Infrastructure security in Amazon WorkSpaces - Amazon WorkSpaces

Infrastructure security in Amazon WorkSpaces

As a managed service, Amazon WorkSpaces is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see AWS Cloud Security. To design your AWS environment using the best practices for infrastructure security, see Infrastructure Protection in Security Pillar AWS Well‐Architected Framework.

You use AWS published API calls to access WorkSpaces through the network. Clients must support the following:

  • Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.

  • Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the AWS Security Token Service (AWS STS) to generate temporary security credentials to sign requests.

Network isolation

A virtual private cloud (VPC) is a virtual network in your own logically isolated area in the AWS Cloud. You can deploy your WorkSpaces in a private subnet in your VPC. For more information, see Configure a VPC for WorkSpaces.

To allow traffic only from specific address ranges (for example, from your corporate network), update the security group for your VPC or use an IP access control group.

You can restrict WorkSpace access to trusted devices with valid certificates. For more information, see Restrict WorkSpaces access to trusted devices.

Isolation on physical hosts

Different WorkSpaces on the same physical host are isolated from each other through the hypervisor. It is as though they are on separate physical hosts. When a WorkSpace is deleted, the memory allocated to it is scrubbed (set to zero) by the hypervisor before it is allocated to a new WorkSpace.

Authorization of corporate users

With WorkSpaces, directories are managed through the AWS Directory Service. You can create a standalone, managed directory for users. Or you can integrate with your existing Active Directory environment so that your users can use their current credentials to obtain seamless access to corporate resources. For more information, see Manage directories for WorkSpaces.

To further control access to your WorkSpaces, use multi-factor authentication. For more information, see How to Enable Multi-Factor Authentication for AWS Services.

Make Amazon WorkSpaces API requests through a VPC interface endpoint

You can connect directly to Amazon WorkSpaces API endpoints through an interface endpoint in your virtual private cloud (VPC) instead of connecting over the internet. When you use a VPC interface endpoint, communication between your VPC and the Amazon WorkSpaces API endpoint is conducted entirely and securely within the AWS network.


This feature can be used only for connecting to WorkSpaces API endpoints. To connect to WorkSpaces using the WorkSpaces clients, internet connectivity is required, as described in IP address and port requirements for WorkSpaces.

The Amazon WorkSpaces API endpoints support Amazon Virtual Private Cloud (Amazon VPC) interface endpoints that are powered by AWS PrivateLink. Each VPC endpoint is represented by one or more network interfaces (also known as elastic network interfaces, or ENIs) with private IP addresses in your VPC subnets.

The VPC interface endpoint connects your VPC directly to the Amazon WorkSpaces API endpoint without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Amazon WorkSpaces API endpoint.

You can create an interface endpoint to connect to Amazon WorkSpaces with either the AWS Management Console or AWS Command Line Interface (AWS CLI) commands. For instructions, see Creating an Interface Endpoint.

After you have created a VPC endpoint, you can use the following example CLI commands that use the endpoint-url parameter to specify interface endpoints to the Amazon WorkSpaces API endpoint:

aws workspaces copy-workspace-image --endpoint-url aws workspaces delete-workspace-image --endpoint-url aws workspaces describe-workspace-bundles --endpoint-url \ --endpoint-name Endpoint_Name \ --body "Endpoint_Body" \ --content-type "Content_Type" \ Output_File

If you enable private DNS hostnames for your VPC endpoint, you don't need to specify the endpoint URL. The Amazon WorkSpaces API DNS hostname that the CLI and Amazon WorkSpaces SDK use by default ( resolves to your VPC endpoint.

The Amazon WorkSpaces API endpoint supports VPC endpoints in all AWS Regions where both Amazon VPC and Amazon WorkSpaces are available. Amazon WorkSpaces supports making calls to all of its public APIs inside your VPC.

To learn more about AWS PrivateLink, see the AWS PrivateLink documentation. For the price of VPC endpoints, see VPC Pricing. To learn more about VPC and endpoints, see Amazon VPC.

To see a list of Amazon WorkSpaces API endpoints by Region, see WorkSpaces API Endpoints.


Amazon WorkSpaces API endpoints with AWS PrivateLink are not supported for Federal Information Processing Standard (FIPS) Amazon WorkSpaces API endpoints.

You can create a policy for Amazon VPC endpoints for Amazon WorkSpaces to specify the following:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.


VPC endpoint policies aren't supported for Federal Information Processing Standard (FIPS) Amazon WorkSpaces endpoints.

The following example VPC endpoint policy specifies that all users who have access to the VPC interface endpoint are allowed to invoke the Amazon WorkSpaces hosted endpoint named ws-f9abcdefg.

{ "Statement": [ { "Action": "workspaces:*", "Effect": "Allow", "Resource": "arn:aws:workspaces:us-west-2:1234567891011:workspace/ws-f9abcdefg", "Principal": "*" } ] }

In this example, the following actions are denied:

  • Invoking Amazon WorkSpaces hosted endpoints other than ws-f9abcdefg.

  • Performing an action on any resource besides the one specified (WorkSpace ID: ws-f9abcdefg).


In this example, users can still take other Amazon WorkSpaces API actions from outside the VPC. To restrict API calls to those from within the VPC, see Identity and access management for WorkSpaces for information about using identity-based policies to control access to Amazon WorkSpaces API endpoints.

To call the Amazon WorkSpaces API through your VPC, you have to connect from an instance that is inside the VPC, or connect your private network to your VPC by using AWS Virtual Private Network (AWS VPN) or AWS Direct Connect. For information, see VPN Connections in the Amazon Virtual Private Cloud User Guide. For information about AWS Direct Connect, see Creating a Connection in the AWS Direct Connect User Guide.