Monitor your WorkSpaces using CloudWatch Events - Amazon WorkSpaces

You can use events from Amazon CloudWatch Events to view, search, download, archive, analyze, and respond to successful logins to your WorkSpaces. For example, you can use events for the following purposes:

  • Store or archive WorkSpaces login events as logs for future reference, analyze the logs to look for patterns, and take action based on those patterns.

  • Use the WAN IP address to determine where users are logged in from, and then use policies to allow users access only to files or data from WorkSpaces that meet the access criteria found in the CloudWatch Event type of WorkSpaces Access.

  • Analyze login data and perform automated actions by using AWS Lambda.

  • Use policy controls to block access to files and applications from unauthorized IP addresses.

For more information about events, see the Amazon CloudWatch Events User Guide.

WorkSpaces events

WorkSpaces client applications send WorkSpaces Access events to CloudWatch Events when a user successfully logs in to a WorkSpace. All WorkSpaces clients send these events.

  • Events are emitted on a best-effort basis.

  • Events emitted for WorkSpaces using the WorkSpaces Streaming Protocol (WSP) require the WorkSpaces client application version 4.0.1 or later.

Events are represented as JSON objects. The following is example data for a WorkSpaces Access event.

{
  "version": "0",
  "id": "64ca0eda-9751-dc55-c41a-1bd50b4fc9b7",
  "detail-type": "WorkSpaces Access",
  "source": "aws.workspaces",
  "account": "123456789012",
  "time": "2018-07-01T17:53:06Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "clientIpAddress": "",
    "actionType": "successfulLogin",
    "workspacesClientProductName": "WorkSpaces Desktop client",
    "loginTime": "2018-07-01T17:52:51.595Z",
    "clientPlatform": "Windows",
    "directoryId": "domain/d-123456789",
    "workspaceId": "ws-xyskdga"
  }
}

Event-specific fields


clientIpAddress

The WAN IP address of the client application. For PCoIP zero clients, this is the IP address of the Teradici auth client.


actionType

This value is always successfulLogin.


workspacesClientProductName

The following values are case-sensitive.

  • WorkSpaces Desktop client — Windows, macOS, and Linux clients

  • Amazon WorkSpaces Mobile client — iOS client

  • WorkSpaces Mobile Client — Android clients

  • WorkSpaces Chrome Client — Chromebook client

  • WorkSpaces Web Client — Web Access client

  • Teradici PCoIP Zero Client, Teradici PCoIP Desktop Client, or Dell Wyse PCoIP Client — Zero Client


loginTime

The time at which the user logged in to the WorkSpace.

clientPlatform

  • Android

  • Chrome

  • iOS

  • Linux

  • OSX

  • Windows

  • Teradici PCoIP Zero Client and Tera2

  • Web


directoryId

The identifier of the directory for the WorkSpace. You must prepend the directory identifier with domain/. For example, "domain/d-123456789".


workspaceId

The identifier of the WorkSpace.

Create a rule to handle WorkSpaces events

Use the following procedure to create a CloudWatch Events rule to handle the WorkSpaces events.

To create a rule to handle WorkSpaces events

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Events.

  3. Choose Create rule.

  4. For Event Source, do the following:

    1. Choose Event Pattern and Build event pattern to match events by service (the default).

    2. For Service Name, choose WorkSpaces.

    3. For Event Type, choose WorkSpaces Access.

  5. For Targets, choose Add target, and then choose the service that is to act when a WorkSpaces event is detected. Provide any information required by this service.

  6. Choose Configure details. For Rule definition, enter a name and description.

  7. Choose Create rule.
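The following is an added example, not part of the AWS documentation: a Lambda handler that a rule like this could use as its target, classifying each WorkSpaces Access event by whether clientIpAddress falls inside an allowlist. The CIDR ranges, the function names, and the IP address in the sample event are assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumption: corporate egress ranges (constructed, RFC 5737 documentation blocks).
ALLOWED_NETWORKS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample, shaped like the WorkSpaces Access event shown on this page.
SAMPLE_EVENT = {
    "detail-type": "WorkSpaces Access",
    "source": "aws.workspaces",
    "detail": {
        "clientIpAddress": "203.0.113.7",  # constructed value
        "actionType": "successfulLogin",
        "loginTime": "2018-07-01T17:52:51.595Z",
        "clientPlatform": "Windows",
        "directoryId": "domain/d-123456789",
        "workspaceId": "ws-xyskdga",
    },
}


def classify_login(event):
    """Return (verdict, reason); verdict is ignore, allowed, unauthorized_ip or unknown_ip."""
    if event.get("source") != "aws.workspaces" or event.get("detail-type") != "WorkSpaces Access":
        return "ignore", "not a WorkSpaces Access event"
    detail = event.get("detail") or {}
    if detail.get("actionType") != "successfulLogin":  # documented as the only value
        return "ignore", "unexpected actionType"
    raw_ip = str(detail.get("clientIpAddress") or "").strip()
    try:
        ip = ipaddress.ip_address(raw_ip)
    except ValueError:
        # Empty or malformed address: origin cannot be verified, so surface it for review.
        return "unknown_ip", f"unparseable clientIpAddress {raw_ip!r}"
    if any(ip in net for net in ALLOWED_NETWORKS):
        return "allowed", f"{ip} is inside an allowed network"
    return "unauthorized_ip", f"{ip} is outside every allowed network"


def lambda_handler(event, context):
    """Lambda entry point: emit one structured finding per event to CloudWatch Logs."""
    verdict, reason = classify_login(event)
    detail = event.get("detail") or {}
    finding = {"verdict": verdict, "reason": reason}
    for key in ("workspaceId", "directoryId", "loginTime", "clientPlatform"):
        finding[key] = detail.get(key)
    print(json.dumps(finding))
    return finding
```

Because events are emitted on a best-effort basis, the absence of an event does not show that no login occurred; treat the findings as a detection signal alongside other access controls.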