Throughout our Zero Trust journey, we've seen that traditional remote-access methods, like VPNs, often bring unnecessary risk and complexity. Instead, let's explore a modern approach: secure access without VPNs using AWS Verified Access and Teleport.
By combining identity-based authentication with strong, per-request access controls, we remove the VPN's broad network path while improving security, performance, and user experience. This strategy follows AWS cloud security best practices.
Let's dive in and build it.
The Problem:
- Overly broad access: a VPN typically grants wide network reachability, so one compromised laptop or credential can be used for lateral movement across the environment.
- Static credentials and complexity: VPN credentials are cumbersome to manage and prone to leaking, and rotating or revoking them is slow.
The Solution:
AWS Verified Access evaluates every request against the user's identity (from IAM Identity Center) and a policy before the request ever reaches the application, so there is no network tunnel to abuse. Teleport sits behind it as the access gateway and issues short-lived certificates for SSH and other protocols, so no long-lived credentials are handed to users.
Stack Overview
We'll use the following AWS services and tools:
- AWS Verified Access - Enforces identity-aware, VPN-less access in front of Teleport.
- AWS IAM Identity Center (SSO) - Provides user authentication as the Verified Access trust provider.
- Teleport - Acts as a unified access gateway for secure authentication and authorization across SSH, Kubernetes, databases, web applications, and cloud environments.
- Amazon EC2 - Hosts the Teleport Proxy & Auth server.
- Amazon Route 53 - Provides the DNS record for Teleport, pointing at the Verified Access endpoint.
- Amazon S3 - Stores audit logs and session recordings.
- Terraform - Automates infrastructure provisioning.
Requirements
Before proceeding, ensure you have:
- An AWS account with permissions to create Verified Access instances, groups and endpoints, EC2 instances and Route 53 records, with IAM Identity Center enabled in the region.
- Terraform installed (>= 1.3.0 recommended).
- Teleport's tsh client installed on your workstation (tctl ships with the server package installed in Step 2).
- AWS CLI configured with IAM credentials.
- A public hosted zone in Route 53 (or equivalent DNS) for teleport.example.com, and an ACM certificate for that name in the same region.
Implementation Steps
Step 1: Deploy AWS Verified Access
Create a Verified Access instance using Terraform.
resource "aws_verified_access_instance" "vpnless_access" {
  description = "Zero Trust VPN-Less Secure Access"
}
Register IAM Identity Center as the trust provider, attach it to the instance, and create the Verified Access group whose Cedar policy decides who may reach Teleport. The Terraform AWS provider has no "application" resource: an application is a group, which carries the policy, plus an endpoint, which fronts the actual host and is created once the Teleport instance exists.
resource "aws_verified_access_trust_provider" "sso_provider" {
  description              = "SSO Provider for Verified Access"
  trust_provider_type      = "user"
  user_trust_provider_type = "iam-identity-center"
  # Name under which this provider's claims appear in Cedar policies (context.identity_center.*)
  policy_reference_name    = "identity_center"
}
resource "aws_verified_access_instance_trust_provider_attachment" "sso" {
  verifiedaccess_instance_id       = aws_verified_access_instance.vpnless_access.id
  verifiedaccess_trust_provider_id = aws_verified_access_trust_provider.sso_provider.id
}
resource "aws_verified_access_group" "teleport_access" {
  verifiedaccess_instance_id = aws_verified_access_instance.vpnless_access.id
  description                = "Teleport Secure Access"
  # Deny by default; start by admitting only Identity Center users from your own domain.
  policy_document = <<-EOT
    permit(principal, action, resource)
    when { context.identity_center.user.email.address like "*@example.com" };
  EOT
}
Step 2: Deploy Teleport on AWS EC2
Create an EC2 instance to host the Teleport Proxy & Auth server, then create the Verified Access endpoint that fronts it. The instance's only inbound path should be from that endpoint.
resource "aws_instance" "teleport_server" {
  ami           = "ami-12345678" # Replace with your region's Ubuntu AMI
  instance_type = "t3.medium"
  key_name      = "your-key"
  # security_groups takes names and only works outside a VPC; use IDs. teleport_sg
  # (defined elsewhere) should allow 443 only from the Verified Access endpoint.
  vpc_security_group_ids = [aws_security_group.teleport_sg.id]
  user_data = <<-EOF
    #!/bin/bash
    set -ex
    # Install Teleport; the installer takes the release version as its argument
    TELEPORT_VERSION="17.0.0" # replace with the release you want
    curl -fsSL https://goteleport.com/static/install.sh | bash -s "$TELEPORT_VERSION"
    # Create Teleport configuration file (inner heredoc ends with EOT, not EOF)
    cat <<EOT > /etc/teleport.yaml
    teleport:
      nodename: "teleport-server"
      data_dir: "/var/lib/teleport"
      log:
        output: "stderr"
        severity: "INFO"
      storage:
        type: "dir"
        # Session recordings to S3 (bucket is a placeholder; the instance role needs write access)
        audit_sessions_uri: "s3://your-teleport-audit-bucket/records"
    auth_service:
      enabled: true
      cluster_name: "teleport.example.com"
      authentication:
        # "sso" is not a valid type (local, oidc, saml, github are); users are local, SSO is enforced by Verified Access
        type: "local"
        second_factor: "on"
    ssh_service:
      enabled: true
    proxy_service:
      enabled: true
      web_listen_addr: "0.0.0.0:443"
      public_addr: "teleport.example.com:443"
