This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::EC2::VerifiedAccessTrustProvider A trust provider is a third-party entity that creates, maintains, and manages identity information for users and devices. When an application request is made, the identity information sent by the trust provider is evaluated by Verified Access before allowing or denying the application request. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::EC2::VerifiedAccessTrustProvider", "Properties" : { "[Description](#cfn-ec2-verifiedaccesstrustprovider-description)" : String, "[DeviceOptions](#cfn-ec2-verifiedaccesstrustprovider-deviceoptions)" : DeviceOptions, "[DeviceTrustProviderType](#cfn-ec2-verifiedaccesstrustprovider-devicetrustprovidertype)" : String, "[NativeApplicationOidcOptions](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions)" : NativeApplicationOidcOptions, "[OidcOptions](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions)" : OidcOptions, "[PolicyReferenceName](#cfn-ec2-verifiedaccesstrustprovider-policyreferencename)" : String, "[SseSpecification](#cfn-ec2-verifiedaccesstrustprovider-ssespecification)" : SseSpecification, "[Tags](#cfn-ec2-verifiedaccesstrustprovider-tags)" : [ Tag, ... ], "[TrustProviderType](#cfn-ec2-verifiedaccesstrustprovider-trustprovidertype)" : String, "[UserTrustProviderType](#cfn-ec2-verifiedaccesstrustprovider-usertrustprovidertype)" : String } } ``` ### YAML ``` Type: AWS::EC2::VerifiedAccessTrustProvider Properties: [Description](#cfn-ec2-verifiedaccesstrustprovider-description): String [DeviceOptions](#cfn-ec2-verifiedaccesstrustprovider-deviceoptions): DeviceOptions [DeviceTrustProviderType](#cfn-ec2-verifiedaccesstrustprovider-devicetrustprovidertype): String [NativeApplicationOidcOptions](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions): NativeApplicationOidcOptions [OidcOptions](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions): OidcOptions [PolicyReferenceName](#cfn-ec2-verifiedaccesstrustprovider-policyreferencename): String [SseSpecification](#cfn-ec2-verifiedaccesstrustprovider-ssespecification): SseSpecification [Tags](#cfn-ec2-verifiedaccesstrustprovider-tags): - Tag [TrustProviderType](#cfn-ec2-verifiedaccesstrustprovider-trustprovidertype): String [UserTrustProviderType](#cfn-ec2-verifiedaccesstrustprovider-usertrustprovidertype): String ``` ## Properties `Description` A description for the AWS Verified Access trust provider. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DeviceOptions` The options for device-identity trust provider. *Required*: No *Type*: [DeviceOptions](aws-properties-ec2-verifiedaccesstrustprovider-deviceoptions.md) *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `DeviceTrustProviderType` The type of device-based trust provider. *Required*: No *Type*: String *Allowed values*: `jamf | crowdstrike | jumpcloud` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `NativeApplicationOidcOptions` The OpenID Connect (OIDC) options. *Required*: No *Type*: [NativeApplicationOidcOptions](aws-properties-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OidcOptions` The options for an OpenID Connect-compatible user-identity trust provider. *Required*: No *Type*: [OidcOptions](aws-properties-ec2-verifiedaccesstrustprovider-oidcoptions.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PolicyReferenceName` The identifier to be used when working with policy rules. *Required*: Yes *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `SseSpecification` The options for additional server side encryption. *Required*: No *Type*: [SseSpecification](aws-properties-ec2-verifiedaccesstrustprovider-ssespecification.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` The tags. *Required*: No *Type*: Array of [Tag](aws-properties-ec2-verifiedaccesstrustprovider-tag.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TrustProviderType` The type of Verified Access trust provider. *Required*: Yes *Type*: String *Allowed values*: `user | device` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `UserTrustProviderType` The type of user-based trust provider. *Required*: No *Type*: String *Allowed values*: `iam-identity-center | oidc` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ID of the Verified Access trust provider. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `CreationTime` The creation time. `LastUpdatedTime` The last updated time. `VerifiedAccessTrustProviderId` The ID of the Verified Access trust provider. # AWS::EC2::VerifiedAccessTrustProvider DeviceOptions Describes the options for an AWS Verified Access device-identity based trust provider. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[PublicSigningKeyUrl](#cfn-ec2-verifiedaccesstrustprovider-deviceoptions-publicsigningkeyurl)" : String, "[TenantId](#cfn-ec2-verifiedaccesstrustprovider-deviceoptions-tenantid)" : String } ``` ### YAML ``` [PublicSigningKeyUrl](#cfn-ec2-verifiedaccesstrustprovider-deviceoptions-publicsigningkeyurl): String [TenantId](#cfn-ec2-verifiedaccesstrustprovider-deviceoptions-tenantid): String ``` ## Properties `PublicSigningKeyUrl` The URL AWS Verified Access will use to verify the authenticity of the device tokens. *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `TenantId` The ID of the tenant application with the device-identity provider. *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) # AWS::EC2::VerifiedAccessTrustProvider NativeApplicationOidcOptions Describes the OpenID Connect (OIDC) options. