Can I set a security group for each workspace that is launched?

0

Can I set a security group for each workspace that is launched? 1 workspace has security group A, and another workspace has security group B.

asked 2 years ago, 905 views
2 Answers
1

Hi,

When you register a directory with WorkSpaces, it creates two security groups, one for directory controllers and another for WorkSpaces in the directory. The security group for directory controllers has a name that consists of the directory identifier followed by _controllers (for example, d-12345678e1_controllers). The security group for WorkSpaces has a name that consists of the directory identifier followed by _workspacesMembers (for example, d-123456fc11_workspacesMembers).

You can add a default WorkSpaces security group to a WorkSpaces directory. After you associate a new security group with a WorkSpaces directory, new WorkSpaces that you launch or existing WorkSpaces that you rebuild will have the new security group. When you associate multiple security groups with a WorkSpaces directory, the rules from each security group are effectively aggregated to create one set of rules.

To add a security group to an existing WorkSpace without rebuilding it, you assign the new security group to the elastic network interface (ENI) of the WorkSpace.

You can use the Amazon WorkSpaces API to programmatically launch the WorkSpaces, find the ENI assigned, and assign security groups to the ENI belonging to the WorkSpace. In your example, you can use the API to launch one WorkSpace with security group A attached to its ENI, and launch another WorkSpace and assign security group B to its ENI.

AWS
EXPERT
Dzung_N
answered 2 years ago
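The ENI approach described in the answer above, as an added example (not code from the answerer or from AWS). It assumes boto3 clients and that the WorkSpace's ENI can be found by matching the `IpAddress` and `SubnetId` returned by `describe_workspaces`; `add_security_group` and `FakeAws` are hypothetical names, and the stub uses constructed IDs so the block runs offline. `Groups` on `modify_network_interface_attribute` replaces the ENI's whole security group set, so the existing groups are sent back together with the new one.

```python
def add_security_group(ws, ec2, workspace_id, group_id):
    """Add group_id to one WorkSpace's ENI, keeping the groups already on it.
    ws, ec2: boto3 clients for "workspaces" and "ec2" (hypothetical helper)."""
    found = ws.describe_workspaces(WorkspaceIds=[workspace_id])["Workspaces"]
    if not found:
        raise LookupError(f"WorkSpace {workspace_id} not found")
    ip, subnet = found[0].get("IpAddress"), found[0].get("SubnetId")
    if not ip or not subnet:
        raise RuntimeError(f"{workspace_id} has no IP address yet")
    # describe_workspaces returns no ENI ID, so match on private IP and subnet.
    enis = ec2.describe_network_interfaces(Filters=[
        {"Name": "addresses.private-ip-address", "Values": [ip]},
        {"Name": "subnet-id", "Values": [subnet]},
    ])["NetworkInterfaces"]
    if len(enis) != 1:
        raise RuntimeError(f"expected 1 ENI for {ip}, found {len(enis)}")
    current = [g["GroupId"] for g in enis[0]["Groups"]]
    if group_id in current:
        return current  # already attached, nothing to change
    # Groups replaces the ENI's whole set: send the existing groups plus the new one.
    desired = current + [group_id]
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=enis[0]["NetworkInterfaceId"], Groups=desired)
    return desired


class FakeAws:
    """Constructed stand-in for both clients so the example runs offline."""
    def __init__(self, groups):
        self.groups = list(groups)

    def describe_workspaces(self, WorkspaceIds):
        return {"Workspaces": [{"WorkspaceId": WorkspaceIds[0],
                                "IpAddress": "10.0.1.25",
                                "SubnetId": "subnet-0123456789abcdef0"}]}

    def describe_network_interfaces(self, Filters):
        return {"NetworkInterfaces": [{
            "NetworkInterfaceId": "eni-0123456789abcdef0",
            "Groups": [{"GroupId": g} for g in self.groups]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.groups = list(Groups)


if __name__ == "__main__":
    aws = FakeAws(["sg-0aaaaaaaaaaaaaaa1"])  # constructed IDs throughout
    print(add_security_group(aws, aws, "ws-constructed1", "sg-0bbbbbbbbbbbbbbb2"))
```

Against a real account, pass `boto3.client("workspaces")` and `boto3.client("ec2")` in place of the stub.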
0

Hi, just to elaborate on this sentence: "When you associate multiple security groups with a WorkSpaces directory, the rules from each security group are effectively aggregated to create one set of rules."

This sentence is found in the public documentation here: https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-security-groups.html

However, when using an AWS Managed Microsoft Directory Service as my directory for AWS WorkSpaces, I was only able to associate 1 Security Group to the AWS Workspaces Directory at a time using the web console. (Have not tested CLI but assume it's the same.)

It is possible to have multiple security groups attached to the ENI of the workspace itself but I was not able to attach multiple security groups to the domain controller ENI of the AWS managed directory service.

Drop down list allowing 1 selection of security group to be chosen: [image]

Notice there are no checkboxes or multi select options above.

When bypassing the workspaces web console itself and attempting to add an additional security group to the AWS Microsoft directory service ENI directly using the EC2, Network Interfaces console, I got this error: [image]

This feedback has been sent to the AWS documentation team, for review.

AWS
answered a year ago