      # ACME cannot complete here: its TLS-ALPN challenge needs teleport.example.com to
      # resolve to this host, but DNS will point at the Verified Access endpoint. Provide
      # the proxy certificate yourself (paths are placeholders); the public cert lives in ACM.
      acme:
        enabled: false
      https_keypairs:
        - key_file: "/etc/teleport/teleport.key"
          cert_file: "/etc/teleport/teleport.crt"
    EOT
    systemctl enable --now teleport
  EOF
}
data "aws_acm_certificate" "teleport" {
  domain   = "teleport.example.com" # issued or imported beforehand, in the same region
  statuses = ["ISSUED"]
}
resource "aws_verified_access_endpoint" "teleport_access" {
  description              = "Teleport Secure Access"
  verified_access_group_id = aws_verified_access_group.teleport_access.id
  application_domain       = "teleport.example.com"
  domain_certificate_arn   = data.aws_acm_certificate.teleport.arn
  endpoint_domain_prefix   = "teleport"
  attachment_type          = "vpc"
  endpoint_type            = "network-interface"
  network_interface_options {
    network_interface_id = aws_instance.teleport_server.primary_network_interface_id
    port                 = 443
    protocol             = "https"
  }
  security_group_ids = [aws_security_group.teleport_sg.id] # the endpoint's own group; reusing teleport_sg here
}
Step 3: Configure Route 53 DNS Record
Public DNS must point at the Verified Access endpoint, so the record is a CNAME to the endpoint's domain rather than an A record to the instance. An A record pointing at the instance's public IP would let users bypass Verified Access entirely, and the proxy would happily serve them.
resource "aws_route53_record" "teleport_dns" {
  zone_id = "Z123456ABCDEFG" # Your Route 53 Hosted Zone ID
  name    = "teleport.example.com"
  type    = "CNAME"
  ttl     = 300
  records = [aws_verified_access_endpoint.teleport_access.endpoint_domain]
}
Step 4: Enforce AWS Verified Access for Teleport
Verified Access policies are written in Cedar, not IAM policy JSON, and are evaluated on every request against the trust data of the attached provider. Tighten the group's policy_document so that only members of a designated IAM Identity Center group (an engineering or on-call group, say) reach Teleport; anything the policy does not permit is denied:
permit(principal, action, resource)
when {
  // Group ID copied from IAM Identity Center (placeholder shown)
  context.identity_center.groups_ids.contains("replace-with-identity-center-group-id") &&
  context.identity_center.user.email.address like "*@example.com"
};
The identity_center prefix is the trust provider's policy_reference_name, and the attribute names underneath it come from the provider's trust data, so confirm them against the Verified Access policy reference for your provider type. Apply the change with terraform apply (or paste the policy into the group in the Verified Access console) and watch the instance's access logs for allow and deny decisions.
Step 5: Test VPN-Less Access
Once Verified Access is enabled:
- Browse to https://teleport.example.com. Verified Access redirects to IAM Identity Center; after sign-in, only users matching the Cedar policy reach the Teleport Web UI, and everyone else is refused by Verified Access before Teleport sees the request.
- Confirm the bypass is closed: the Teleport instance must not answer on port 443 from anywhere except the Verified Access endpoint's security group, and teleport.example.com must resolve to the endpoint, not to the instance.
- Create a Teleport user and enrol a second factor. On the server, run tctl users add alice --roles=access --logins=ubuntu, open the invite link in the browser, and scan the OTP QR code.
- Connect to an instance. In the Web UI, pick the node under Servers and start a session; this is the path Verified Access protects. The tsh CLI speaks Teleport's own TLS-routed protocol, which the HTTP-based Verified Access endpoint does not pass through, so CLI access needs a separate, security-group-restricted path to the proxy (not covered here). Against such a path the commands are:
tsh login --proxy=<proxy address reachable by tsh> --user=alice
tsh ssh ubuntu@teleport-server
Conclusion
By implementing AWS Verified Access with Teleport, we have:
- Removed the VPN, and with it the broad network path and the static credentials that came with it.
- Enforced identity-aware authentication (IAM Identity Center) on every request before it reaches Teleport.
- Put SSH, Kubernetes, databases, and web applications behind a single gateway instead of exposing them publicly.
- Captured audit logs for all access requests: Verified Access access logs, plus Teleport audit events and session recordings in S3.
- Required two-factor authentication (2FA) for Teleport users.
Secure Your Cloud with Expert Cloud Solutions
Enhance your cloud security with AWS Verified Access and Teleport. As a leading cloud security consultant, Teqnisys specializes in AWS cloud consultancy, cloud solutions, and information security to protect your infrastructure.