npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- When replacing traditional VPN-based remote access with identity-based access controls
- When implementing micro-segmentation to limit lateral movement within cloud networks
- When compliance or security strategy requires zero trust architecture adoption
- When providing secure access to cloud workloads without exposing them to the public internet
- When building context-aware access policies based on user identity, device health, and location
Do not use as a complete replacement for network security controls (ZTNA complements but does not replace firewalls and network ACLs), for protecting internet-facing public applications (use WAF), or for IoT device access where identity-based authentication is not feasible.
Prerequisites
- Identity provider (Entra ID, Okta, Google Workspace) with MFA enforcement
- Cloud-native networking capabilities (AWS PrivateLink, Azure Private Link, GCP IAP)
- Device management solution (Intune, Jamf, CrowdStrike) for device posture assessment
- Service mesh or zero trust proxy (Cloudflare Access, Zscaler ZPA, or cloud-native IAP)
- Centralized logging for access decisions and policy enforcement
Workflow
Step 1: Deploy GCP Identity-Aware Proxy (IAP) for Application Access
Configure IAP to provide authenticated access to web applications without VPN.
# Enable IAP API
gcloud services enable iap.googleapis.com
# Configure OAuth consent screen
gcloud iap oauth-brands create \
--application_title="Corporate Apps" \
--support_email=security@company.com
# Enable IAP on an App Engine application
gcloud iap web enable \
--resource-type=app-engine \
--oauth2-client-id=CLIENT_ID \
--oauth2-client-secret=CLIENT_SECRET
# Enable IAP on a backend service (GCE/GKE)
gcloud compute backend-services update BACKEND_SERVICE \
--iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
--global
# Set IAP access policy (who can access)
gcloud iap web add-iam-policy-binding \
--resource-type=app-engine \
--member="group:engineering@company.com" \
--role="roles/iap.httpsResourceAccessor"
# Configure access levels based on device and context
gcloud access-context-manager levels create corporate-device \
--title="Corporate Managed Device" \
--basic-level-spec=level-spec.yaml \
--policy=POLICY_IDStep 2: Implement AWS Verified Access for Zero Trust
Deploy AWS Verified Access to provide identity-based access to internal applications.
# Create a Verified Access trust provider (OIDC)
aws ec2 create-verified-access-trust-provider \
--trust-provider-type user \
--user-trust-provider-type oidc \
--oidc-options '{
"Issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0",
"AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
"TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
"UserInfoEndpoint": "https://graph.microsoft.com/oidc/userinfo",
"ClientId": "CLIENT_ID",
"ClientSecret": "CLIENT_SECRET",
"Scope": "openid profile email"
}'
# Create a Verified Access instance
aws ec2 create-verified-access-instance \
--description "Zero Trust Access Instance"
# Attach trust provider to instance
aws ec2 attach-verified-access-trust-provider \
--verified-access-instance-id vai-INSTANCE_ID \
--verified-access-trust-provider-id vatp-PROVIDER_ID
# Create a Verified Access group with policy
aws ec2 create-verified-access-group \
--verified-access-instance-id vai-INSTANCE_ID \
--policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": "*",
"Action": "verified-access:AllowAccess",
"Condition": {
"StringEquals": {
"verified-access:user/groups": "engineering"
}
}
}]
}'
# Create endpoint for an internal application
aws ec2 create-verified-access-endpoint \
--verified-access-group-id vag-GROUP_ID \
--endpoint-type load-balancer \
--attachment-type vpc \
--domain-certificate-arn arn:aws:acm:REGION:ACCOUNT:certificate/CERT_ID \
--application-domain app.internal.company.com \
--endpoint-domain-prefix app \
--load-balancer-options '{
"LoadBalancerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/internal-app/xxx",
"Port": 443,
"Protocol": "https",
"SubnetIds": ["subnet-xxx"]
}'Step 3: Configure Azure Private Link and Conditional Access
Set up Azure Private Link for network isolation and conditional access for identity-based controls.