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AuthorizationEndpoint](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-authorizationendpoint)" : String, "[ClientId](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-clientid)" : String, "[ClientSecret](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-clientsecret)" : String, "[Issuer](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-issuer)" : String, "[PublicSigningKeyEndpoint](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-publicsigningkeyendpoint)" : String, "[Scope](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-scope)" : String, "[TokenEndpoint](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-tokenendpoint)" : String, "[UserInfoEndpoint](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-userinfoendpoint)" : String } ``` ### YAML ``` [AuthorizationEndpoint](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-authorizationendpoint): String [ClientId](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-clientid): String [ClientSecret](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-clientsecret): String [Issuer](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-issuer): String [PublicSigningKeyEndpoint](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-publicsigningkeyendpoint): String [Scope](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-scope): String [TokenEndpoint](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-tokenendpoint): String [UserInfoEndpoint](#cfn-ec2-verifiedaccesstrustprovider-nativeapplicationoidcoptions-userinfoendpoint): String ``` ## Properties `AuthorizationEndpoint` The authorization endpoint of the IdP. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ClientId` The OAuth 2.0 client identifier. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ClientSecret` The OAuth 2.0 client secret. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Issuer` The OIDC issuer identifier of the IdP. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PublicSigningKeyEndpoint` The public signing key endpoint. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Scope` The set of user claims to be requested from the IdP. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TokenEndpoint` The token endpoint of the IdP. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `UserInfoEndpoint` The user info endpoint of the IdP. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::EC2::VerifiedAccessTrustProvider OidcOptions Describes the options for an OpenID Connect-compatible user-identity trust provider. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AuthorizationEndpoint](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-authorizationendpoint)" : String, "[ClientId](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-clientid)" : String, "[ClientSecret](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-clientsecret)" : String, "[Issuer](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-issuer)" : String, "[Scope](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-scope)" : String, "[TokenEndpoint](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-tokenendpoint)" : String, "[UserInfoEndpoint](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-userinfoendpoint)" : String } ``` ### YAML ``` [AuthorizationEndpoint](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-authorizationendpoint): String [ClientId](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-clientid): String [ClientSecret](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-clientsecret): String [Issuer](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-issuer): String [Scope](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-scope): String [TokenEndpoint](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-tokenendpoint): String [UserInfoEndpoint](#cfn-ec2-verifiedaccesstrustprovider-oidcoptions-userinfoendpoint): String ``` ## Properties `AuthorizationEndpoint` The OIDC authorization endpoint. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ClientId` The client identifier. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ClientSecret` The client secret. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Issuer` The OIDC issuer. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Scope` The OpenID Connect (OIDC) scope specified. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TokenEndpoint` The OIDC token endpoint. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `UserInfoEndpoint` The OIDC user info endpoint. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::EC2::VerifiedAccessTrustProvider SseSpecification AWS Verified Access provides server side encryption by default to data at rest using AWS-owned KMS keys. You also have the option of using customer managed KMS keys, which can be specified using the options below. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CustomerManagedKeyEnabled](#cfn-ec2-verifiedaccesstrustprovider-ssespecification-customermanagedkeyenabled)" : Boolean, "[KmsKeyArn](#cfn-ec2-verifiedaccesstrustprovider-ssespecification-kmskeyarn)" : String } ``` ### YAML ``` [CustomerManagedKeyEnabled](#cfn-ec2-verifiedaccesstrustprovider-ssespecification-customermanagedkeyenabled): Boolean [KmsKeyArn](#cfn-ec2-verifiedaccesstrustprovider-ssespecification-kmskeyarn): String ``` ## Properties `CustomerManagedKeyEnabled` Enable or disable the use of customer managed KMS keys for server side encryption. Valid values: `True` \$1 `False` *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `KmsKeyArn` The ARN of the KMS key. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::EC2::VerifiedAccessTrustProvider Tag Specifies a tag. For more information, see [Resource tags](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ec2-verifiedaccesstrustprovider-tag-key)" : String, "[Value](#cfn-ec2-verifiedaccesstrustprovider-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-ec2-verifiedaccesstrustprovider-tag-key): String [Value](#cfn-ec2-verifiedaccesstrustprovider-tag-value): String ``` ## Properties `Key` The tag key. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The tag value. *Required*: Yes *Type*: String *Minimum*: `0` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### This example specifies two tags for the Verified Access trust provider. #### JSON ``` "Tags" : [ { "Key" : "key1", "Value" : "value1" }, { "Key" : "key2", "Value" : "value2" } ] ``` #### YAML ``` Tags: - Key: "key1" Value: "value1" - Key: "key2" Value: "value2" ```