AWS Zero Trust Architecture — Overview
Zero Trust is a security model based on the principle of “never trust, always verify” — every request is authenticated, authorized, and encrypted regardless of where it originates. On AWS, Zero Trust replaces traditional perimeter-based security (VPN + firewall) with identity-centric, per-request verification. This is a core focus area for SCS-C03 and increasingly appears in SAP-C02 questions.
Zero Trust Pillars on AWS
1. Identity — “Who are you?”
Every access request must prove identity with strong authentication:
| Use Case | Service | How |
|---|---|---|
| Workforce (employees) | IAM Identity Center | SAML/SCIM federation with IdP (Okta, Azure AD) → temporary STS credentials |
| Customers (end users) | Cognito | User pools + identity pools → OAuth/OIDC tokens → scoped IAM credentials |
| Services (machine-to-machine) | IAM Roles | Assume role via OIDC, instance profile, or service-linked role — no long-term keys |
| On-premises workloads | IAM Roles Anywhere | X.509 certificates from Private CA → exchange for temporary AWS credentials |
Key principle: Eliminate long-term credentials. Everything uses short-lived STS tokens.
2. Network — “Minimize exposure”
Zero Trust doesn’t mean “no network controls” — it means network alone isn’t sufficient for trust:
- VPC Lattice — Service-to-service networking with built-in IAM auth. Services authenticate each other via SigV4 — no network path = no access regardless of VPC connectivity.
- PrivateLink — Access AWS services and partner APIs without internet exposure
- Micro-segmentation — Security Groups per workload (not per subnet). Deny all, allow specific ports/sources.
- VPC Endpoints with policies — Restrict which principals can use which endpoints (e.g., only prod accounts can reach prod S3 buckets via this endpoint)
3. Application — “Verify every request”
- AWS Verified Access — Replace VPN for corporate app access. Evaluates identity (from IdP) + device posture (from CrowdStrike/Jamf) + Cedar policies per request. No VPN tunnel needed.
- Amazon Verified Permissions — Fine-grained authorization using Cedar policy language. Externalize access decisions from application code. Real-time, per-request authorization.
- API Gateway + Lambda Authorizers — Custom auth logic per API call (JWT validation, scope checking, IP allowlisting)
4. Data — “Protect the asset”
- Encryption everywhere — KMS for at-rest, ACM for TLS in-transit, client-side encryption for sensitive payloads
- Least-privilege data access — S3 bucket policies, Lake Formation row/column controls, DynamoDB fine-grained access
- Classification — Macie discovers and classifies sensitive data (PII, financial, credentials) in S3
- Tokenization — Replace sensitive values with tokens; store originals in dedicated vault
AWS Verified Access — Deep Dive
Verified Access is AWS’s purpose-built Zero Trust access service for corporate applications:
- How it works: User accesses app URL → Verified Access checks identity (via OIDC/SAML IdP) + device trust (via device management integration) → evaluates Cedar access policy → allows or denies
- No VPN: Users connect directly over the internet — Verified Access acts as an identity-aware reverse proxy
- Per-request evaluation: Every HTTP request is independently evaluated (not just session establishment)
- Targets: ALB, Network Interface, or RDS (for database access without VPN)
- Logging: Access logs show who accessed what, when, from which device, with which trust score
Service-to-Service Zero Trust (VPC Lattice)
VPC Lattice provides Zero Trust for east-west (service-to-service) traffic:
- Authentication: Services authenticate to each other using IAM SigV4 signing — mutual identity verification
- Authorization: Auth policies define which service principals can access which target services
- No network dependency: Even if two services are in the same VPC, they can’t communicate unless the auth policy allows it
- Cross-account: Services in different accounts/VPCs authenticate and communicate without VPC Peering or Transit Gateway
Traditional vs Zero Trust Comparison
| Aspect | Traditional (Perimeter) | Zero Trust |
|---|---|---|
| Trust model | Trust inside the network perimeter | Never trust, always verify |
| Remote access | VPN tunnel to corporate network | Verified Access — direct internet, per-request auth |
| Service communication | Network path = access (if you can route, you can connect) | VPC Lattice — IAM auth required regardless of network path |
| Credentials | Long-term keys, shared passwords | Short-lived STS tokens, certificate-based, no static credentials |
| Authorization | Coarse (network ACLs, role-based) | Fine-grained, per-request (Cedar policies, resource policies) |
| Monitoring | Perimeter logs (firewall, IDS) | Every request logged — identity, device, context, decision |
Implementing Zero Trust — Step by Step
- Eliminate long-term credentials — Rotate/remove access keys, use IAM roles + Identity Center everywhere
- Enable MFA universally — Enforce MFA for console, require MFA for sensitive API calls via IAM conditions
- Implement least-privilege — Use IAM Access Analyzer to identify over-permissive policies, enforce Permission Boundaries
- Encrypt everything — Default KMS encryption on all data stores, enforce TLS with security policies
- Deploy Verified Access — Replace VPN for corporate applications (start with internal tools)
- Adopt VPC Lattice — Replace security-group-only service communication with identity-authenticated service mesh
- Monitor continuously — GuardDuty for threat detection, Security Hub for aggregation, CloudTrail for audit
- Automate response — EventBridge + Lambda for automated remediation (revoke compromised credentials, isolate resources)
Exam Tips by Certification
| Exam | Focus Areas |
|---|---|
| SCS-C03 | Verified Access vs VPN, IAM Roles Anywhere, VPC Lattice auth policies, resource policies for cross-account, GuardDuty/Security Hub integration, incident response automation |
| SAP-C02 | Zero Trust for multi-account architectures, VPC Lattice vs Transit Gateway decision, PrivateLink for third-party SaaS, identity federation patterns at scale |
AWS Certification Exam Practice Questions
Question 1:
A company wants to eliminate VPN for remote employees accessing internal web applications. They need to verify both user identity (via Okta) and device security posture (via CrowdStrike) before granting access to each application independently. Which AWS service provides this?
