Auto-sync: 2026-04-29 00:02
This commit is contained in:
38
wiki/concepts/Zero-Trust-Access.md
Normal file
38
wiki/concepts/Zero-Trust-Access.md
Normal file
@@ -0,0 +1,38 @@
|
||||
---
|
||||
title: "Zero-Trust Access"
|
||||
type: concept
|
||||
tags: ["AWS", "Security", "Zero-Trust", "IAM", "SSM"]
|
||||
sources: ["ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones"]
|
||||
last_updated: 2026-05-08
|
||||
---
|
||||
|
||||
## Definition
|
||||
零信任访问(Zero-Trust Access)是一种安全模型,核心理念是"永不信任,始终验证"——无论请求来自网络内部还是外部,均需经过身份验证和授权检查。
|
||||
|
||||
## In AWS Landing Zone Context
|
||||
在 [[ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones]] 中,SSM 替代 VPN 体现了零信任访问原则:
|
||||
- **默认不信任**:用户每次访问都需要通过 IAM 角色认证
|
||||
- **最小权限**:仅授予访问特定 EC2 实例 SSM Agent 的权限
|
||||
- **无需 VPN**:不依赖网络层面的信任,通过 IAM + SSM Agent 实现精细化访问控制
|
||||
- **双因素认证**:结合 AWS IAM 条件和多因素认证(MFA)
|
||||
|
||||
## Relationship to Traditional VPN
|
||||
| 维度 | 传统 VPN | Zero-Trust (SSM) |
|
||||
|------|---------|------------------|
|
||||
| 信任边界 | 网络层(VPN 隧道内即信任) | 身份层(每次验证) |
|
||||
| 访问范围 | 网段级别(全网可通) | 实例级别(精确到单台 EC2) |
|
||||
| 凭证管理 | VPN 共享凭证 | IAM Role 动态凭证 |
|
||||
| 双因素 | 依赖 VPN 提供商 | 依赖 AWS IAM + MFA |
|
||||
|
||||
## Long-term Vision
|
||||
在 [[ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones]] 中描述的演进路径:
|
||||
- 当前:SSM 零信任访问(临时方案)
|
||||
- 最终目标:IaC 化 + Break-glass 应急访问,彻底消除控制台登录
|
||||
|
||||
## Related Concepts
|
||||
- [[Network-Segmentation]] — 零信任网络隔离
|
||||
- [[IAM-Role]] — 零信任身份模型
|
||||
- [[AWS-SSM]] — 零信任访问的具体实施工具
|
||||
|
||||
## Related Sources
|
||||
- [[ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones]]
|
||||
Reference in New Issue
Block a user