# Create Private Endpoint for an Azure service
az network private-endpoint create \
--name app-private-endpoint \
--resource-group production-rg \
--vnet-name production-vnet \
--subnet private-endpoint-subnet \
--private-connection-resource-id /subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Web/sites/internal-app \
--group-ids sites \
--connection-name app-connection
# Configure private DNS zone for the service
az network private-dns zone create \
--resource-group production-rg \
--name privatelink.azurewebsites.net
az network private-dns link vnet create \
--resource-group production-rg \
--zone-name privatelink.azurewebsites.net \
--name production-link \
--virtual-network production-vnet \
--registration-enabled false# Create Conditional Access policy requiring compliant device + MFA
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$params = @{
DisplayName = "Zero Trust - Require MFA and Compliant Device"
State = "enabled"
Conditions = @{
Applications = @{
IncludeApplications = @("All")
}
Users = @{
IncludeUsers = @("All")
ExcludeGroups = @("BreakGlass-Group-ID")
}
Locations = @{
IncludeLocations = @("All")
ExcludeLocations = @("AllTrusted")
}
}
GrantControls = @{
Operator = "AND"
BuiltInControls = @("mfa", "compliantDevice")
}
SessionControls = @{
SignInFrequency = @{
Value = 4
Type = "hours"
IsEnabled = $true
}
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $paramsStep 4: Implement Micro-Segmentation with Network Policies
Deploy network-level micro-segmentation to complement identity-based access controls.
# AWS: Create security groups for micro-segmentation
aws ec2 create-security-group \
--group-name web-tier-sg \
--description "Web tier - only HTTPS from ALB" \
--vpc-id vpc-PROD
aws ec2 authorize-security-group-ingress \
--group-id sg-WEB \
--protocol tcp --port 443 \
--source-group sg-ALB
aws ec2 create-security-group \
--group-name app-tier-sg \
--description "App tier - only from web tier"
aws ec2 authorize-security-group-ingress \
--group-id sg-APP \
--protocol tcp --port 8080 \
--source-group sg-WEB
# Kubernetes NetworkPolicy for pod-level segmentation
cat << 'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-allow-web-only
namespace: production
spec:
podSelector:
matchLabels:
app: api-server
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: web-frontend
ports:
- protocol: TCP
port: 8080
EOFStep 5: Enable Continuous Verification and Logging
Implement continuous trust verification rather than one-time authentication.
# Configure CloudWatch to monitor access decisions
aws logs create-log-group --log-group-name /verified-access/access-logs
# Enable Verified Access logging
aws ec2 modify-verified-access-instance-logging-configuration \
--verified-access-instance-id vai-INSTANCE_ID \
--access-logs '{
"CloudWatchLogs": {
"Enabled": true,
"LogGroup": "/verified-access/access-logs"
}
}'
# Query access logs for denied requests
aws logs start-query \
--log-group-name /verified-access/access-logs \
--start-time $(date -d "24 hours ago" +%s) \
--end-time $(date +%s) \
--query-string '
fields @timestamp, identity.user, http_request.url, decision
| filter decision = "deny"
| sort @timestamp desc
| limit 50
'Key Concepts
| Term | Definition |
|---|---|
| Zero Trust | Security model that requires strict identity verification for every person and device accessing resources, regardless of network location |
| ZTNA | Zero Trust Network Access, the technology that implements zero trust principles by providing identity-aware, context-based access to applications |
| Identity-Aware Proxy | Proxy service that verifies user identity and device context before allowing access to backend applications, replacing VPN-based access |
| Micro-Segmentation | Network security technique that creates fine-grained security zones around individual workloads or applications to limit lateral movement |
| BeyondCorp | Google's implementation of zero trust architecture that shifts access controls from the network perimeter to individual users and devices |
| Continuous Verification | Ongoing assessment of user identity, device health, and access context throughout a session rather than only at authentication time |
Tools & Systems
- GCP Identity-Aware Proxy: Google's BeyondCorp implementation providing context-aware access to web applications and VMs
- AWS Verified Access: AWS service for zero trust access to applications based on identity and device posture verification
- Azure Conditional Access: Microsoft's policy engine for enforcing context-based access controls based on user, device, location, and risk
- Cloudflare Access: Cloud-delivered ZTNA solution providing identity-aware access to internal applications
- Zscaler ZPA: Enterprise ZTNA platform replacing VPN with application-level access based on identity and context
Common Scenarios
Scenario: Replacing Corporate VPN with Zero Trust Access for Cloud Applications
Context: An organization with 2,000 employees accesses 30+ internal cloud applications through a traditional VPN concentrator. VPN performance issues and security concerns drive the decision to implement ZTNA.