- AWS Client VPN with Okta SAML authentication
- ALB with Cognito integration and Lambda authorizer
- AWS Verified Access with OIDC trust provider and device trust provider
- CloudFront with signed URLs and Okta token verification
Show Answer
Answer: C – Verified Access is purpose-built for this: it evaluates identity (Okta via OIDC trust provider) AND device posture (CrowdStrike via device trust provider) on every request. Cedar policies define per-application access rules. No VPN required — users access apps directly. Client VPN still creates a network tunnel (not Zero Trust).
Question 2:
Two microservices in different VPCs need to communicate. The security team requires that both services mutually authenticate each other’s identity and that network connectivity alone is NOT sufficient for access. Which approach implements Zero Trust for this?
- VPC Peering with restrictive Security Groups
- Transit Gateway with route table segmentation
- VPC Lattice with IAM auth policies requiring SigV4 authentication
- PrivateLink with VPC endpoint policies
Show Answer
Answer: C – VPC Lattice provides identity-based service-to-service authentication using IAM SigV4. Both services prove their identity cryptographically on every request. Even with network connectivity, access is denied without proper IAM authentication. VPC Peering/TGW provide network paths but rely only on network-level controls (not identity).
Question 3:
An organization’s on-premises servers need to call AWS APIs using temporary credentials without deploying IAM access keys. The servers have X.509 certificates issued by the company’s internal CA. What should they use?
- AWS SSO with SAML federation
- IAM Roles Anywhere with the company’s Private CA as trust anchor
- Cognito Identity Pools with developer-authenticated identities
- STS AssumeRole with an external ID
Show Answer
Answer: B – IAM Roles Anywhere allows on-premises workloads to exchange X.509 certificates (from a trusted CA) for temporary AWS credentials. Register the company’s CA as a trust anchor, create a profile with an IAM role, and servers authenticate using their certificates. No static keys needed — Zero Trust for hybrid environments.
Question 4:
A SaaS company needs fine-grained, per-request authorization for their multi-tenant application. Different tenants have different access levels to resources, and authorization rules change frequently. They want to externalize authorization from application code. Which service is designed for this?
- Cognito Groups with IAM role mapping
- Amazon Verified Permissions with Cedar policies
- API Gateway Lambda Authorizer with custom logic
- IAM resource policies on each backend resource
Show Answer
Answer: B – Verified Permissions provides externalized, fine-grained authorization using Cedar policy language. Policies are managed centrally and evaluated per-request at millisecond latency. It supports multi-tenant isolation, attribute-based access control (ABAC), and policy versioning — without embedding auth logic in application code.
Question 5:
After implementing Zero Trust, a company’s security team needs visibility into which IAM roles and policies grant access to external accounts or public resources. Which service continuously monitors for this?
- AWS Config with custom rules
- IAM Access Analyzer
- Amazon GuardDuty
- AWS Trusted Advisor
Show Answer
Answer: B – IAM Access Analyzer continuously analyzes resource policies, IAM policies, SCPs, and KMS grants to identify resources shared with external principals (other accounts, public access). It generates findings for any trust path that extends outside your zone of trust. This is essential for Zero Trust — detecting unintended external access.
Frequently Asked Questions
Does Zero Trust mean I don’t need VPCs or Security Groups?
No. Zero Trust adds identity-based controls on top of network controls — it doesn’t replace them. VPCs and Security Groups still provide defense-in-depth. The difference is that network access alone is no longer sufficient — identity verification is also required.
What replaces VPN in Zero Trust?
AWS Verified Access replaces VPN for workforce application access. It authenticates users via identity providers and verifies device posture on every request, without requiring a network tunnel. Users access applications directly over HTTPS.
How does VPC Lattice differ from a service mesh like App Mesh?
VPC Lattice is a managed service networking layer with built-in IAM authentication — no sidecar proxies needed. App Mesh requires Envoy sidecars in every container and doesn’t natively integrate IAM auth. VPC Lattice is simpler, works cross-account/cross-VPC, and provides Zero Trust authentication out of the box.