Amazon WorkSpaces is a fully managed, secure desktop computing service which runs on the AWS cloud.
WorkSpaces is a cloud-based virtual desktop that can act as a replacement for a traditional desktop.
A WorkSpace is available as a bundle of compute resources, storage space, and software applications that allows a user to perform day-to-day tasks just like using a traditional desktop.
WorkSpaces lets an administrator provision cloud-based virtual desktops and give users access to the documents, applications, and resources they need from any supported device, including PCs, Macs, Chromebooks, iPads, Fire tablets, and Android tablets.
Each WorkSpace runs on its own instance for the assigned user; applications, user documents, and settings persist across sessions.
Security
Users sign in to a WorkSpace with the credentials established when the WorkSpace is provisioned.
WorkSpaces integrates with an existing Active Directory domain (through AD Connector, or a trust to AWS Managed Microsoft AD), so users sign in with their regular Active Directory credentials.
WorkSpaces also integrates with an existing RADIUS server to enable multi-factor authentication (MFA); MFA is configured on the directory (AWS Managed Microsoft AD or AD Connector), so it applies to every WorkSpace registered with that directory.
Access to Amazon WorkSpaces can be restricted by client device type, and for Windows and macOS clients by requiring a trusted-device certificate issued by a CA whose root certificate you register with the directory.
VPC security groups attached to the WorkSpaces' network interfaces limit what the WorkSpaces can reach inside the VPC or on the Internet, and what can reach them.
IP access control groups define the trusted client IP address ranges (CIDRs) permitted to connect to the WorkSpaces in a directory; if no group is associated with a directory, clients from any address are allowed.
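As an added example (not code from the original page or from AWS), the following Python script models how an IP access control group decision is evaluated for a directory, validates proposed rules before they are pushed, and prints the AWS CLI calls that would create and associate the groups. The directory ID, group names, CIDRs and client addresses are made-up sample values.

```python
import ipaddress

# Constructed sample data (not from the page): the CIDRs, group names and
# directory ID are made up and stand in for an organisation's known egress
# ranges and its WorkSpaces directory.
DIRECTORY_ID = "d-906700000a"
TRUSTED_GROUPS = {
    "corp-offices": ["203.0.113.0/24", "198.51.100.0/25"],
    "corp-vpn": ["192.0.2.10/32"],
}


def validate_rules(cidrs):
    """Return a list of problems with the proposed rules (empty means OK).

    Two mistakes are caught before the rules reach the service: a CIDR with
    host bits set (not a network address) and 0.0.0.0/0, which admits every
    client and so silently disables the control.
    """
    problems = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
            continue
        if net.prefixlen == 0:
            problems.append(f"{cidr}: matches every address; the group would allow all clients")
    return problems


def client_allowed(client_ip, associated_groups):
    """Decide whether a client at client_ip may connect to the directory.

    Mirrors the service's evaluation: a directory with no associated group
    allows every address; once any group is associated, a client is allowed
    only if its address falls inside some rule of some associated group.
    """
    if not associated_groups:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(
        ip in ipaddress.ip_network(rule, strict=False)
        for rules in associated_groups.values()
        for rule in rules
    )


def filter_clients(client_ips, groups):
    """Split client addresses into (allowed, denied) lists under the policy."""
    allowed = [ip for ip in client_ips if client_allowed(ip, groups)]
    denied = [ip for ip in client_ips if not client_allowed(ip, groups)]
    return allowed, denied


def cli_plan(directory_id, groups):
    """Return the AWS CLI commands that create the groups and associate them.

    `create-ip-group` prints a GroupId (wsipg-...); those IDs are what
    `associate-ip-groups` takes, hence the placeholder in the last command.
    """
    cmds = []
    for name, rules in groups.items():
        user_rules = " ".join(f"ipRule={r},ruleDesc={name}" for r in rules)
        cmds.append(
            f"aws workspaces create-ip-group --group-name {name} "
            f"--group-desc 'trusted egress: {name}' --user-rules {user_rules}"
        )
    cmds.append(
        f"aws workspaces associate-ip-groups --directory-id {directory_id} "
        "--group-ids <GroupId values printed by create-ip-group>"
    )
    return cmds


if __name__ == "__main__":
    problems = validate_rules([r for rules in TRUSTED_GROUPS.values() for r in rules])
    if problems:
        raise SystemExit("\n".join(problems))
    # Constructed sample of client source addresses to check against the policy.
    sample_clients = ["203.0.113.77", "198.51.100.200", "192.0.2.10", "8.8.8.8"]
    allowed, denied = filter_clients(sample_clients, TRUSTED_GROUPS)
    print("allowed:", allowed)  # 203.0.113.77 and 192.0.2.10
    print("denied:", denied)    # 198.51.100.200 (outside the /25) and 8.8.8.8
    print("\n".join(cli_plan(DIRECTORY_ID, TRUSTED_GROUPS)))
```

The 0.0.0.0/0 check matters because a group containing it passes the API's validation yet makes the association meaningless; checking candidate client addresses with `client_allowed` before associating the groups avoids locking out a site whose egress range was mistyped.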
Backup
The user volume is snapshotted automatically every 12 hours; if the WorkSpace fails, it can be rebuilt or restored from the most recent snapshot, so up to 12 hours of user data may be lost.
Encryption
WorkSpaces supports root volume and user volume encryption.
WorkSpaces uses EBS volumes, which can be encrypted when the WorkSpace is created, protecting data at rest on the volume, disk I/O to the volume, and snapshots taken from it. Encryption must be chosen at creation; an existing unencrypted WorkSpace cannot be encrypted in place.
WorkSpaces integrates with AWS KMS so you can specify the KMS key used to encrypt the volumes, either the AWS managed key for WorkSpaces or a customer managed key.
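As an added example (not code from the original page or from AWS), the following Python script audits a `describe-workspaces` response for WorkSpaces that are not encrypted on both volumes or that use a KMS key other than the expected one, and builds a `CreateWorkspaces` entry for a compliant replacement. The response is a constructed sample with the real API field names; the WorkSpace IDs, user names, directory ID, bundle ID and key ARNs are made up.

```python
# Constructed sample of a describe-workspaces response (boto3:
# workspaces.describe_workspaces()). Field names are the real API ones; the
# WorkSpace IDs, user names, directory ID and KMS key ARNs are made up.
CORP_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1a2b3c4d-1111-2222-3333-444455556666"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff"

SAMPLE_DESCRIBE_WORKSPACES = {
    "Workspaces": [
        {"WorkspaceId": "ws-0a1b2c3d4", "DirectoryId": "d-906700000a", "UserName": "alice",
         "State": "AVAILABLE", "RootVolumeEncryptionEnabled": True,
         "UserVolumeEncryptionEnabled": True, "VolumeEncryptionKey": CORP_KEY_ARN},
        {"WorkspaceId": "ws-5e6f7a8b9", "DirectoryId": "d-906700000a", "UserName": "bob",
         "State": "AVAILABLE", "RootVolumeEncryptionEnabled": False,
         "UserVolumeEncryptionEnabled": True, "VolumeEncryptionKey": CORP_KEY_ARN},
        {"WorkspaceId": "ws-c0d1e2f3a", "DirectoryId": "d-906700000a", "UserName": "carol",
         "State": "AVAILABLE", "RootVolumeEncryptionEnabled": True,
         "UserVolumeEncryptionEnabled": True, "VolumeEncryptionKey": OTHER_KEY_ARN},
        {"WorkspaceId": "ws-4b5c6d7e8", "DirectoryId": "d-906700000a", "UserName": "dave",
         "State": "AVAILABLE"},  # created with no encryption at all
    ]
}


def audit_encryption(describe_response, required_key=None):
    """Return findings as (WorkspaceId, UserName, [problems]) for WorkSpaces
    that are not encrypted on both volumes or, when required_key is given,
    are encrypted under a different KMS key. Missing flags count as unencrypted."""
    findings = []
    for ws in describe_response.get("Workspaces", []):
        root = ws.get("RootVolumeEncryptionEnabled", False)
        user = ws.get("UserVolumeEncryptionEnabled", False)
        key = ws.get("VolumeEncryptionKey")
        problems = []
        if not root:
            problems.append("root volume not encrypted")
        if not user:
            problems.append("user volume not encrypted")
        if required_key and (root or user) and key != required_key:
            problems.append(f"encrypted with unexpected key {key}")
        if problems:
            findings.append((ws["WorkspaceId"], ws.get("UserName"), problems))
    return findings


def encrypted_workspace_request(directory_id, user_name, bundle_id, kms_key):
    """Build one entry for the Workspaces list of CreateWorkspaces with both
    volumes encrypted under kms_key. Creation is the only point at which
    encryption can be chosen, so a non-compliant WorkSpace found by the audit
    has to be replaced with one created like this, not modified in place."""
    return {
        "DirectoryId": directory_id,
        "UserName": user_name,
        "BundleId": bundle_id,
        "RootVolumeEncryptionEnabled": True,
        "UserVolumeEncryptionEnabled": True,
        "VolumeEncryptionKey": kms_key,
    }


if __name__ == "__main__":
    # Against a real account: boto3.client("workspaces").describe_workspaces(),
    # following NextToken until the listing is exhausted.
    for ws_id, user, problems in audit_encryption(SAMPLE_DESCRIBE_WORKSPACES, CORP_KEY_ARN):
        print(f"{ws_id} ({user}): {'; '.join(problems)}")
    # Replacement request for a non-compliant WorkSpace; the bundle ID is a made-up sample.
    print(encrypted_workspace_request("d-906700000a", "dave", "wsb-0123456ab", CORP_KEY_ARN))
```

Passing `required_key` catches WorkSpaces that were encrypted, but under the default AWS managed key rather than the customer managed key the organisation controls; without it only the unencrypted volumes are reported.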
Amazon WorkSpaces Application Manager (Amazon WAM)
WAM offers a fast, flexible, and secure way for you to deploy and manage applications for Amazon WorkSpaces.
WAM accelerates software deployment, upgrades, patching, and retirement by packaging Microsoft Windows desktop applications into virtualized application containers that run as though they are natively installed.
The WorkSpaces client application needs a supported client device (PC, Mac, iPad, Kindle Fire, or Android tablet) and an Internet connection with outbound TCP port 443 and TCP/UDP port 4172 open: 443 carries registration, authentication and client updates, and 4172 carries the PCoIP streaming session.
WorkSpaces are launched into a VPC. When using AWS Directory Service to create an AWS Managed Microsoft AD or a Simple AD, the recommended layout is a VPC with one public subnet and two private subnets in different Availability Zones. To give WorkSpaces in the private subnets Internet access, place a NAT gateway in the public subnet and point the private subnets' default route at it. Configure the directory to launch WorkSpaces into the private subnets.