Approach:
- Inventory all applications currently accessed through VPN and classify by sensitivity
- Deploy GCP IAP or AWS Verified Access for web-based internal applications
- Configure conditional access policies requiring MFA and device compliance for all applications
- Implement micro-segmentation using security groups to limit lateral movement between application tiers
- Set up continuous verification with re-authentication every 4 hours for sensitive applications
- Migrate users in phases, starting with low-risk applications, monitoring access logs for issues
- Decommission VPN after all applications are accessible through ZTNA with full logging
Pitfalls: Not all applications support identity-aware proxy integration. Legacy thick-client applications may require agent-based ZTNA solutions instead of proxy-based approaches. Device posture assessment requires an endpoint management solution deployed to all corporate devices. Break-glass access procedures must be documented for scenarios where the identity provider is unavailable.
Output Format
Zero Trust Network Access Implementation Report
==================================================
Organization: Acme Corp
Implementation Date: 2026-02-23
Applications Migrated: 24 / 30
ZTNA ARCHITECTURE:
Identity Provider: Microsoft Entra ID
Access Proxy: AWS Verified Access + GCP IAP
Device Management: Microsoft Intune
MFA: FIDO2 + Authenticator App
ACCESS POLICY COVERAGE:
Applications requiring MFA: 30 / 30 (100%)
Applications requiring compliant device: 24 / 30 (80%)
Applications with continuous verification: 18 / 30 (60%)
Applications with location restrictions: 12 / 30 (40%)
SECURITY IMPROVEMENTS:
VPN-related incidents (before): 12/month
ZTNA-related incidents (after): 2/month
Mean time to detect unauthorized access: 4 min (was 2 hours)
Lateral movement paths eliminated: 85%
MIGRATION STATUS:
Phase 1 (low-risk apps): 12/12 complete
Phase 2 (medium-risk apps): 12/12 complete
Phase 3 (high-risk apps): 0/6 in progress
VPN decommission: Scheduled after Phase 3References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.7 KB
API Reference: Implementing Zero Trust Network Access
AWS Verified Access API
| Operation | Description |
|---|---|
ec2.create_verified_access_instance() |
Create a Verified Access instance for ZTNA |
ec2.create_verified_access_trust_provider() |
Register OIDC or device trust provider |
ec2.create_verified_access_group() |
Create access group with Cedar policy |
ec2.create_verified_access_endpoint() |
Expose internal app through Verified Access |
ec2.describe_verified_access_instances() |
List all Verified Access instances |
ec2.modify_verified_access_instance_logging_configuration() |
Enable CloudWatch or S3 logging |
GCP Identity-Aware Proxy API
| Operation | Description |
|---|---|
gcloud iap web enable |
Enable IAP on App Engine or backend service |
gcloud iap web add-iam-policy-binding |
Grant IAP access to users or groups |
gcloud access-context-manager levels create |
Create device/context access levels |
compute.backendServices.get() |
Check IAP status on backend services |
Azure Conditional Access (MS Graph)
| Endpoint | Method | Description |
|---|---|---|
/identity/conditionalAccess/policies |
POST | Create conditional access policy |
/identity/conditionalAccess/policies/{id} |
PATCH | Update policy conditions or grants |
/identity/conditionalAccess/namedLocations |
