A Unified Architecture for both Humans and Workloads to Access Private/Internal VPC AWS Resources behind NAT Scattered Across Multiple Regions as well as Protected Public Resources such as Protected S3 Buckets and Lambda Functions
A Unified Architecture to Provide Access to Private/Internal Resources of Any Type via Client-based Zero-Config Clients over WireGuard/QUIC Tunnels as well as via the Clientless BeyondCorp Mode for both Humans and Workloads
Provide Dynamic Secretless, Clientless Access to all your S3 Buckets, Lambda Functions and other AWS APIs without Managing, Distributing and Rotating AWS IAM identities.
Identity-based ABAC Access Control at the Application Layer (L7) (e.g. HTTP paths, methods and JSON body content) using Identity-aware Proxies (IAPs) with Context-aware Policy-as-Code via CEL and Open Policy Agent (OPA)
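To make the L7 ABAC claim concrete, the following is an added example (not code from the product described on this page, nor a CEL or OPA policy) that shows what a small identity-aware proxy decision looks like: a declarative rule set is evaluated against the caller's identity, the HTTP method and path, and the parsed JSON body, with default-deny. The policy rules, identities, groups and paths are all constructed for illustration.

```python
import json
from dataclasses import dataclass, field

@dataclass
class Identity:
    """Caller identity as an identity-aware proxy would see it after authentication."""
    user: str
    groups: set = field(default_factory=set)
    attested_mfa: bool = False  # True when a hardware-attested FIDO2 authenticator was used

@dataclass
class HttpRequest:
    method: str
    path: str
    body: bytes = b""

# Constructed policy-as-code: each rule is a set of constraints that must ALL hold.
# "{user}" in a path is substituted with the caller's own username.
POLICY = [
    {"name": "read-own-profile", "methods": {"GET"}, "path": "/api/users/{user}"},
    {"name": "admin-delete-user", "methods": {"DELETE"}, "path_prefix": "/api/users/",
     "groups": {"admins"}, "require_attested_mfa": True},
    {"name": "finance-small-transfer", "methods": {"POST"}, "path": "/api/transfers",
     "groups": {"finance"}, "body_max": {"amount": 1000}},
]

def parse_json_body(raw: bytes):
    """Return the parsed JSON object, or None if the body is empty or malformed."""
    if not raw:
        return None
    try:
        parsed = json.loads(raw)
    except ValueError:
        return None
    return parsed if isinstance(parsed, dict) else None

def rule_matches(rule: dict, ident: Identity, req: HttpRequest, body) -> bool:
    if req.method not in rule["methods"]:
        return False
    if "path" in rule and req.path != rule["path"].replace("{user}", ident.user):
        return False
    if "path_prefix" in rule and not req.path.startswith(rule["path_prefix"]):
        return False
    if "groups" in rule and not (rule["groups"] & ident.groups):
        return False
    if rule.get("require_attested_mfa") and not ident.attested_mfa:
        return False
    if "body_max" in rule:
        # A missing or malformed body never satisfies a body-dependent constraint.
        if body is None:
            return False
        for key, limit in rule["body_max"].items():
            value = body.get(key)
            if not isinstance(value, (int, float)) or isinstance(value, bool):
                return False
            if value <= 0 or value > limit:
                return False
    return True

def authorize(ident: Identity, req: HttpRequest):
    """Return (allowed, rule_name). No matching rule means deny."""
    body = parse_json_body(req.body)
    for rule in POLICY:
        if rule_matches(rule, ident, req, body):
            return True, rule["name"]
    return False, "default-deny"

if __name__ == "__main__":
    alice = Identity("alice", {"finance"})
    print(authorize(alice, HttpRequest("POST", "/api/transfers", b'{"amount": 500}')))
    print(authorize(alice, HttpRequest("POST", "/api/transfers", b'{"amount": 5000}')))
```

The body constraint is where L7 awareness pays off: the same `POST /api/transfers` is allowed or denied depending on a field inside the JSON payload, something a network-layer ACL cannot express.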
Provide Passwordless Access to all PostgreSQL and MySQL-based RDS Databases to your Users without Managing and Sharing Passwords. Dynamically Assign Database Users and Credentials and Route to Different Databases based on User Identity as well as the Access Context using Policy-as-Code
Provide Unified Access to all your AWS Resources for your Workloads written in any Programming Language via Standard OAuth2 Client-Credentials Flow and Bearer Authentication without having to Use Special SDKs, Clients or Manage Different AWS IAM Identities and Credentials
A Scalable Platform Built on top of Kubernetes for Automatic Horizontal Scalability and Availability
Seamlessly integrate any OpenID Connect or SAML 2.0 SSO Provider (IdP) as well as GitHub OAuth2 and Provide Secure Access to all your Resources for your Teams at Scale. Force Strong MFA via FIDO2 Phishing Resistant Authenticators into Access Control to Sensitive AWS Resources.
Designed to be Administered like Kubernetes in a DevOps/GitOps-friendly, Centralized and Declarative Way. The Cluster is furthermore fully Programmable over gRPC.
Apply your Own Custom Identity-based, Context-aware Request/Response Manipulation and Validation with Lua Scripts and Envoy ExtProc-compliant Servers. Dynamically Enforce Rate Limiting, Caching and JSON Schema Validation on a Per-Request Basis.
OpenTelemetry-ready, Layer-7-aware Real-Time Visibility and Auditing, Exported to Your Log Management and SIEM Providers
Dynamically Apply Native FIDO2 Passkey/WebAuthn, Time-based One-time Password (TOTP) Authentication and TPM 2.0 Authentication. Enforce Using Attested Hardware-based FIDO2 Authenticators in your Access Control Decisions.