AWS Public Sector Blog
AWS Verified Access in a TIC 3.0 architecture
The Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections (TIC) 3.0 initiative aims to enhance cybersecurity across federal agencies. TIC 3.0 gives agencies flexibility in implementing requirements defined in Office of Management and Budget (OMB) Memorandum (M) 19-26 so they can adapt to the evolving IT landscape that includes cloud services, mobile devices, and remote work.
TIC 3.0 marks a shift from the perimeter-focused model of TIC 2.0 to a more dynamic, flexible approach. While TIC 2.0 required all Internet traffic to pass through limited government-controlled access points, TIC 3.0 allows for distributed security controls. This new approach aligns with modern IT environments, improving efficiency and reducing costs.
Federal agencies can use Amazon Web Services (AWS) to meet TIC 3.0 requirements. To facilitate this, AWS has published detailed architectural overlays that demonstrate how to effectively implement TIC 3.0 guidelines within AWS deployments. Architecture flexibility is achieved by allowing security to be applied at multiple points across environments—in the cloud, on premises, and in remote locations. Agencies can tailor security to their specific needs, optimizing data traffic flows and improving application visibility and user experience. The AWS pay-as-you-go model helps agencies manage costs effectively while maintaining high security levels. TIC 3.0 aligns closely with zero trust architecture, requiring continuous verification of user and device identity regardless of location.
About AVA
AWS Verified Access (AVA) is a cloud-based service that enables secure access to applications without requiring the use of a virtual private network (VPN). It evaluates each application request and gives users access to each application only when they meet the specified security requirements.
AVA supports TIC 3.0 requirements in the areas of configuration management, centralized log management, strong authentication features, resilience, and policy enforcement.
AVA provides capabilities required in a TIC 3.0 architecture
AVA provides a robust set of capabilities to help federal agencies align with key TIC 3.0 requirements. By using AVA, agencies can streamline their TIC 3.0 compliance efforts and focus on mission delivery. The next section explores specific TIC 3.0 universal security capabilities and how AVA provides capabilities to meet those requirements.
Central Log Management and Analysis
AVA provides robust capabilities to support Central Log Management with Analysis (CISA Capability Identifier 3.UNI.CLMAN):
- Centralized logging – AVA records every access request it evaluates, including the allow or deny outcome, the identity and device trust context the decision was based on (when trust-context logging is enabled), and the HTTP request details. Logs are delivered to Amazon CloudWatch Logs, Amazon Simple Storage Service (Amazon S3), or Amazon Data Firehose, giving agencies a single place to monitor and audit access.
- Comprehensive visibility – The comprehensive log data captured by AVA gives agencies full visibility into who is accessing what resources, when, and from where. This supports strong security monitoring and helps satisfy TIC 3.0 requirements around log management and data collection.
- Long-term retention – AVA logs delivered to Amazon S3 can be transitioned by lifecycle policy into the Amazon S3 Glacier storage classes, enabling low-cost, long-term retention to meet audit and compliance needs. Logs can be securely stored and retrieved as required.
- Automated processing – AVA logs can be automatically processed, analyzed, and correlated using services such as Amazon CloudWatch and Amazon Athena. This supports advanced security analytics to quickly identify and investigate potential issues.
By providing centralized, long-term log management with robust processing capabilities, AVA helps federal agencies streamline their TIC 3.0 log management compliance efforts. The comprehensive visibility it provides is a key enabler for satisfying TIC 3.0 security monitoring and auditing requirements.
Strong Authentication
AVA provides robust authentication capabilities to help federal agencies meet Strong Authentication requirements (CISA Capability Identifier 3.UNI.SAUTH):
- Single sign-on – AVA integrates with AWS IAM Identity Center and with third-party identity providers that support OpenID Connect (OIDC) for federated access; SAML 2.0 identity providers are supported through IAM Identity Center. AVA does not perform authentication itself, so AWS recommends enabling multi-factor authentication (MFA) at the identity provider, whether that is IAM Identity Center or the OIDC provider. This consolidated approach streamlines identity management and strengthens access control.
- Risk-based authentication – AVA evaluates every request against its access policy using identity context from the identity provider and, when the Verified Access browser extension is installed on the device, device posture from a device trust provider. A policy can require group membership and a minimum device health score before granting access, and requests that do not meet it are denied; stronger authentication such as step-up MFA is applied by the identity provider rather than by AVA. As of this writing, AVA supports three device trust providers: Jamf (macOS devices), CrowdStrike (Windows 10 and Windows 11 devices), and JumpCloud (Windows and macOS).
- Seamless user experience – Despite strong authentication, AVA provides a frictionless user experience. Users can access applications and resources with a single set of credentials, reducing login burdens and improving productivity.
By combining robust MFA options, federated single sign-on, and risk-based adaptive authentication, AVA helps agencies implement the strong authentication controls mandated by TIC 3.0. This enhances security while maintaining user productivity.
Resilience
AVA provides several features that help federal agencies meet the requirements outlined in Resilience (CISA Capability Identifier 3.UNI.RESIL):
- Highly available architecture – AVA is a Regional service built on fault-tolerant infrastructure, so authentication and authorization continue through individual component or Availability Zone failures. Overall availability also depends on how the agency deploys its Verified Access endpoints and the application targets behind them in its Virtual Private Cloud (VPC). For optimal resilience, place endpoint subnets and application targets in multiple Availability Zones.
- Automatic scalability – AVA can automatically scale up or down based on access demand, offering consistent performance and availability. This protects against service disruptions due to unexpected spikes in user activity.
- Disaster recovery – Within a Region, AVA runs across multiple Availability Zones and continues serving requests if one becomes unavailable. Because AVA is a Regional service, continuity through a full Regional outage is the agency's responsibility: deploy Verified Access instances and endpoints in a second Region and fail over at the DNS layer (for example, with Amazon Route 53 health checks).
By delivering a highly available, self-healing infrastructure, automatic scalability, and multi-Availability Zone redundancy, AVA provides agencies a way to maintain secure access to critical resources, even during disruptive events.
Policy Enforcement Parity
AVA also helps federal agencies achieve requirements outlined in Policy Enforcement Parity (CISA Capability Identifier 3.UNI.PEPAR):
- Unified policy management – AVA provides a centralized control plane for managing access policies, enabling consistent enforcement across on-premises applications and cloud-hosted services. Policies can be defined and distributed from a single point of control.
- Seamless integration – AVA sits in front of an application as a Verified Access endpoint that targets a load balancer or network interface in the VPC, so the application itself does not need to implement authentication; identity arrives from the identity provider over OIDC or, through IAM Identity Center, SAML 2.0. This gives a unified authentication and authorization experience regardless of the underlying application infrastructure, including on-premises applications fronted by a load balancer in the VPC.
- Automated policy propagation – A group-level policy applies to every endpoint in the Verified Access group, so a change to the group policy takes effect for all of those applications at once without manual intervention, while endpoint-level policies remain available for application-specific additions. This helps maintain TIC 3.0 compliance as policies evolve over time.
By enabling centralized policy management, seamless integration, and automated policy propagation, AVA helps federal agencies achieve the policy enforcement parity required by TIC 3.0. This streamlines compliance efforts and helps maintain a consistent security posture.
The specifics of how these controls are implemented may vary based on the configuration and usage of AVA within an organization. It’s important to review TIC 3.0 guidance and work with AWS and other relevant stakeholders to achieve proper implementation and compliance.
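The following Cedar policy is an added example, not code from the original post or from AWS; it shows what the identity-plus-device check described under Strong Authentication and the single point of control described under Policy Enforcement Parity look like when attached to a Verified Access group. It assumes an OIDC identity trust provider attached with the policy reference name `oidc` whose groups claim includes the string `finance-admins`, and a CrowdStrike device trust provider attached with the policy reference name `crwd`; the score thresholds of 60 and 80 are illustrative choices, not AWS recommendations.

```cedar
// Added example policy for a Verified Access group (not from the original post).
// Assumed trust providers: identity provider attached as "oidc", CrowdStrike
// attached as "crwd". The group name and score thresholds are illustrative.

// Read-style requests: require group membership and a CrowdStrike Zero Trust
// Assessment score of at least 60. The `context has crwd` test comes first
// because referencing a missing attribute is an evaluation error, which
// Verified Access treats as a denial with no useful reason in the log.
permit(principal, action, resource)
when {
    context.oidc.groups.contains("finance-admins") &&
    context has crwd &&
    context.crwd.assessment.overall >= 60 &&
    ["GET", "HEAD", "OPTIONS"].contains(context.http_request.http_method)
};

// Write-style requests: same group, but a stricter device score of 80.
permit(principal, action, resource)
when {
    context.oidc.groups.contains("finance-admins") &&
    context has crwd &&
    context.crwd.assessment.overall >= 80 &&
    ["POST", "PUT", "PATCH", "DELETE"].contains(context.http_request.http_method)
};

// Requests that arrive with no device context at all (for example, a browser
// without the Verified Access extension) are denied outright. Cedar already
// denies when no permit matches, but an explicit forbid takes precedence over
// any permit statement added to this group later, so the device requirement
// cannot be loosened by accident.
forbid(principal, action, resource)
unless {
    context has crwd
};
```

The policy is applied to a Verified Access group with `aws ec2 modify-verified-access-group-policy --verified-access-group-id <group-id> --policy-document file://policy.cedar --policy-enabled`, after which every endpoint in the group enforces it. Because the same policy document governs all endpoints in the group, a threshold change is made once and reaches every application at the same time, which is the parity the PEPAR capability asks for.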
The following figure illustrates how AVA provides a secure way for users running macOS or Windows devices to access applications over the internet without using a VPN.
Conclusion
AVA enhances security in a TIC 3.0 environment by enforcing zero trust principles and improves the user experience by providing secure, low-latency access to applications running on AWS. AVA can scale alongside an agency’s cloud environment to provide more consistent and secure access control as the workloads grow and evolve. It offers centralized management and integration with AWS security tools, making it a powerful solution for securing federal cloud environments.
Learn more and get hands-on experience with AVA through this AWS Verified Access Workshop.
Engage with your local AWS account team to learn how you can integrate with AWS and how this approach can help improve customer experience in your environment.
Read related blog posts on AWS:
- How US federal agencies can apply TIC 3.0 to AWS workloads
- Fever: Building a VPN-less secure network for corporate access
- Using AWS Verified Access and SD-WAN to streamline and secure remote application access for federal employees
- AWS Verified Access Integration with AWS IAM Identity Center and SAML 2.0 Identity Providers
- AWS TIC 3.0 Overlay Architectures