GET | List trusted network locations |
AWS Security Groups (Micro-Segmentation)
| Operation | Description |
|---|---|
ec2.describe_security_groups() |
Audit ingress/egress rules for open CIDR ranges |
ec2.authorize_security_group_ingress() |
Add least-privilege ingress rule by source SG |
ec2.revoke_security_group_ingress() |
Remove overly permissive rules |
Key Libraries
- boto3: AWS SDK for Python — Verified Access and EC2 security group APIs
- google-cloud-compute: GCP Compute client for backend service IAP checks
- azure-identity + azure-mgmt-network: Azure Private Endpoint management
- msgraph-sdk: Microsoft Graph SDK for Conditional Access policies
Configuration
| Variable | Description |
|---|---|
AWS_PROFILE |
AWS CLI profile with ec2:Describe* and ec2:Create* permissions |
GOOGLE_CLOUD_PROJECT |
GCP project ID for IAP configuration |
AZURE_TENANT_ID |
Azure AD tenant for Conditional Access policies |
References
Scripts 1
agent.py6.6 KB
#!/usr/bin/env python3
"""
Zero Trust Network Access (ZTNA) Assessment Agent
Evaluates ZTNA readiness across AWS, Azure, and GCP by checking IAP configs,
Verified Access endpoints, conditional access policies, and micro-segmentation.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone
def run_cmd(cmd: list[str]) -> dict:
"""Execute a shell command and return structured output."""
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
return {"success": result.returncode == 0, "stdout": result.stdout, "stderr": result.stderr}
except Exception as e:
return {"success": False, "stdout": "", "stderr": str(e)}
def check_aws_verified_access() -> dict:
"""Enumerate AWS Verified Access instances, groups, and endpoints."""
findings = {"instances": [], "groups": [], "endpoints": [], "issues": []}
result = run_cmd(["aws", "ec2", "describe-verified-access-instances", "--output", "json"])
if result["success"]:
data = json.loads(result["stdout"])
for inst in data.get("VerifiedAccessInstances", []):
inst_id = inst["VerifiedAccessInstanceId"]
trust_providers = inst.get("VerifiedAccessTrustProviders", [])
findings["instances"].append({
"id": inst_id,
"trust_providers": len(trust_providers),
"logging_enabled": inst.get("LoggingConfiguration", {}).get("CloudWatchLogs", {}).get("Enabled", False),
})
if not trust_providers:
findings["issues"].append(f"Instance {inst_id} has no trust providers attached")
result = run_cmd(["aws", "ec2", "describe-verified-access-groups", "--output", "json"])
if result["success"]:
data = json.loads(result["stdout"])
for grp in data.get("VerifiedAccessGroups", []):
grp_id = grp["VerifiedAccessGroupId"]
has_policy = bool(grp.get("PolicyDocument"))
findings["groups"].append({"id": grp_id, "has_policy": has_policy})
if not has_policy:
findings["issues"].append(f"Group {grp_id} has no access policy defined")
result = run_cmd(["aws", "ec2", "describe-verified-access-endpoints", "--output", "json"])
if result["success"]:
data = json.loads(result["stdout"])
for ep in data.get("VerifiedAccessEndpoints", []):
findings["endpoints"].append({
"id": ep["VerifiedAccessEndpointId"],
"type": ep.get("EndpointType", "unknown"),
"domain": ep.get("ApplicationDomain", ""),
"status": ep.get("Status", {}).get("Code", "unknown"),
})
return findings
def check_aws_security_groups_segmentation(vpc_id: str) -> dict:
"""Check for overly permissive security groups that undermine micro-segmentation."""
