Each Workspaces instance that you create is dedicated to you. The only shared part is that it is running as a virtual machine on a physical host, but that is the same as any other EC2 instance in AWS.
Once the Workspaces instance has been created you are responsible for patching it and maintaining the security of the operating system but no-one else has access to that instance unless you explicitly give them access.
From a network perspective, you select the VPC subnets that Workspaces instances are launched in. That means that you control the network access that the Workspaces instance has. Any user applications that can access the network do so in the same way that any other EC2 instance would from that same subnet. The standard practice is to launch Workspaces instances on a private subnet and allow them to access the internet via a NAT Gateway in a public subnet in the same VPC.
You might ask how you can access your Workspaces instance from the internet if it is on a private subnet. There is a second network interface in each Workspaces instance that only carries mouse, keyboard, pixel and authentication (for login) traffic. That interface is on the AWS service side and is secured by us - there is no other access allowed through that interface.
To answer your questions specifically:
a) At a VPC level you have Security Groups and any other network controls that you choose to use. On the Workspaces instance you can choose to install additional operating system level firewalls, but be careful not to block access to that second network interface.
b) You configure the security settings on the Workspaces instance. The instance is dedicated to you (or to the user that you assign to it).
c) You are responsible for monitoring the Workspaces instance in the same way that you're responsible for any EC2 instance that you launch in line with the AWS Shared Responsibility Security Model.
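One way to check the private-subnet-plus-NAT layout the answer above recommends, as an added example that is not part of the original answer or any AWS tooling: classify the subnets a WorkSpaces directory uses by their default route. The route tables below are constructed sample data in the shape that the EC2 DescribeRouteTables API returns (`aws ec2 describe-route-tables`); the subnet and gateway IDs are placeholders. The check only covers the VPC-side interface; the second, AWS-managed streaming interface is not part of your VPC routing.

```python
"""Classify VPC subnets as public/private/isolated from route-table data
and flag subnets that are a poor fit for WorkSpaces.

Added example, not code from the original re:Post answer. Input is a list of
route-table dicts shaped like the EC2 DescribeRouteTables response; the data
here is constructed for illustration.
"""

# Constructed sample: one subnet routed to an internet gateway (public), two
# routed to a NAT gateway (private), one with no default route (isolated).
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private-a"}, {"SubnetId": "subnet-private-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-isolated",
        "Associations": [{"SubnetId": "subnet-isolated-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]


def default_route_target(route_table):
    """Return 'igw', 'nat', 'other' or None for the table's active 0.0.0.0/0 route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # skip blackholed routes
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId"):
            return "nat"
        return "other"  # e.g. virtual private gateway or transit gateway
    return None


def classify_subnets(route_tables):
    """Map each explicitly associated subnet to 'public', 'private' or 'isolated'."""
    labels = {"igw": "public", "nat": "private", "other": "private", None: "isolated"}
    result = {}
    for table in route_tables:
        kind = labels[default_route_target(table)]
        for assoc in table.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet:
                result[subnet] = kind
    return result


def check_workspaces_subnets(route_tables, workspaces_subnets):
    """Return a list of findings for the subnets a WorkSpaces directory uses.

    An empty list means every subnet is private with a default route, which
    is the layout the answer describes.
    """
    classes = classify_subnets(route_tables)
    findings = []
    for subnet in workspaces_subnets:
        kind = classes.get(subnet, "unknown")
        if kind == "public":
            findings.append(f"{subnet}: default route goes to an internet gateway; "
                            "WorkSpaces should be on a private subnet")
        elif kind == "isolated":
            findings.append(f"{subnet}: no default route, so WorkSpaces there have no "
                            "internet egress (add a NAT gateway route if they need it)")
        elif kind == "unknown":
            findings.append(f"{subnet}: no explicit route table association; it uses "
                            "the VPC main route table, check that one")
    return findings


if __name__ == "__main__":
    for line in check_workspaces_subnets(
        SAMPLE_ROUTE_TABLES,
        ["subnet-public-a", "subnet-private-a", "subnet-isolated-a", "subnet-unassoc"],
    ):
        print(line)
```

To run this against a real account, replace `SAMPLE_ROUTE_TABLES` with the `RouteTables` list from `describe-route-tables` and pass the subnet IDs registered with your WorkSpaces directory. Subnets without an explicit association inherit the VPC main route table, which is why the check reports them rather than guessing.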