- Applications and Bundles
- Bring Your Own Windows 7 Licenses (BYOL)
- Amazon WorkDocs Sync
- Amazon WorkSpaces Application Manager (Amazon WAM)
- AWS Marketplace for Desktop Apps
- Clients and User Experience
- Setup and Maintenance
- Amazon CloudWatch Monitoring
- WorkSpace Printing
Amazon WorkSpaces is a managed desktop computing service in the cloud. Amazon WorkSpaces allows customers to easily provision cloud-based desktops that allow end-users to access the documents, applications and resources they need on supported devices including Windows and Mac computers, Chromebooks, iPads, Kindle Fire tablets, and Android tablets. With a few clicks in the AWS Management Console, customers can provision a high-quality cloud desktop experience for any number of users at a cost that is competitive with traditional desktops and half the cost of most Virtual Desktop Infrastructure (VDI) solutions.
Q: What is a WorkSpace?
A WorkSpace is a cloud-based replacement for a traditional desktop. A WorkSpace is available as a bundle of compute resources, storage space, and software application access that allow a user to perform day-to-day tasks just like using a traditional desktop. A user can connect to a WorkSpace from any supported device (PC, Mac, Chromebook, iPad, Kindle Fire, or Android tablets) using a free Amazon WorkSpaces client application and credentials set up by an administrator, or their existing Active Directory credentials if Amazon WorkSpaces is integrated with an existing Active Directory domain. Once the user is connected to a WorkSpace they can perform all the usual tasks they would do on a desktop computer.
Q: How can I get started with Amazon WorkSpaces?
To get started with Amazon WorkSpaces, you will need an AWS account. You can use this account to sign into the AWS Management Console and you can then quickly provision WorkSpaces for yourself and other users who might require one. To provision WorkSpaces you simply choose a WorkSpace bundle (a configuration of compute resources, storage space, and software applications) and assign it to a user. The WorkSpace will be provisioned for your user, who will receive an email with instructions for connecting to their WorkSpace.
Q: Which Amazon WorkSpaces bundles are available?
You can find the latest information on Amazon WorkSpaces bundles here.
Q: What Operating System does a WorkSpace run?
WorkSpaces provide users with the Windows 7 Experience, provided by Windows Server 2008 R2.
Q: How does a user get started with a WorkSpace once it has been provisioned?
Once a WorkSpace is provisioned, users will receive an email with instructions explaining how they can connect to their WorkSpace. If you are not integrating with an existing Active Directory, the user will have the ability to set a password. Then, the user can download for free the appropriate Amazon WorkSpaces client application for the device(s) they wish to use and can then connect to their WorkSpace. If AD Connector has been used to integrate with an existing Active Directory domain, users will use their regular Active Directory credentials.
Q: What does a user need to use a Workspace?
A user needs to have a WorkSpace provisioned for them and to have been provided with the connection instructions (which will be emailed to them, or provided by an administrator when their WorkSpace is ready), as well as a supported client device (PC, Mac, iPad, Kindle Fire, or Android tablet). Users will also need a broadband Internet connection with TCP ports 443 & 4172, and UDP port 4172 open.
Q: Once users connect to their WorkSpace can they personalize it with their favorite settings?
An administrator can control what a user can personalize in their WorkSpace. By default, users can personalize their WorkSpaces with their favorite settings for items such as wallpaper, icons, shortcuts, etc. These settings will be saved and persist until a user changes them. If an administrator wishes to lock down a WorkSpace using tools like Group Policy, this will restrict a user’s ability to personalize their WorkSpaces.
Q: Can users install applications on their WorkSpace?
By default, users are configured as local administrators of their WorkSpaces. Administrators can change this setting and can restrict users’ ability to install applications with a technology such as Group Policy.
Q: Are WorkSpaces persistent?
Yes. Each WorkSpace runs on an individual instance for the user it is assigned to. Applications and users’ documents and settings are persistent.
Q: How is a user’s data backed up?
The user volume (D:) on the WorkSpace is backed up every 12 hours. In the case of a WorkSpace failure, AWS can restore this volume from the backup. If Amazon WorkDocs Sync is enabled on a WorkSpace, the folder a user chooses to sync will be continuously backed up and stored in Amazon WorkDocs.
Q: Do users need an AWS account?
No. An AWS account is only needed to provision WorkSpaces. To connect to WorkSpaces, users will require only the information provided in the invitation email they will receive when their WorkSpace is ready.
Q: If I am located a significant distance from the region where my WorkSpaces are located, will I have a good experience using Amazon WorkSpaces?
If you are located more than 2000 miles from the regions where Amazon WorkSpaces is currently available, you can still use the service, but your experience may be less responsive. The easiest way to check performance is to use the Amazon WorkSpaces Connection Health Check Website. You can also refer to the Regional Products and Services page for details of Amazon WorkSpaces service availability by region.
Q: Are APIs supported for Amazon WorkSpaces?
Public APIs are now supported for creating and managing Amazon WorkSpaces. You can now programmatically manage WorkSpaces using public APIs. The APIs are available via the AWS CLI and SDK or learn more about the APIs in the documentation.
Q: Is there CloudTrail support with the WorkSpaces APIs?
Yes. Actions on Amazon WorkSpaces performed via the WorkSpaces APIs will be included in your CloudTrail audit logs. Note that the AWS Management Console for Amazon WorkSpaces does not use public APIs. We plan to update the console to use public APIs in the future. Once this transition is complete, all actions on Amazon WorkSpaces, via CLI, SDK and console, can be recorded in your CloudTrail audit logs.
Q: Is there Resource Permission support with the WorkSpaces APIs?
