AWS Workspaces - How can I disable upload of a file from Workspace to any internet site or web

Hello.

It may be possible to do so by setting the WorkSpaces security group's outbound rules to disallow communication from sources other than Active Directory.
https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-security-groups.html

Granular Data Leakage Prevention settings would need the use of a third party security tool designed specifically to do such a job. Most networking solutions would block a site rather than deny a specific function within a site.

Thanks for the input.

Are there any ideal cloud DLP solutions that work well for AWS workspaces? I have a need for a few workspaces and not a big operation or not a big enterprise-type DLP solution.

My requirement is to allow downloads and internet browsing but disable uploads.

From a network perspective, uploads and downloads are pretty much the same thing. In both cases, the client (Workspaces in this case) initiates a connection to some external server/application and then sends and receives data. The biggest difference between a download and an upload is that a download generally has more data flowing to the client; an upload generally has more data flowing from the client. A security group or other networking control will not help here.

Therefore, you need a host-based solution which you would install on the Workspaces instance that controls the actions of the user. From your perspective, a Workspaces instance is just a Windows (or Linux!) machine; so you will need to find a third-party tool which will cover the use cases you've mentioned - email, third-party file storage and (I expect) browser-based uploads. I'm not sure that this is an easy thing to do as the tool in question will need to scan the behaviour of many different applications (and therefore the user) in the process.

However, you don't need to look for "cloud" specific solutions - as above; Workspaces instances are running standard operating systems.