
How do I control access to my WorkSpaces?


I want to set access controls in Amazon WorkSpaces so that only specific devices and IP addresses can access the WorkSpaces.

Resolution

You can manage WorkSpaces access with access control options and IP address access control groups.

Access control options

Use access control options to restrict access to your WorkSpace. Specify the operating systems (OSs) and root certificates for your trusted devices.

You must have an internal certificate authority (CA), and provide the following certificates:

  • A root certificate that's generated by an internal CA for the WorkSpaces directory.
  • An installed client certificate that links to a root certificate for the client device.

For information about how to create and deploy certificates in WorkSpaces, see Restrict access to trusted devices for WorkSpaces Personal.

IP address access control groups

Create an IP address access control group to restrict access based on the public IP address ranges that are allowed to connect to the WorkSpace. You define the allowed IP address ranges as rules in groups that you create from the IP address access control groups navigation pane, and then assign those groups to a directory.

Important: Make sure that your IP address access control groups contain rules. An empty IP address access control group that's assigned to directories might cause connectivity issues for all users that access the WorkSpace.

The following limitations apply to IP address access control groups:

  • You can associate up to 25 IP address access control groups with a single directory.
  • You can create up to 100 IP address access control groups in each AWS Region.
  • If your users access their WorkSpaces through a NAT gateway or VPN, then create rules that allow traffic from the public IP addresses.
  • If you use a NAT, then configure the NAT to use a static IP address instead of a dynamic IP address.

For more information, see IP address access control groups for WorkSpaces Personal.

Note: To find the public IP address of a user, use http://checkip.amazonaws.com/.

WorkSpaces client IP address

You can use Amazon EventBridge to monitor your WorkSpaces and get the WAN IP address that users log in from. To get the IP address, create an EventBridge rule that matches WorkSpaces events and read the clientIPAddress field of each event, which carries the WAN IP address.
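As an added example (not code from this article or from AWS), the following Python reads the client IP out of a constructed WorkSpaces Access event, checks it against a constructed stand-in for the rules of the IP address access control groups assigned to a directory, and flags any empty group, which is the misconfiguration the Important note above warns about. The event shape, group names, and CIDR ranges are assumptions; real rules would come from the WorkSpaces API or console.

```python
import ipaddress
import json

# Constructed sample "WorkSpaces Access" event in the EventBridge envelope shape.
# Account, directory, and WorkSpace values are placeholders, not real identifiers.
SAMPLE_EVENT = {
    "source": "aws.workspaces",
    "detail-type": "WorkSpaces Access",
    "region": "us-east-1",
    "detail": {
        "clientIpAddress": "203.0.113.25",
        "actionType": "successfulLogin",
        "directoryId": "domain/d-EXAMPLE",
        "workspaceId": "ws-EXAMPLE",
    },
}

# Constructed stand-in for the rules of the groups assigned to one directory
# (hypothetical data, not fetched from the WorkSpaces API).
DIRECTORY_ACG_RULES = {
    "corp-office-egress": ["203.0.113.0/24"],   # office NAT public range
    "vpn-nat-static-ip": ["198.51.100.7/32"],   # VPN NAT with a static public IP
    "empty-group": [],                          # no rules: blocks every user
}

def client_ip_from_event(event):
    """Return the WAN client IP from a WorkSpaces Access event.
    The key is matched case-insensitively because the field is written
    clientIPAddress in the article and camelCase in event payloads."""
    for key, value in event.get("detail", {}).items():
        if key.lower() == "clientipaddress":
            return ipaddress.ip_address(value)
    raise KeyError("no client IP field in WorkSpaces event")

def empty_groups(groups):
    """Names of groups with no rules; assigning one to a directory breaks access."""
    return [name for name, rules in groups.items() if not rules]

def matching_groups(ip, groups):
    """Names of groups with a rule covering ip; a login is allowed if any match."""
    return [name for name, rules in groups.items()
            if any(ip in ipaddress.ip_network(r, strict=False) for r in rules)]

def evaluate(event, groups):
    """Summarise one login event: its WAN IP, which groups allow it, empty groups.
    An empty allowed_by list usually means a NAT or VPN egress IP is missing a rule."""
    ip = client_ip_from_event(event)
    return {"ip": str(ip), "allowed_by": matching_groups(ip, groups),
            "empty_groups": empty_groups(groups)}

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENT, DIRECTORY_ACG_RULES), indent=2))
```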

Related information

How do I determine the public IP address that my WorkSpace uses when I browse the internet?

IP address and port requirements for WorkSpaces Personal

Troubleshoot issues for WorkSpaces Personal

Integrate SAML 2.0 with WorkSpaces Personal

AWS OFFICIAL | Updated 2 years ago
1 Comment

Thank you for this article! In addition, I've created a Python command line utility to manage IP Access Control Groups programmatically. It is a manager for create, read, update and delete operations, for IP access control on AWS directories. See: https://simplefactory.substack.com/p/amazon-workspaces-ip-acg-acgenius

replied a year ago