tags instead of per-resource policy edits
  • Network segmentation — VPC Lattice and PrivateLink for service-to-service reachability; no public endpoints
  • Continuous Compliance — Config Rules and Security Hub flag configuration drift automatically
  • mTLS — AWS Private CA (formerly ACM Private CA) issues the certificates used for service-to-service authentication
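The drift-detection side of the Continuous Compliance item, as an added example in Python (it is not the repository's code): the evaluation logic of a custom AWS Config rule for the "no public endpoints" control, which flags security groups with 0.0.0.0/0 or ::/0 ingress and internet-facing load balancers. The handler shape (invokingEvent, resultToken, PutEvaluations) is AWS Config's; the configuration items are constructed samples and the resource IDs are hypothetical.

```python
"""Custom AWS Config rule enforcing 'no public endpoints': security groups with
world-reachable ingress and internet-facing load balancers are NON_COMPLIANT.
Added example, not the repository's code; sample items below are constructed."""
import json
from typing import List

WORLD = {"0.0.0.0/0", "::/0"}


def _open_ranges(configuration: dict) -> List[str]:
    """World-open ingress rules of a security group configuration item.  Config
    emits both the legacy ipRanges strings and ipv4Ranges/ipv6Ranges objects,
    so CIDRs are de-duplicated per permission."""
    found = []
    for perm in configuration.get("ipPermissions", []):
        cidrs = set(perm.get("ipRanges", []))
        cidrs |= {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        port = perm.get("fromPort", "all")  # absent for protocol -1 (all traffic)
        for cidr in sorted(c for c in cidrs if c in WORLD):
            found.append(f"{perm.get('ipProtocol')}/{port} from {cidr}")
    return found


def evaluate_compliance(item: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    rtype = item["resourceType"]
    cfg = item.get("configuration") or {}
    if rtype == "AWS::EC2::SecurityGroup":
        open_rules = _open_ranges(cfg)
        if open_rules:
            return "NON_COMPLIANT", "world-reachable ingress: " + ", ".join(open_rules)
        return "COMPLIANT", "no 0.0.0.0/0 or ::/0 ingress"
    if rtype == "AWS::ElasticLoadBalancingV2::LoadBalancer":
        if cfg.get("scheme") == "internet-facing":
            return "NON_COMPLIANT", "load balancer is internet-facing"
        return "COMPLIANT", "load balancer is internal"
    return "NOT_APPLICABLE", f"rule does not cover {rtype}"


def build_evaluation(event: dict) -> dict:
    """Turn the Config invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: report the verdict back to AWS Config."""
    import boto3  # only needed inside Lambda; the evaluation itself runs offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample: a security group open to the world on 22/tcp (hypothetical IDs).
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"],
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["10.0.0.0/8"],
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]},
}
SAMPLE_EVENT = {"resultToken": "example-token",
                "invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM})}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

A rule like this only closes the loop when its NON_COMPLIANT findings reach Security Hub and a remediation (for example an SSM Automation document that revokes the offending ingress rule) is attached; the evaluation function alone detects drift, it does not correct it.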

Getting Started

cd terraform/environments/prod
terraform init && terraform plan

NIST SP 800-207 Alignment

All seven tenets of Zero Trust are addressed. See docs/architecture/nist-alignment.md.

License

MIT License

About

Zero Trust AWS architecture: identity-aware proxy, microsegmentation, continuous verification, BeyondCorp patterns on AWS