findings = {"total_sgs": 0, "overly_permissive": [], "issues": []}
result = run_cmd([
"aws", "ec2", "describe-security-groups",
"--filters", f"Name=vpc-id,Values={vpc_id}",
"--output", "json"
])
if not result["success"]:
return findings
data = json.loads(result["stdout"])
sgs = data.get("SecurityGroups", [])
findings["total_sgs"] = len(sgs)
for sg in sgs:
sg_id = sg["GroupId"]
sg_name = sg.get("GroupName", "")
for perm in sg.get("IpPermissions", []):
for ip_range in perm.get("IpRanges", []):
if ip_range.get("CidrIp") == "0.0.0.0/0":
port = perm.get("FromPort", "all")
findings["overly_permissive"].append({
"sg_id": sg_id,
"sg_name": sg_name,
"port": port,
"cidr": "0.0.0.0/0",
})
findings["issues"].append(
f"SG {sg_id} ({sg_name}) allows 0.0.0.0/0 on port {port}"
)
return findings
def check_gcp_iap_status(project_id: str) -> dict:
"""Check GCP Identity-Aware Proxy configuration."""
findings = {"iap_enabled_backends": [], "issues": []}
result = run_cmd([
"gcloud", "compute", "backend-services", "list",
"--project", project_id, "--format=json"
])
if result["success"]:
backends = json.loads(result["stdout"])
for backend in backends:
name = backend.get("name", "")
iap = backend.get("iap", {})
iap_enabled = iap.get("enabled", False)
findings["iap_enabled_backends"].append({"name": name, "iap_enabled": iap_enabled})
if not iap_enabled:
findings["issues"].append(f"Backend service '{name}' does not have IAP enabled")
return findings
def generate_ztna_report(aws_va: dict, aws_sg: dict, gcp_iap: dict) -> str:
"""Generate a ZTNA assessment report."""
timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
all_issues = aws_va["issues"] + aws_sg["issues"] + gcp_iap["issues"]
report_lines = [
"Zero Trust Network Access Assessment Report",
"=" * 50,
f"Assessment Date: {timestamp}",
"",
"AWS Verified Access:",
f" Instances: {len(aws_va['instances'])}",
f" Access Groups: {len(aws_va['groups'])}",
f" Endpoints: {len(aws_va['endpoints'])}",
"",
"AWS Micro-Segmentation:",
f" Security Groups Evaluated: {aws_sg['total_sgs']}",
f" Overly Permissive Rules: {len(aws_sg['overly_permissive'])}",
"",
"GCP Identity-Aware Proxy:",
f" Backend Services: {len(gcp_iap['iap_enabled_backends'])}",
f" IAP-Enabled: {sum(1 for b in gcp_iap['iap_enabled_backends'] if b['iap_enabled'])}",
"",
f"Total Issues Found: {len(all_issues)}",
"-" * 40,
]
for i, issue in enumerate(all_issues, 1):
report_lines.append(f" [{i}] {issue}")
return "\n".join(report_lines)
if __name__ == "__main__":
print("[*] Starting Zero Trust Network Access assessment...")
vpc_id = sys.argv[1] if len(sys.argv) > 1 else "vpc-default"
gcp_project = sys.argv[2] if len(sys.argv) > 2 else "my-project"
aws_va = check_aws_verified_access()
aws_sg = check_aws_security_groups_segmentation(vpc_id)
gcp_iap = check_gcp_iap_status(gcp_project)
report = generate_ztna_report(aws_va, aws_sg, gcp_iap)
print(report)
output_file = f"ztna_assessment_{datetime.now(timezone.utc).strftime('%Y%m%d_%H%M%S')}.json"
with open(output_file, "w") as f:
json.dump({"aws_verified_access": aws_va, "aws_segmentation": aws_sg, "gcp_iap": gcp_iap}, f, indent=2)
print(f"\n[*] Detailed results saved to {output_file}")