As part of a talk I’m doing with Boston-based Workbar, I’ve written an FAQ on Amazon WorkSpaces.

Sign up here

What is Workspaces?

WorkSpaces is a Desktop as a Service (DaaS) solution from Amazon Web Services. It’s a hosted desktop in the cloud made for the enterprise. It allows end users to connect to Windows and Linux desktops from their own devices, and it allows IT to create and manage a fleet of machines and installed applications.

Why would I need this?

Some potential use cases:

  • Enable “BYOD” without giving any connectivity to company resources
  • Get contractors or employees set up without having to mail them a laptop
  • Get back to work if your computer breaks
  • Manage and support a single type of “hardware”
  • Give employees an environment that complies with your or your client’s standards

What do I need to get started?

You’ll need:

  • An AWS account
  • A WorkSpaces client (currently runs on Mac, Chromebook, Windows, Android, web and Linux)
  • An Active Directory (if you don’t have your own you can use the wizard to create a Simple AD)
  • A virtual private cloud (VPC), which is a network in the cloud. If you don’t have one you can use the wizard for this as well

How much does this cost?

It depends. Right now Amazon is running a promotion where the first 50 or so users (on basic hardware) are free. You’ll still need to pay for your networking components (~$35/month if you don’t already have them set up) and some sort of AD (a Simple AD or a connector to your existing AD also costs ~$35/month). Also make sure you read the fine print: not all configurations are covered. More here:

After the promotion ends, for the regular (non-graphics) WorkSpaces you’re looking at $25-$40 per month per workspace if it’s always running, or $8-$15 per month + $0.25-$0.80/hr for hourly billed WorkSpaces.

How can I set this up?

Amazon has a great tutorial here:

If you have any additional questions feel free to ask one of us or someone in our community

Any other tips?

Sure, I shamelessly stole these from our company Confluence (thanks Nate!)

  • Limits
    • The default limit is 15; make sure you request an increase before you hit it
  • Networking
    • Recommended best practice is a separate VPC for WorkSpaces. This VPC can contain the Managed AD if it’s not otherwise being used.
    • Managed AD can be in the same VPC but should be in a separate subnet. Use AD Connector in the WorkSpaces subnets.
    • IMPORTANT: When you register your directory with WorkSpaces, be SURE to select the same subnets as the AD Connector. There are no “best practices” options in which the WorkSpaces are in different subnets from the AD Connector. This WILL come back to bite you if you mess it up.
    • If you provision WorkSpaces in a private subnet, turn off “Access to Internet” in the directory options. It doesn’t hurt anything, but we all need to be good Internet citizens and not hold IPv4 addresses that we’re not using.
    • You can create a security group (SG) just for WorkSpaces, but you need to modify the directory properties to use it
  • Security
    • There are a ton of options in the Directory settings of the WorkSpaces console. Most are pretty loose by default
    • Encrypted WorkSpaces cannot be used to create a new image! If you intend to have a practice of periodically updating the image, then keep an unencrypted copy.
    • It costs nothing to encrypt WorkSpaces, but it can’t be done after the fact. Conversely, it can’t be undone.
    • If you want to use a KMS CMK then you need to give the WorkSpaces service permission to use it. Check the docs.
    • If you want to implement MFA, it needs to be done via AD Connector and RADIUS. No Simple AD, no Managed AD.
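To turn the subnet-mismatch, “Access to Internet” and encryption tips above into something you can actually check, here is an added audit example (not code from the original post or from AWS). The records are constructed, and their shape is assumed to follow the boto3 responses of `describe_workspace_directories`, Directory Service `describe_directories` and `describe_workspaces`; in practice you would feed it the real responses plus the set of subnet IDs you know to be private.

```python
"""Audit WorkSpaces directory/workspace records against the tips in this post."""

# Constructed sample records (not real AWS data). Their shape is assumed to match
# the boto3 responses of workspaces.describe_workspace_directories(),
# ds.describe_directories() and workspaces.describe_workspaces().
WS_DIRECTORIES = [
    {"DirectoryId": "d-EXAMPLE001", "DirectoryType": "AD_CONNECTOR",
     "SubnetIds": ["subnet-aaa", "subnet-bbb"],
     "WorkspaceCreationProperties": {"EnableInternetAccess": True}},
]
DS_DIRECTORIES = [
    {"DirectoryId": "d-EXAMPLE001", "Type": "ADConnector",
     "ConnectSettings": {"SubnetIds": ["subnet-aaa", "subnet-ccc"]}},
]
WORKSPACES = [
    {"WorkspaceId": "ws-EXAMPLE01", "DirectoryId": "d-EXAMPLE001",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True},
    {"WorkspaceId": "ws-EXAMPLE02", "DirectoryId": "d-EXAMPLE001",
     "RootVolumeEncryptionEnabled": False, "UserVolumeEncryptionEnabled": False},
]


def directory_subnets(ds_dir):
    """AD Connector keeps its subnets in ConnectSettings; Simple/Managed AD in VpcSettings."""
    settings = ds_dir.get("ConnectSettings") or ds_dir.get("VpcSettings") or {}
    return set(settings.get("SubnetIds", []))


def audit(ws_dirs, ds_dirs, workspaces, private_subnets=frozenset()):
    """Return (object id, finding) tuples, one per violated tip, in input order."""
    findings = []
    by_id = {d["DirectoryId"]: d for d in ds_dirs}
    for wd in ws_dirs:
        did, registered = wd["DirectoryId"], set(wd.get("SubnetIds", []))
        # Tip: subnets registered with WorkSpaces must equal the AD Connector's subnets.
        if wd.get("DirectoryType") == "AD_CONNECTOR" and did in by_id:
            diff = registered ^ directory_subnets(by_id[did])
            if diff:
                findings.append((did, f"subnet mismatch with AD Connector: {sorted(diff)}"))
        # Tip: WorkSpaces living only in private subnets should not have internet access on.
        props = wd.get("WorkspaceCreationProperties", {})
        if props.get("EnableInternetAccess") and registered and registered <= private_subnets:
            findings.append((did, "EnableInternetAccess on private subnets"))
    for ws in workspaces:
        # Tip: encryption is free but can only be chosen at creation time, so flag it early.
        if not (ws.get("RootVolumeEncryptionEnabled") and ws.get("UserVolumeEncryptionEnabled")):
            findings.append((ws["WorkspaceId"], "volumes not fully encrypted"))
    return findings


if __name__ == "__main__":
    for obj, msg in audit(WS_DIRECTORIES, DS_DIRECTORIES, WORKSPACES, {"subnet-aaa", "subnet-bbb"}):
        print(f"{obj}: {msg}")
```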
Jake Berkowsky

Capital One and EC2 Hack – an Overview

By Nate Aiman-Smith | August 5, 2019 |

There’s been a ton of coverage of the recently discovered Capital One breach. I’m generally very skeptical when AWS security makes the news; so far, most “breaches” have been a result of the customer implementing AWS services in an insecure manner, usually by allowing unrestricted internet access and often overriding defaults to remove safeguards (I’m looking at you, NICE and Accenture and Dow Jones!).  Occasionally, a discovered “AWS vulnerability” impacts a large number of applications in AWS – and it also impacts any similarly-configured applications that are *not* in AWS (see, for example, this PR piece…um,…