Amazon WorkSpaces
Administration Guide

Monitor Your WorkSpaces Using CloudWatch Events

You can use events from Amazon CloudWatch Events to view, search, download, archive, analyze, and respond to successful logins to your WorkSpaces. These WorkSpaces login events can be stored or archived as logs for future reference, analyzed to look for patterns, and actions can be taken on those patterns. With more visibility into where users are logged in from using the WAN IP address, you can use policies to only allow access to files or data from WorkSpaces meeting access criteria found in the CloudWatch Event type of ‘WorkSpaces Access’. You can also analyze this data, which is available in near real-time, and perform automated actions using AWS Lambda and have policy controls to block access to files and applications from unauthorized IP addresses with policy controls.

For more information about events, see the Amazon CloudWatch Events User Guide.

WorkSpaces Events

Amazon WorkSpaces client applications send WorkSpaces Access events to CloudWatch Events when a user successfully logs in to a WorkSpace. All Amazon WorkSpaces clients send these events.

Events are represented as JSON objects. The following is example data for a WorkSpaces Access event.

{ "version": "0", "id": "64ca0eda-9751-dc55-c41a-1bd50b4fc9b7", "detail-type": "WorkSpaces Access", "source": "aws.workspaces", "account": "123456789012", "time": "2018-07-01T17:53:06Z", "region": "us-east-2", "resources": [], "detail": { "clientIpAddress": "", "actionType": "successfulLogin", "workspacesClientProductName": "WorkSpaces Desktop client", "loginTime": "2018-07-01T17:52:51.595Z", "clientPlatform": "Windows", "directoryId": "d-123456789", "workspaceId": "ws-xyskdga" } }

Event-Specific Fields


The WAN IP address of the client application. For PCoIP zero clients, this is the IP address of the Teradici auth client.


This value is always successfulLogin.

  • WorkSpaces Desktop client — Windows and Mac OS X clients

  • Amazon WorkSpaces Mobile client — iOS client

  • WorkSpaces Mobile client — Android clients

  • WorkSpaces Chrome client — Chromebook client

  • WorkSpaces Web client — Web Access client

  • Teradici PCoIP Zero Client, Teradici PCoIP Desktop Client, or Dell Wyse PCoIP Client — Zero Client


The time at which the user logged in to the WorkSpace.

  • Android

  • Chrome

  • iOS

  • OSX

  • Windows

  • Teradici PCoIP Zero Client and Tera2

  • Web


The identifier of the directory for the WorkSpace.


The identifier of the WorkSpace.

Create a Rule to Handle WorkSpaces Events

Use the following procedure to create a CloudWatch Events rule to handle the WorkSpaces events.

To create a rule to handle WorkSpaces events

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Events.

  3. Choose Create rule.

  4. For Event Source, do the following:

    1. Choose Event Pattern and Build event pattern to match events by service (the default).

    2. For Service Name, choose WorkSpaces.

    3. For Event Type, choose WorkSpaces Access.

  5. For Targets, choose Add target, and then choose the service that is to act when a WorkSpaces event is detected. Provide any information required by this service.

  6. Choose Configure details. For Rule definition, type a name and description.

  7. Choose Create rule.