Amazon WorkSpaces

Amazon WorkSpaces is a Desktop as a Service (DaaS) offering that provides a Windows or Linux workstation hosted and managed by AWS in the customer’s VPC. It leverages PCoIP technology (rather than Remote Desktop Protocol) for better screen refresh.

From the AWS Service Description:

Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution. You can use Amazon WorkSpaces to provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe. You can pay either monthly or hourly, just for the WorkSpaces you launch, which helps you save money when compared to traditional desktops and on-premises VDI solutions. Amazon WorkSpaces helps you eliminate the complexity in managing hardware inventory, OS versions and patches, and Virtual Desktop Infrastructure (VDI), which helps simplify your desktop delivery strategy. (source)

Amazon WorkSpaces can be a great security solution for accessing sensitive data in AWS, where you want a very locked-down environment, but users need to interact with the data. Consider data-scientists working on a large PII dataset. By leveraging WorkSpaces, the PII data can remain in AWS, while only the pixels of the screen are exported.

Service Summary

Service Name: Amazon WorkSpaces
Service Family: End User Computing
Supports Resource Policies: No
Service Pricing: Not Free
Service Webpage: https://aws.amazon.com/workspaces/

Security Risks

The greatest risk in infosec these days is the users, and this service is designed to give end-users the ability to run their own workstation. This can either harm or improve your organization’s security posture.

As the security team, you need to define the minimal acceptable configuration for WorkSpaces. What Agents, EDR, AV, etc are required? Does all internet egress need to traverse a z-scaler like proxy filter? Are these considered workstations (fixed in the office) or end-user mobile devices (laptops that fire up at Starbucks)? Apply your network and OS-level controls appropriately.

Amazon WorkSpaces has its own client you need to download to access the machine.

There is a direct integration to Amazon WorkDocs, which could pose a DLP risk to your organization.

Amazon Linux Workspace users are granted full sudo by default

Securely Leveraging WorkSpaces

WorkSpaces has a few security features to know about.

1. Authentication to the WorkSpace console requires some form of Amazon AD be configured. This can be the proxy, fully managed, or simple AD variety. To effectively and securely leverage WorkSpaces, you need to architect your AD-in-AWS-story.
2. MFA can be enabled via your local Radius server
3. Access control can be IP based using IP Access Control Groups or via digital certificates.
4. Workspaces also have security groups which can be attached to the instance for use in talking to other VPC-based resources
5. The PCoIP protocol from Teradici is fully encrypted.

Suggested Compliance Rules around WorkSpaces

1. Require managed identity and MFA.
2. Consider IP Access Controls if feasible
3. Define your minimum OS baseline requirements for Workspaces
4. WorkSpaces should be joined to a managed AD domain and receive corporate policies via GPO
5. All WorkSpaces volumes should be encrypted with KMS keys
6. All WorkSpaces must launch from an InfoSec approved image

CloudTrail events of significance

WorkSpaces CloudTrail events have "eventSource" : "workspaces.amazonaws.com"

• AssociateIpGroups
• AuthorizeIpRules
• CreateIpGroup
• CreateWorkspaces
• DeleteIpGroup
• RegisterWorkspaceDirectory - Registers the directory used for authentication. Indicator someone is deploying WorkSpaces
• RevokeIpRules
• UpdateRulesOfIpGroup