
What is Best Practice configuration for a SECURE single user WorkSpaces VPC?

0

I am a one-person business looking to set up a simple VPC for access to a virtual Windows desktop when I travel from the US to Europe. My trips are 1-3 months in duration, and I'd like to carry just my iPad or a Chromebook rather than a full laptop. This is easier and more secure if my desktop is in the AWS cloud.

I am a bit of a network novice and my prior experience with AWS has been only with S3 buckets. From reading the AWS docs, I have learned how to create a VPC, with subnets and a Simple AD. I can spin up a workspace and access it. However, I am unsure about what additional steps, if any, I should take to secure my WorkSpaces environment.

I am using public subnets without a NAT Gateway, because I only need one workspace image and would like to avoid paying $35+ per month for the NAT just to address one image. I know that one of the side benefits of using a NAT Gateway is that I get a degree of isolation from the Internet because any images behind a NAT Gateway would not be directly reachable from the Internet. However, in my case, my workspace image has an assigned IP and is not behind a NAT Gateway.

My questions are:

  1. Am I taking unreasonable risks by placing my WorkSpaces in a public subnet, i.e., by not using a NAT Gateway?
  2. Should I restrict access using Security Group rules, and if so, how?
  3. Are there other steps I should take to improve the security of my VPC?

I want to access my WorkSpace using an iPad, so I can't use certificate-based authentication. I don't know if I could easily use IP restriction, because I don't know in advance the IP range I would be in when I travel. PLUS, as you can probably tell, I'm confused about what I need to secure - the workspace image, my Simple Directory instance, or both?

I'm having a hard time finding guidance in the AWS documentation, because much of the docs are oriented toward corporate use cases, which is understandable. The "getting started" documentation is excellent but doesn't seem to touch on my questions.

Thanks in advance for any answers or documentation sources you provide!

3 Answers
2

There is a lot to unpack here. First, it is good that you are considering the security implications. If you are concerned about authentication please see this article: Integrating FreeRADIUS MFA with Amazon WorkSpaces

There is the option of creating IP Access Control Groups with Workspaces. This would require you to set up some sort of VPN from your client so that you are always coming from a known IP address space.

Please refer to the Workspaces Network Overview for additional information.

Hope this helps...

answered 7 months ago
  • Thank you for your reply.

    I am starting to look at the IP Access Control Group feature. Am I correct in the understanding that this feature only restricts the IP ranges associated with the authentication of my client? In other words, the workspaces in my public subnet are not protected by Access Control?

    I understand that the default WorkSpaces Security Group, which has no inbound access rules (i.e., is implicitly DENY ALL), is protecting my WorkSpaces. Is that the correct way to look at this?

1
  • Am I taking unreasonable risks by placing my WorkSpaces in a public subnet, i.e., by not using a NAT Gateway? - It's not an unreasonable risk. There's guidance on both methods - https://aws.amazon.com/premiumsupport/knowledge-center/workspaces-enable-internet/. A WorkSpace has two network interfaces. One that is managed, and is used to connect to your WorkSpace; and another that is in your VPC, and you have control over.

  • Should I restrict access using Security Group rules, and if so, how? For the security group assigned to your WorkSpace there should be no need for inbound traffic. I'd not advise IP Security Groups here; you'd be adding additional cost and complexity. It's a good recommendation to include multi-factor authentication to launch a WorkSpace, yet consider there'll need to be services running to support this.

  • Are there other steps I should take to improve the security of my VPC? There's a best practices guide https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html.

There are partners that are offering managed WorkSpaces environments - tehama.io for example - to manage the service components for you.

EXPERT
answered 7 months ago
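The answer above says the security group on the WorkSpace's VPC interface should need no inbound rules, and the asker's comment wonders whether a group with no inbound rules is what protects the WorkSpace. Here is an added audit check (my own example, not code from the thread or from AWS) that walks a security group in the shape returned by boto3's `ec2.describe_security_groups()` and reports every inbound rule, rating any source of `0.0.0.0/0` or `::/0` as high. The group IDs and the sample rules are constructed for the example.

```python
# Added example, not from the re:Post thread. Audits a security group in the
# structure boto3's ec2.describe_security_groups() returns ("SecurityGroups"[i]).
# The samples below are constructed so the check runs offline.
from ipaddress import ip_network


def audit_workspace_sg(sg: dict) -> list:
    """Return one finding per inbound rule source. For a WorkSpace's VPC
    security group any inbound rule is worth reporting; a rule whose source
    is the whole Internet (prefix length 0) is rated high."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        ports = ("all" if proto == "-1"
                 else f"{perm.get('FromPort')}-{perm.get('ToPort')}")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        for src in sources:
            severity = "medium"
            try:
                if ip_network(src, strict=False).prefixlen == 0:
                    severity = "high"  # 0.0.0.0/0 or ::/0: reachable from anywhere
            except ValueError:
                pass  # source is another security group id, not a CIDR
            findings.append({"severity": severity, "protocol": proto,
                             "ports": ports, "source": src})
    return findings


# Constructed samples: a group with no inbound rules (the posture the answer
# recommends) and a group that was opened up, one rule to the Internet and one
# to a peer security group.
CLEAN_SG = {"GroupId": "sg-0000example", "IpPermissions": []}
OPEN_SG = {"GroupId": "sg-1111example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-2222example"}]}]}

if __name__ == "__main__":
    for group in (CLEAN_SG, OPEN_SG):
        print(group["GroupId"], audit_workspace_sg(group) or "no inbound rules: OK")
```

To run it against a real account, pass each element of `describe_security_groups()["SecurityGroups"]` for the group attached to the WorkSpaces directory.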
0

There is a whole section on security considerations - https://docs.aws.amazon.com/whitepapers/latest/best-practices-deploying-amazon-workspaces/security.html

Please take a look at this as well.

answered 7 months ago
  • Thank you, but as I pointed out in my original post, I have been using the AWS docs and still have questions.
