Infrastructure security in Amazon WorkSpaces Instances
As a managed service, Amazon WorkSpaces Instances is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see AWS Cloud Security.
You use AWS published API calls to access Amazon WorkSpaces Instances through the network. Clients must support the following:
-
Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
-
Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
Additionally, requests must be signed (Signature Version 4) using an access key ID and a secret access key associated with an IAM principal, or using temporary security credentials generated by AWS Security Token Service (AWS STS). For more information, see Infrastructure security in Amazon EC2.
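The two client-side requirements above (TLS 1.2 or later, and forward-secret key exchange) can be enforced in any HTTPS client that lets you supply a TLS context. The following is an added example, not part of the original page or of any AWS SDK; the cipher string is an assumption chosen to keep only (EC)DHE suites, and the helper names are hypothetical:

```python
import ssl

# Cipher string (an assumption for this example) that keeps only suites with
# ephemeral key exchange, so every TLS 1.2 session has perfect forward secrecy.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5"


def build_client_context() -> ssl.SSLContext:
    """Client TLS context meeting the AWS API requirements: TLS >= 1.2 and
    forward-secret key exchange only. Certificate and hostname verification
    stay on, as create_default_context() configures them."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1
    # set_ciphers() governs TLS 1.2 and earlier; TLS 1.3 suites are always PFS.
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def non_pfs_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that lack (EC)DHE key exchange. TLS 1.3 suites
    are skipped because that protocol mandates ephemeral key exchange."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and "DHE" not in c["name"]
    ]


if __name__ == "__main__":
    context = build_client_context()
    print("minimum version:", minimum_version_name(context))
    print("suites without forward secrecy:", non_pfs_suites(context))
    print("enabled suites:", [c["name"] for c in context.get_ciphers()])
```

Pass the returned context to a client that accepts one (for example `urllib.request.urlopen(url, context=ctx)`); the AWS SDKs and CLI already negotiate TLS 1.2 or later with modern OpenSSL builds, so this is mainly useful for custom or audited clients.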
Make Amazon WorkSpaces Instances API requests through a VPC interface endpoint
You can connect directly to Amazon WorkSpaces Instances API endpoints through an interface endpoint in your virtual private cloud (VPC) instead of connecting over the internet. When you use a VPC interface endpoint, communication between your VPC and the Amazon WorkSpaces API endpoint is conducted entirely and securely within the AWS network.
The Amazon WorkSpaces Instances API endpoints support Amazon Virtual Private Cloud (Amazon VPC) interface endpoints that are powered by AWS PrivateLink.
The VPC interface endpoint connects your VPC directly to the Amazon WorkSpaces Instances API endpoint without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Amazon WorkSpaces Instances API endpoint.
You can create an interface endpoint to connect to Amazon WorkSpaces Instances with either the AWS Management Console or AWS Command Line Interface (AWS CLI) commands. For instructions, see Creating an Interface Endpoint.
After you have created a VPC endpoint, you can use the --endpoint-url parameter in CLI commands to direct requests to the interface endpoint for the Amazon WorkSpaces Instances API, as in the following example:
aws workspaces-instances list-regions --region us-west-2 --endpoint-url https://workspaces-instances.us-west-2.api.aws
The hostname you pass must resolve to the endpoint's private IP addresses: either the Regional hostname shown here (which requires private DNS to be enabled on the endpoint) or the endpoint-specific DNS name (the vpce-… hostname) that the VPC console displays for the endpoint.
If you enable private DNS hostnames for your VPC endpoint, you don't need to specify the endpoint URL. The Amazon WorkSpaces Instances API DNS hostname that the CLI and the Amazon WorkSpaces Instances SDKs use by default (workspaces-instances.region.api.aws) resolves to your VPC endpoint.
The Amazon WorkSpaces Instances API endpoint supports VPC endpoints in all AWS Regions where both Amazon VPC and Amazon WorkSpaces Instances are available.
To learn more about AWS PrivateLink, see the AWS PrivateLink documentation. For the price of VPC endpoints, see VPC Pricing.
To see a list of Amazon WorkSpaces Instances API endpoints by Region, see WorkSpaces API Endpoints.
Note
Amazon WorkSpaces Instances API endpoints with AWS PrivateLink are not supported for Federal Information Processing Standard (FIPS) Amazon WorkSpaces Instances API endpoints.
Create a VPC endpoint policy for Amazon WorkSpaces Instances
You can create a policy for Amazon VPC endpoints for Amazon WorkSpaces Instances to specify the following:
-
The principal that can perform actions.
-
The actions that can be performed.
-
The resources on which actions can be performed.
For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.
Note
VPC endpoint policies aren't supported for Federal Information Processing Standard (FIPS) Amazon WorkSpaces Instances endpoints.
The following example VPC endpoint policy allows any principal that can reach the interface endpoint to call the workspaces-instances:ListRegions action, and only for requests that arrive through the endpoint vpce-00b4e19feaf8b3eee from VPC vpc-0ecfe75f77ce1aa61. No other Amazon WorkSpaces Instances API action is allowed through this endpoint.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPortalsAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "workspaces-instances:ListRegions",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-0ecfe75f77ce1aa61",
                    "aws:SourceVpce": "vpce-00b4e19feaf8b3eee"
                }
            }
        }
    ]
}
Note
In this example, users can still call other Amazon WorkSpaces Instances API actions from outside the VPC, because a VPC endpoint policy governs only the requests that pass through that endpoint. To restrict API calls to those made from within the VPC, see Identity and access management for WorkSpaces Instances for information about using identity-based policies to control access to Amazon WorkSpaces Instances API endpoints.
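The interaction between the endpoint policy above and an identity-based policy is easy to get wrong, so the following added example (not part of the original page, and not AWS code) models it with a small evaluator over constructed request contexts. It reproduces the page's endpoint policy verbatim and adds an assumed identity-based policy that denies any call not arriving through vpce-00b4e19feaf8b3eee; the evaluator supports only StringEquals and StringNotEquals and ignores other IAM policy types (SCPs, resource policies, permissions boundaries). Action names other than ListRegions appear only to illustrate wildcard matching.

```python
import fnmatch

# The VPC endpoint policy from this page.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPortalsAccess",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "workspaces-instances:ListRegions",
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:SourceVpc": "vpc-0ecfe75f77ce1aa61",
            "aws:SourceVpce": "vpce-00b4e19feaf8b3eee"}},
    }],
}

# Assumed identity-based policy: grant the API, then deny any call that did not
# arrive through the endpoint. StringNotEquals also matches when the key is
# absent from the request, which is exactly the case for internet-path calls.
VPC_ONLY_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "workspaces-instances:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "workspaces-instances:*", "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:SourceVpce": "vpce-00b4e19feaf8b3eee"}}},
    ],
}

# A permissive identity-based policy with no VPC condition, for comparison.
OPEN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "workspaces-instances:*", "Resource": "*"},
    ],
}


def _condition_matches(condition, ctx):
    """Subset of IAM condition semantics: StringEquals and StringNotEquals."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            actual = ctx.get(key)          # None when the key is absent
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy, action, ctx):
    """Evaluate one policy document. Explicit Deny wins over Allow, and an
    action no statement matches is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_authorized(action, ctx, identity_policy, endpoint_policy=ENDPOINT_POLICY):
    """The identity-based policy always applies. The endpoint policy is consulted
    only when the request traversed the endpoint (aws:SourceVpce is present),
    and every consulted policy must allow the call."""
    decisions = [evaluate(identity_policy, action, ctx)]
    if "aws:SourceVpce" in ctx:
        decisions.append(evaluate(endpoint_policy, action, ctx))
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)


# Constructed request contexts for the two network paths.
VIA_ENDPOINT = {"aws:SourceVpc": "vpc-0ecfe75f77ce1aa61",
                "aws:SourceVpce": "vpce-00b4e19feaf8b3eee"}
FROM_INTERNET = {}   # no VPC keys: the request never touched the endpoint

if __name__ == "__main__":
    act = "workspaces-instances:ListRegions"
    print("open policy, via endpoint:  ", is_authorized(act, VIA_ENDPOINT, OPEN_IDENTITY_POLICY))
    print("open policy, from internet: ", is_authorized(act, FROM_INTERNET, OPEN_IDENTITY_POLICY))
    print("vpc-only, via endpoint:     ", is_authorized(act, VIA_ENDPOINT, VPC_ONLY_IDENTITY_POLICY))
    print("vpc-only, from internet:    ", is_authorized(act, FROM_INTERNET, VPC_ONLY_IDENTITY_POLICY))
```

The second line of output is the point of the note: with a permissive identity-based policy, the endpoint policy is never consulted for an internet-path call, so ListRegions succeeds from outside the VPC. Only the Deny with the aws:SourceVpce condition in the identity-based policy closes that path.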
Connect your private network to your VPC
To call the Amazon WorkSpaces Instances API through your VPC, you have to connect from an instance that is inside the VPC, or connect your private network to your VPC by using AWS Virtual Private Network (AWS VPN) or AWS Direct Connect. For information, see VPN Connections in the Amazon Virtual Private Cloud User Guide. For information about AWS Direct Connect, see Creating a Connection in the AWS Direct Connect User Guide.