
A Semantic-Aware Zero Trust Network Access Control for modern cloud architectures

Felice Cetrone


Supervisor: Alessandro Aliberti. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2025

Abstract:

This thesis presents the design and implementation of AWSH, a secure and scalable remote access platform built on the principles of zero trust network access (ZTNA). The system supports agentless and agent-based targets and addresses the inherent limitations of traditional VPN and base-based solutions. Conventional approaches rely on the assumption that users within the network perimeter are inherently trustworthy, an assumption that no longer holds in today's distributed and cloud-native environments. Once authenticated, users typically gain broad network visibility and extensive privileges, increasing the risk of lateral movement and credential compromise. Zero Trust architectures mitigate these risks through continuous verification, least-privilege access, and comprehensive auditability of all access activity.

The objective of this work is to provide a unified framework that ensures secure, auditable, and policy-controlled access to remote targets. AWSH consolidates authentication, authorization, and auditing into a single system while introducing command-level inspection for real-time analysis and detection of inappropriate user behavior. The platform is designed around a distributed microservice architecture with decoupled control and data planes to maximize scalability, fault tolerance, and operational flexibility. It consists of four key components: i) a Client, a command-line interface that interacts with the control plane to initiate and manage remote sessions; ii) the Policy Decision Point (PDP), responsible for enforcing identity-based authentication and authorization policies; iii) a Connector, acting either as a proxy to multiple targets or deployed directly on a target host, linking it to the AWSH data plane; iv) a Gateway, the system's central hub, which establishes and manages secure tunnels between the Client and the remote Target via the Connector.

All communications employ certificate-based authentication and encryption, ensuring confidentiality and integrity. A distinctive feature of AWSH is the Command Inspector, an AI-powered module based on an agentic architecture driven by a Large Language Model (LLM). This component performs real-time command inspection, classifying user intent and flagging potentially malicious or non-compliant operations. By combining context-aware analysis with policy-driven enforcement, AWSH extends traditional role-based access control into an adaptive authorization model that continuously assesses trust. By integrating Zero Trust principles with LLM-based command inspection, AWSH delivers a robust, transparent, and intelligent access control platform. It provides a unified foundation for identity management, policy definition, and auditing across distributed environments, offering a pragmatic and modern alternative to conventional VPN or PAM solutions. Future work will focus on enhancing the Command Inspector module and expanding protocol compatibility.

Supervisors: Alessandro Aliberti
Academic year: 2025/26
Publication type: Electronic
Number of pages: 79
Additional information: Restricted thesis. Full text not available
Subjects:
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New regulations > Master's degree > LM-32 - INGEGNERIA INFORMATICA (Computer Engineering)
Collaborating companies: ALPHAWAVES S.R.L.
URI: http://webthesis.biblio.polito.it/id/eprint/38596