By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Can I set a security group for each workspace that is launched?

0

Can I set a security group for each workspace that is launched? 1 workspace has security group A, and another workspace has security group B.

2 Answers
1

Hi,

When you register a directory with WorkSpaces, it creates two security groups, one for directory controllers and another for WorkSpaces in the directory. The security group for directory controllers has a name that consists of the directory identifier followed by **_controllers **(for example, d-12345678e1_controllers). The security group for WorkSpaces has a name that consists of the directory identifier followed by _workspacesMembers (for example, d-123456fc11_workspacesMembers).

You can add a default WorkSpaces security group to a WorkSpaces directory. After you associate a new security group with a WorkSpaces directory, new WorkSpaces that you launch or existing WorkSpaces that you rebuild will have the new security group. When you associate multiple security groups with a WorkSpaces directory, the rules from each security group are effectively aggregated to create one set of rules.

To add a security group to an existing WorkSpace without rebuilding it, you assign the new security group to the elastic network interface (ENI) of the WorkSpace. Security Groups

You can use the Amazon WorkSpaces API to programmatically launch the WorkSpaces, find the ENI assigned, and assign security groups to the ENI belonging to the WorkSpace. In your example you can use the API to launch 1 workspace has security group A attached to ENI, and launch another workspace and assign security group B to the ENI.

profile pictureAWS
EXPERT
answered 3 years ago
0

Hi, just to elaborate on this sentence: "When you associate multiple security groups with a WorkSpaces directory, the rules from each security group are effectively aggregated to create one set of rules."

This sentence is found in the public documentation here: https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-security-groups.html

However, when using an AWS Managed Microsoft Directory Service as my directory for AWS WorkSpaces, I was only able to associate 1 Security Group to the AWS Workspaces Directory at a time using the web console. (Have not tested CLI but assume its the same)

It is possible to have multiple security groups attached to the ENI of the workspace itself but I was not able to attach multiple security groups to the domain controller ENI of the AWS managed directory service.

Drop down list allowing 1 selection of security group to be chosen: Enter image description here

Notice there are no checkboxes or multi select options above.

When bypassing the workspaces web console itself and attempting to add an additional security groups to the AWS Microsoft directory service ENI directly using the EC2, Network Interfaces console, I got this error: Enter image description here

This feedback has been sent to the AWS documentation team, for review.

profile pictureAWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions