Infrastructure security in Amazon WorkSpaces - Amazon WorkSpaces
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Infrastructure security in Amazon WorkSpaces

As a managed service, Amazon WorkSpaces is protected by Amazon global network security. For information about Amazon security services and how Amazon protects infrastructure, see Amazon Cloud Security. To design your Amazon environment using the best practices for infrastructure security, see Infrastructure Protection in Security Pillar Amazon Well‐Architected Framework.

You use Amazon published API calls to access WorkSpaces through the network. Clients must support the following:

  • Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.

  • Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the Amazon Security Token Service (Amazon STS) to generate temporary security credentials to sign requests.

Network isolation

A virtual private cloud (VPC) is a virtual network in your own logically isolated area in the Amazon Cloud. You can deploy your WorkSpaces in a private subnet in your VPC. For more information, see Configure a VPC for WorkSpaces.

To allow traffic only from specific address ranges (for example, from your corporate network), update the security group for your VPC or use an IP access control group.

You can restrict WorkSpace access to trusted devices with valid certificates. For more information, see Restrict WorkSpaces access to trusted devices.

Isolation on physical hosts

Different WorkSpaces on the same physical host are isolated from each other through the hypervisor. It is as though they are on separate physical hosts. When a WorkSpace is deleted, the memory allocated to it is scrubbed (set to zero) by the hypervisor before it is allocated to a new WorkSpace.

Authorization of corporate users

With WorkSpaces, directories are managed through the Amazon Directory Service. You can create a standalone, managed directory for users. Or you can integrate with your existing Active Directory environment so that your users can use their current credentials to obtain seamless access to corporate resources. For more information, see Manage directories for WorkSpaces.

To further control access to your WorkSpaces, use multi-factor authentication. For more information, see How to Enable Multi-Factor Authentication for Amazon Services.

Make Amazon WorkSpaces API requests through a VPC interface endpoint

You can connect directly to Amazon WorkSpaces API endpoints through an interface endpoint in your virtual private cloud (VPC) instead of connecting over the internet. When you use a VPC interface endpoint, communication between your VPC and the Amazon WorkSpaces API endpoint is conducted entirely and securely within the Amazon network.

Note

This feature can be used only for connecting to WorkSpaces API endpoints. To connect to WorkSpaces using the WorkSpaces clients, internet connectivity is required, as described in IP address and port requirements for WorkSpaces.

The Amazon WorkSpaces API endpoints support Amazon Virtual Private Cloud (Amazon VPC) interface endpoints that are powered by Amazon PrivateLink. Each VPC endpoint is represented by one or more network interfaces (also known as elastic network interfaces, or ENIs) with private IP addresses in your VPC subnets.

The VPC interface endpoint connects your VPC directly to the Amazon WorkSpaces API endpoint without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Amazon WorkSpaces API endpoint.

You can create an interface endpoint to connect to Amazon WorkSpaces with either the Amazon Web Services Management Console or Amazon Command Line Interface (Amazon CLI) commands. For instructions, see Creating an Interface Endpoint.

After you have created a VPC endpoint, you can use the following example CLI commands that use the endpoint-url parameter to specify interface endpoints to the Amazon WorkSpaces API endpoint:

aws workspaces copy-workspace-image --endpoint-url VPC_Endpoint_ID.workspaces.Region.vpce.amazonaws.com aws workspaces delete-workspace-image --endpoint-url VPC_Endpoint_ID.api.workspaces.Region.vpce.amazonaws.com aws workspaces describe-workspace-bundles --endpoint-url VPC_Endpoint_ID.workspaces.Region.vpce.amazonaws.com \ --endpoint-name Endpoint_Name \ --body "Endpoint_Body" \ --content-type "Content_Type" \ Output_File

If you enable private DNS hostnames for your VPC endpoint, you don't need to specify the endpoint URL. The Amazon WorkSpaces API DNS hostname that the CLI and Amazon WorkSpaces SDK use by default (https://api.workspaces.Region.amazonaws.com) resolves to your VPC endpoint.

The Amazon WorkSpaces API endpoint supports VPC endpoints in all Amazon Regions where both Amazon VPC and Amazon WorkSpaces are available. Amazon WorkSpaces supports making calls to all of its public APIs inside your VPC.

To learn more about Amazon PrivateLink, see the Amazon PrivateLink documentation. For the price of VPC endpoints, see VPC Pricing. To learn more about VPC and endpoints, see Amazon VPC.

To see a list of Amazon WorkSpaces API endpoints by Region, see WorkSpaces API Endpoints.

Note

Amazon WorkSpaces API endpoints with Amazon PrivateLink are not supported for Federal Information Processing Standard (FIPS) Amazon WorkSpaces API endpoints.

You can create a policy for Amazon VPC endpoints for Amazon WorkSpaces to specify the following:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.

Note

VPC endpoint policies aren't supported for Federal Information Processing Standard (FIPS) Amazon WorkSpaces endpoints.

The following example VPC endpoint policy specifies that all users who have access to the VPC interface endpoint are allowed to invoke the Amazon WorkSpaces hosted endpoint named ws-f9abcdefg.

{ "Statement": [ { "Action": "workspaces:*", "Effect": "Allow", "Resource": "arn:aws:workspaces:us-west-2:1234567891011:workspace/ws-f9abcdefg", "Principal": "*" } ] }

In this example, the following actions are denied:

  • Invoking Amazon WorkSpaces hosted endpoints other than ws-f9abcdefg.

  • Performing an action on any resource besides the one specified (WorkSpace ID: ws-f9abcdefg).

Note

In this example, users can still take other Amazon WorkSpaces API actions from outside the VPC. To restrict API calls to those from within the VPC, see Identity and access management for WorkSpaces for information about using identity-based policies to control access to Amazon WorkSpaces API endpoints.

To call the Amazon WorkSpaces API through your VPC, you have to connect from an instance that is inside the VPC, or connect your private network to your VPC by using Amazon Virtual Private Network (Amazon VPN) or Amazon Direct Connect. For information, see VPN Connections in the Amazon Virtual Private Cloud User Guide. For information about Amazon Direct Connect, see Creating a Connection in the Amazon Direct Connect User Guide.