Securing private applications with CrowdStrike Zero Trust Assessment and AWS Verified Access
Introduction
AWS Verified Access (AVA), a feature of Amazon Virtual Private Cloud (VPC) networking, delivers secure, zero-trust access to private applications without a VPN by continuously evaluating each request in real time based on contextual security signals like identity, device security status and location. The service grants access based on the security policy configured for each application and then connects the users, thereby improving the security posture of the organization. CrowdStrike customers can leverage Falcon sensor’s deep inspection and CrowdStrike Threat Graph® analytics to provide highly accurate security posture scores for the service’s access decisions.
Video
Lab Environment
AWS Verified Access provides secure access to private applications (non-internet routable) hosted in an Amazon VPC by acting as a reverse proxy, leveraging additional identity and device posture checks before routing the traffic to the application. Using CrowdStrike Falcon Insight XDR (XDR) and Zero Trust Assessment (CrowdStrike ZTA), we provide customers the ability to holistically assess their endpoint security posture, allowing AWS Verified Access to provide conditional access to resources that comply with your organization’s device posture policies.
AWS Verified Access relies on these primary components:
- An AWS Verified Access instance with associated AWS Verified Access groups, policies, endpoint, and trust providers.
- A Native Message Host deployed to each client endpoint which is responsible for reading the CrowdStrike ZTA score and securely communicating the payload to the browser extension.
- A Browser Extension enabled on each client endpoints for device posture evaluation and communicating back to the AWS service.
In this demo, we have a sensitive application deployed in a private VPC. An AWS Verified Access Policy ensures that only the client endpoints with a CrowdStrike agent installed and a ZTA score above the configured threshold can access the application.
The CrowdStrike ZTA score is calculated by the locally-installed CrowdStrike Falcon Sensor based on the security posture of the device and written to the local filesystem on a periodic basis and in response to configuration changes. The AWS Native message host gets the CrowdStrike ZTA score from the local file, and then provides the ZTA score to the AWS Verified Access browser extension for evaluation against the AWS Verified Access policy for CrowdStrike.
Visit CrowdStrike AWS Verified Access GitHub for step by step instructions.
Install the CrowdStrike Falcon Sensor
Install the CrowdStrike Falcon Sensor on a Windows endpoint. This endpoint will also get the Native Messaging installer and browser extension installed.
Install the Native Message Host
Install the Native Message Host on your client endpoint. This will allow the AWS Verified Access browser extension to get the client endpoint’s CrowdStrike ZTA score.
Windows
- Download the MSI via the following link
- Install the MSI on your Windows client endpoint
Install the browser extension
In this step, you’ll install the AWS Verified Access browser extension on your client endpoint. In this example, we’ll be using the Chrome browser. However, AWS Verified Access supports Firefox, too and the instructions are nearly identical.
- Navigate to the Chrome Extension Store
- Search for
AWS Verified Access
and install the extension
CrowdStrike Zero Trust Assessment
Zero Trust Assessment (ZTA) monitors OS and Falcon Sensor settings of hosts within your organization. This granular assessment of eligible hosts is used to produce a score that uniquely represents the security posture of each host. You can use the Falcon Zero Trust Assessment dashboard to view a holistic overview as well as a detailed assessment of monitored hosts, to investigate and remediate insecure settings, and to improve the security posture of hosts.
Security score
Zero Trust Assessment calculates a security score from 1 to 100 for each host. A higher score indicates a better security posture for the host. A security score is specific to the unique configurations of your environment. Zero Trust Assessment does not define what constitutes a good score. Instead, the ZTA dashboard provides visibility into possible risks and insight into settings that can increase the security posture of hosts.
Security scores are derived from two distinct assessment sources:
-
OS settings (Windows and macOS only): Settings that track built-in OS security options, firmware availability, and Common Vulnerabilities and Exposures (CVE) mitigations.
-
Falcon sensor settings: Falcon sensor configurations that track Reduced Functionality Mode (RFM) status as well as prevention and Real Time Response policies.
When a change is detected in either the OS or sensor settings, security scores are updated.
A host’s security score is also dependent on the ZTA version used to assess the host. This version appears in the ZTA dashboard next to each host’s score. ZTA versions are updated by CrowdStrike to account for changes in how security scores are calculated. For example, if a new prevention policy becomes available in Falcon, ZTA calculations are updated to account for the new policy. Hosts are then assessed based on the new ZTA version and whether they meet the new requirement.
For this host, the security score is 26.
Key Components of Verified Access
AWS Verified Access evaluates each application request from your users and allows access based on:
- Trust data sent by your chosen trust provider (from AWS or a third party).
- Access policies that you create in Verified Access.
When a user tries to access an application, Verified Access gets their data from the trust provider and evaluates it against the policies that you set for the application. Verified Access grants access to the requested application only if the user meets your specified security requirements.
In addition, Verified Access logs every access attempt, to help you respond quickly to security incidents and audit requests.
Trust Provider
We have configured 2 trust providers, CrowdStrike and Okta.
Access Policy
This Access Policy is configured to permit an action on a resource when the Overall CrowdStrike Assessment Score (ZTA) is more than 80.
Test connectivity to your application
Verify if your private application is properly protected by AWS Verified Access. Navigate to your Application Domain.
Since the client machine has a ZTA score of 26, it doesn’t meet the criteria set by the Access Policy. Hence, the client won’t be able to access the application. You see 403 Unauthorized
CrowdStrike Prevention Policies
CrowdStrike Falcon uses overlapping methods to detect both known and unknown threats. This helps ensure detection and prevention of attacks at multiple stages, and is also why enabling all of our recommended prevention policies is critical.
Standard playbook tactics for malicious actors leverage privilege escalation and credential theft. These tactics enable lateral movement and exploitation or compromise of systems in your environment. Therefore, it’s vital that you have a view of activity across all potential attack phases. Enabling only 8 out of 10 policy toggles doesn’t mean you are 80% protected. If the one setting needed to detect a particular malicious attack in your environment is also the one that’s disabled, you’re still potentially 100% vulnerable.
You can test all policy changes in pre-production first, and then deploy the changes to production in stages. You can triage detections and adjust settings as needed to see fewer false positives, using IOC management and machine learning and IOA exclusions.
When new prevention policy options are made generally available, we recommend that you incorporate them into their production environments using your standard change control methodology.
Enabling ‘Strong‘ Prevention Policies will increase the security & ZTA score of the endpoint.
After Enabling stronger Prevention policies, the CrowdStrike Assessment score increases to 85.
The client machine now meets the criteria set by the Access policy (ZTA>80), so it will be granted access the private application.
The CrowdStrike AWS Verified Access integration is an open-source project and not a CrowdStrike product. As such, it carries no formal support, expressed, or implied. If you encounter any issues while deploying the integration, you can create an issue on our GitHub repository for bugs, enhancements, or other requests.
AWS Verified Access is an AWS product. As such, any questions or problems you experience with this service should be handled through a support ticket with AWS Support.