Security groups for your WorkSpaces - Amazon WorkSpaces

Security groups for your WorkSpaces

When you register a directory with WorkSpaces, WorkSpaces creates two security groups: one for directory controllers and another for WorkSpaces in the directory. The security group for directory controllers has a name that consists of the directory identifier followed by _controllers (for example, d-12345678e1_controllers). The security group for WorkSpaces has a name that consists of the directory identifier followed by _workspacesMembers (for example, d-123456fc11_workspacesMembers).

Warning

Avoid modifying, deleting, or detaching the _controllers and the _workspacesMembers security groups. Be cautious when modifying or deleting these security groups, because you will not be able to recreate these groups and add them back after they have been modified or deleted. For more information, see Amazon EC2 security groups for Linux instances or Amazon EC2 security groups for Windows instances.

You can add a default WorkSpaces security group to a directory. After you associate a new security group with a WorkSpaces directory, new WorkSpaces that you launch or existing WorkSpaces that you rebuild will have the new security group. You can also add this new default security group to existing WorkSpaces without rebuilding them, as explained later in this topic.

When you associate multiple security groups with a WorkSpaces directory, the rules from each security group are effectively aggregated to create one set of rules. We recommend condensing your security group rules as much as possible.

For more information about security groups, see Security Groups for Your VPC in the Amazon VPC User Guide.

To add a security group to a WorkSpaces directory
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select the directory and choose Actions, Update Details.

  4. Expand Security Group and select a security group.

  5. Choose Update and Exit.

To add a security group to an existing WorkSpace without rebuilding it, you assign the new security group to the elastic network interface (ENI) of the WorkSpace.

To add a security group to an existing WorkSpace
  1. Find the IP address for each WorkSpace that needs to be updated.

    1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

    2. Expand each WorkSpace and record its WorkSpace IP address.

  2. Find the ENI for each WorkSpace and update its security group assignment.

    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

    2. Under Network & Security, choose Network Interfaces.

    3. Search for the first IP address that you recorded in Step 1.

    4. Select the ENI associated with the IP address, choose Actions, and then choose Change Security Groups.

    5. Select the new security group, and choose Save.

    6. Repeat this process as needed for any other WorkSpaces.
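
The same ENI update can be scripted. The following is an added example, not part of the original AWS page: it looks up the ENI by the WorkSpace IP address and sends back the existing groups together with the new one, because the EC2 ModifyNetworkInterfaceAttribute call replaces the ENI's whole group set and would otherwise detach the _workspacesMembers group. The function names, the stub client, and every ID and IP address in it are constructed for illustration; the check for a _workspacesMembers group on the ENI is an assumption based on the naming described above.

```python
# Added example: append a security group to a WorkSpace ENI without dropping
# the groups already attached. `ec2` is a boto3 EC2 client (or a stub).

def merged_groups(eni, new_group_id):
    """Current groups plus the new one, as the full list EC2 expects.

    ModifyNetworkInterfaceAttribute replaces the ENI's entire group set, so the
    directory's _workspacesMembers group has to be sent back along with the
    new group or it is detached.
    """
    if not any(g["GroupName"].endswith("_workspacesMembers") for g in eni["Groups"]):
        # Assumption: a WorkSpace ENI always carries the directory's members group.
        raise ValueError(f"{eni['NetworkInterfaceId']} has no _workspacesMembers group")
    current = [g["GroupId"] for g in eni["Groups"]]
    return current if new_group_id in current else current + [new_group_id]


def add_group(ec2, workspace_ip, vpc_id, new_group_id, dry_run=True):
    """Find the ENI by WorkSpace IP and update its group list (step 2 above)."""
    enis = ec2.describe_network_interfaces(Filters=[
        {"Name": "addresses.private-ip-address", "Values": [workspace_ip]},
        {"Name": "vpc-id", "Values": [vpc_id]},  # private IPs are only unique per VPC
    ])["NetworkInterfaces"]
    if len(enis) != 1:
        raise LookupError(f"expected 1 ENI for {workspace_ip}, found {len(enis)}")
    eni_id, groups = enis[0]["NetworkInterfaceId"], merged_groups(enis[0], new_group_id)
    if not dry_run:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=groups)
    return eni_id, groups


class StubEC2:
    """Offline stand-in for the boto3 client; all IDs below are constructed."""
    def __init__(self):
        self.eni = {"NetworkInterfaceId": "eni-0aaa1111", "Groups": [
            {"GroupId": "sg-0members", "GroupName": "d-123456fc11_workspacesMembers"}]}
        self.calls = []
    def describe_network_interfaces(self, Filters):
        return {"NetworkInterfaces": [self.eni]}
    def modify_network_interface_attribute(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    # With real credentials: import boto3; ec2 = boto3.client("ec2")
    print(add_group(StubEC2(), "10.0.1.25", "vpc-0example", "sg-0extra"))
```

With `dry_run=True` (the default) the function only reports the ENI and the group list it would send, which can be reviewed before the change is applied.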