# AWS Client VPN hardening checklist (2026)

## Endpoint

- [ ] Associate **≥2 subnets** in different AZs for HA
- [ ] Client CIDR sized for **2×** expected concurrent connections and non-overlapping with VPC
- [ ] Prefer **split-tunnel** unless full-tunnel is a documented policy requirement
- [ ] Authorization rules default-deny; grant only required CIDRs/groups
- [ ] Connection logging to CloudWatch Logs (budget for log ingest)

## Authn

- [ ] Mutual certificate **or** Active Directory / IdP federation — not shared passwords
- [ ] MFA enabled when using directory auth
- [ ] Certificate rotation runbook (mutual auth) with expiry alerts

## Network

- [ ] Security groups / NACLs on target resources assume Client VPN ENI source
- [ ] Routes to on-prem via TGW/peering only if required; document blast radius
- [ ] If internet egress via VPC: inspect with Network Firewall / proxy — do not assume Client VPN is a content filter

## Cost controls

- [ ] Alarm on endpoint association hours + active connection hours ([pricing](https://aws.amazon.com/vpn/pricing/))
- [ ] Account for public IPv4 / EIP charges on Client VPN ENIs when IGW present
- [ ] Quarterly review: migrate HTTPS apps to Verified Access and shrink Client VPN population

## Ops

- [ ] Self-service client config distribution (signed packages)
- [ ] On-call runbook for “cannot connect” (auth vs route vs authz rule)
- [ ] Decommission plan when Verified Access covers ≥90% of app traffic
