There is a lot to unpack here. First, it is good that you are considering the security implications. If you are concerned about authentication, please see this article: Integrating FreeRADIUS MFA with Amazon WorkSpaces
There is the option of creating IP Access Control Groups with WorkSpaces. This would require you to set up some sort of VPN from your client so that you are always coming from a known IP address space.
Please refer to the Workspaces Network Overview for additional information.
Hope this helps...
- Am I taking unreasonable risks by placing my WorkSpaces in a public subnet, i.e., by not using a NAT Gateway? It's not an unreasonable risk. There's guidance on both methods: https://aws.amazon.com/premiumsupport/knowledge-center/workspaces-enable-internet/. A WorkSpace has two network interfaces: one that is managed and is used to connect to your WorkSpace, and another that is in your VPC, which you have control over.
- Should I restrict access using Security Group rules, and if so, how? For the security group assigned to your WorkSpace there should be no need for inbound traffic. I'd not advise IP Security Groups here; you'd be adding additional cost and complexity. It's a good recommendation to include multi-factor authentication to launch a WorkSpace, yet consider there'll need to be services running to support this.
- Are there other steps I should take to improve the security of my VPC? There's a best practices guide: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html
There are partners that are offering managed WorkSpaces environments - tehama.io for example - to manage the service components for you.
There is a whole section on security considerations - https://docs.aws.amazon.com/whitepapers/latest/best-practices-deploying-amazon-workspaces/security.html
Please take a look at this as well.
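The two controls the answers above keep coming back to, IP Access Control Groups (which gate the address the WorkSpaces client connects from) and the security group on the WorkSpace's VPC network interface (which should carry no inbound rules), can be sanity-checked offline. The following is an added example written for this thread, not code from the answerers or from AWS. The CIDRs, the security group IDs and the rule sets are constructed fixtures; the dictionaries only mirror the field shapes of `aws workspaces authorize-ip-rules` (`ipRule`/`ruleDesc`) and `aws ec2 describe-security-groups` (`IpPermissions`/`IpPermissionsEgress`) so the same functions can be pointed at real CLI output.

```python
import ipaddress

# Constructed IP Access Control Group rules (documentation ranges, not real
# addresses). Field names follow `aws workspaces authorize-ip-rules`.
IP_GROUP_RULES = [
    {"ipRule": "203.0.113.0/24", "ruleDesc": "corporate VPN egress range"},
    {"ipRule": "198.51.100.7/32", "ruleDesc": "single admin workstation"},
]


def client_allowed(client_ip, rules=IP_GROUP_RULES):
    """Return True if the client's source address matches any rule CIDR.

    This is what an IP Access Control Group enforces: it is evaluated
    against the address the WorkSpaces client connects *from*. It says
    nothing about traffic reaching the WorkSpace's VPC network interface.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable input is never allowed
    for rule in rules:
        net = ipaddress.ip_network(rule["ipRule"], strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


# Constructed security group in describe-security-groups shape; the group
# id is made up. Empty IpPermissions is the desired state for a WorkSpace.
WORKSPACES_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [],  # no inbound rules: all ingress implicitly denied
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
}

# Constructed counter-example: an RDP rule open to the whole internet.
MISCONFIGURED_SG = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [
        {
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [],
        }
    ],
    "IpPermissionsEgress": [],
}


def _port_text(perm):
    """Render an IpPermission's protocol/port range for a report line."""
    if perm.get("IpProtocol") == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    port = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{perm['IpProtocol']}/{port}"


def inbound_findings(sg):
    """List every inbound rule on the group; an empty list is the goal.

    Each finding names the source CIDR and port range; a /0 source is
    flagged so it stands out when the report is scanned.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = _port_text(perm)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            world = " (OPEN TO THE INTERNET)" if net.prefixlen == 0 else ""
            findings.append(f"{sg['GroupId']}: inbound {ports} from {src}{world}")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.44", "198.51.100.7", "198.51.100.8", "garbage"):
        print(f"{ip:15} -> {'allowed' if client_allowed(ip) else 'denied'}")
    for sg in (WORKSPACES_SG, MISCONFIGURED_SG):
        print(sg["GroupId"], inbound_findings(sg) or ["no inbound rules"])
```

To run this against a real account, replace the fixtures with the JSON from `aws workspaces describe-ip-groups` and `aws ec2 describe-security-groups --group-ids <sg-id>`; the functions only depend on the field names shown.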
Thank you, but as I pointed out in my original post, I have been using the AWS docs and still have questions.
Thank you for your reply.
I am starting to look at the IP Access Control Group feature. Am I correct in the understanding that this feature only restricts the IP ranges associated with the authentication of my client? In other words, the workspaces in my public subnet are not protected by Access Control?
I understand that the default WorkSpaces Security Group, which has no inbound access rules (i.e., is implicitly DENY ALL), is protecting my WorkSpaces. Is that the correct way to look at this?