Security - Access Amazon WorkSpaces with Common Access Cards

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Security

Strong authentication

Strong authentication is provided through the use of a Common Access Card/Personal Identity Verification (CAC/PIV) card, which is a smart card used to identify active-duty military personnel, selected reservists, US Department of Defense (DoD) civilian employees, and eligible contractor personnel. In addition to providing physical access to buildings and protected areas, it also allows access to DoD computer networks and systems, satisfying two-factor authentication, digital security, and data encryption. It leverages a Public Key Infrastructure (PKI) security certificate to verify a cardholder's identity prior to allowing access to protected resources. Data from the user's CAC is accessed to validate the user, but neither the CAC certificate data nor the PIN is stored.

Services accreditation

Table 2 provides a list of AWS Services and features utilized in the Amazon WorkSpaces Common Access Card solution. The current AWS Service DoD SRG accreditation status can be found on the AWS Services in Scope by Compliance Program page.

Table 2 - AWS Services and Accreditation status for the Amazon WorkSpaces smart card capability

Service       Feature                    Accreditation status
VPC           Security Groups            IL2/4/5/6
VPC           Subnets                    IL2/4/5/6
Directory     AD Connector               IL2/4/5
Directory     Smart Card Capabilities    Pending JAB/DISA
WorkSpaces    Workspace Instances        IL2/4/5
WorkSpaces    Smart Card Capabilities    Pending JAB/DISA

Configuring WorkSpaces Directory for FIPS 140-2

To comply with the Federal Risk and Authorization Management Program (FedRAMP) or the Department of Defense Cloud Computing Security Requirements Guide, you must configure Amazon WorkSpaces to use Federal Information Processing Standards (FIPS) endpoint encryption at the directory level. You must also use a US AWS Region that has FedRAMP authorization or is DoD SRG compliant. For details on updating the Directory, see Set Up Amazon WorkSpaces for FedRAMP Authorization or DoD SRG Compliance.

Security Groups

Using the AWS Console or CLI, create Security Groups that allow communication to and from your WorkSpaces interfaces. Security Groups should include all ports and protocols required by the Amazon WorkSpaces service, as well as the ports and protocols Active Directory requires between domain controllers and domain members. For details about WorkSpaces ports and protocols, see IP Address and Port Requirements for Amazon WorkSpaces.
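One way to check that a Security Group actually covers the Active Directory ports the paragraph above calls for, as an added example that is not part of the whitepaper: the rule layout mirrors the IpPermissions entries returned by `aws ec2 describe-security-groups`, the sample rules are constructed, and REQUIRED is an assumed starter list of domain-controller ports that should be confirmed against the WorkSpaces port requirements page referenced in the text.

```python
"""Audit an EC2 security group's ingress rules against the ports a
WorkSpaces/Active Directory deployment needs.

Added example, not from the whitepaper. Rules follow the IpPermissions
structure of `aws ec2 describe-security-groups`; SAMPLE_RULES is
constructed, and REQUIRED is an assumed list of Active Directory ports
between domain controllers and domain members."""

# (protocol, port) pairs a domain member must reach on a domain controller.
REQUIRED = {
    ("tcp", 53), ("udp", 53),      # DNS
    ("tcp", 88), ("udp", 88),      # Kerberos
    ("udp", 123),                  # NTP (Kerberos clock-skew tolerance)
    ("tcp", 135),                  # RPC endpoint mapper
    ("tcp", 389), ("udp", 389),    # LDAP
    ("tcp", 445),                  # SMB (Group Policy, SYSVOL)
    ("tcp", 464), ("udp", 464),    # Kerberos password change
    ("tcp", 636),                  # LDAPS
    ("tcp", 3268), ("tcp", 3269),  # Global Catalog
}

def rule_covers(rule, proto, port):
    """True if one IpPermissions entry admits `port` over `proto`.
    IpProtocol "-1" means all traffic and carries no FromPort/ToPort."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]

def missing_ports(ip_permissions, required=REQUIRED):
    """Return the sorted (proto, port) pairs that no rule in the group covers."""
    return sorted(
        (proto, port) for proto, port in required
        if not any(rule_covers(r, proto, port) for r in ip_permissions)
    )

# Constructed sample: a group that opens LDAP, LDAPS, SMB and DNS/UDP but
# forgets Kerberos, NTP, RPC, DNS/TCP, LDAP/UDP and the Global Catalog.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 636, "ToPort": 636, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    for proto, port in missing_ports(SAMPLE_RULES):
        print(f"missing: {proto}/{port}")
```

Feed the function the `IpPermissions` list of the group attached to your WorkSpaces network interfaces to see which required ports are still closed; an empty result means every entry in the assumed list is reachable.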