Yes. You can specify which Amazon WorkSpaces resources users can perform actions on. For details see the documentation.
Q: Do I need to use the AWS Management console to get started with Amazon WorkSpaces?
Yes. The first time set up for Amazon WorkSpaces relies on the AWS Management Console. Once you have created a directory and registered it with the Amazon WorkSpaces service, you can create and manage WorkSpaces using the Amazon WorkSpaces APIs.
Yes, as an administrator you can create a custom image from a running WorkSpace. Once you have customized a WorkSpace with your applications and settings, you can select the WorkSpace in the WorkSpaces console and select “Create Image.” This will create an image with your applications and settings. Most WorkSpace images are available within 45 minutes. See the image documentation for more detail.
Q: How do I launch a WorkSpace from a custom image?
To launch a WorkSpace from a custom image, you will first need to pair the custom image with a hardware type you want that WorkSpace to use, which results in a bundle. You can then publish this bundle through the console, then select the bundle when launching new WorkSpaces.
Q: What is the difference between a bundle and an image?
An image contains only the OS, software and settings. A bundle is a combination of both that image and the hardware from which a WorkSpace can be launched.
Q: How many custom images can I create?
As an administrator you can create up to 5 custom images per AWS account per region. Please contact us if you need a higher limit.
Q: Can I update the image in an existing bundle?
Yes. You can update an existing bundle with a new image that contains the same tier of software (for example containing the Plus software) as the original image.
Q: How do I deploy applications to my users?
You have flexibility in how you deploy the right set of applications to users. First, you chose which image type to build from, either basic or Plus, which determines the default applications that will be in the WorkSpaces. Second, you can install additional software on a WorkSpace and create a custom image which can be used to launch more WorkSpaces. For more detail see the bundle documentation.
Q: Which software can I install on a WorkSpace?
The Amazon WorkSpaces service does not have any technical restrictions on the kind of software that you can install, and any applications that are compatible with the Windows 7 experience provided by Windows Server 2008 R2 should run on your WorkSpaces. We recommend testing any software you would like to deploy on a ‘test’ WorkSpace before delivering it to more users. You are responsible for ensuring that you remain compliant with any licensing restrictions associated with any software you intend to install on a WorkSpace.
Yes, you can now bring your Windows 7 Desktop License to Amazon WorkSpaces. Amazon WorkSpaces now provides you the ability to run on physically dedicated hardware, enabling you to use your Windows 7 Desktop Operating System on Amazon WorkSpaces.
Q: What benefits are there in bringing my Windows 7 Desktop License to Amazon WorkSpaces?
You will save $4 per WorkSpace per month when you bring your own Windows 7 Desktop License to Amazon WorkSpaces. This could result in savings of up to 16% on your Amazon WorkSpaces environment. Additionally, you can now use a single golden image to manage your physical and virtual desktop deployments.
Q: What are the prerequisites for bringing my Windows 7 Desktop Licenses to Amazon WorkSpaces?
You need an active and eligible Microsoft Volume Licensing (VL) agreement with Software Assurance contracts to bring your Windows 7 Desktop License to Amazon WorkSpaces. Please consult with your Microsoft representative to confirm your eligibility in bringing your Windows 7 Desktop License to Amazon WorkSpaces.
Q: How do I get started with bringing my Windows 7 Desktop License to Amazon WorkSpaces?
In order to ensure that you have adequate dedicated capacity allocated to your account, please reach out to your AWS account manager or sales representative to get started. Additionally, you can create a Technical Support case with Amazon WorkSpaces to get started with BYOL.
Q: How will I upload my Windows 7 Desktop image to Amazon WorkSpaces?
Please use the VMImport ImportImage function to import your Windows 7 (Enterprise and Professional) image and create an Amazon Machine Image (AMI). For additional details on importing your Windows 7 desktop image, please consult our documentation here.
Q: How can I launch Amazon WorkSpaces using my Windows 7 Desktop image?
In order for you to launch Amazon WorkSpaces using your Windows 7 Desktop image, you first have to create a custom bundle with the image you imported. Once the new custom bundle has been created, you can launch WorkSpaces from that bundle through the AWS management console or using the WorkSpaces CLI or APIs.
Q: How will I activate my Windows 7 Desktop Operating System on Amazon WorkSpaces?
You can activate your Windows 7 Desktop operating system using existing or new Microsoft activation servers that are hosted in your VPC, or ones that can be reached from the VPC in which Amazon WorkSpaces are launched.
Q: Can I create a new custom image of the Windows 7 Desktop Image uploaded to WorkSpaces?
Yes. You can use the standard WorkSpaces image management functionality to further customize the Windows 7 Desktop image and save it as another WorkSpace image in your account.
Q: Can I launch WorkSpaces from a public bundle in the same directory as my Windows 7 Desktop WorkSpaces?
No. Your Windows 7 Desktop WorkSpaces are launched on physically dedicated hardware to enable you to bring your licenses to WorkSpaces. Therefore, WorkSpaces launched in a directory marked for dedicated hardware can only be from a custom bundle that has your Windows 7 Desktop image. If you wish to launch WorkSpaces from public bundles to users in the same domain, you can create a new AWS AD Connector directory that points to the same Microsoft Active Directory as your Windows 7 Desktop WorkSpaces, and launch WorkSpaces in that directory as you normally would through the AWS console or the WorkSpaces SDK and CLI.
Q: Can I bring my Windows 7 Desktop License to all regions where WorkSpaces is available?
Yes. When you communicate with your sales representative or technical support, simply specify the region(s) in which you want to launch WorkSpaces using your Windows 7 Desktop operating systems.
Q: Would I need to commit to a certain number of WorkSpaces if I want to bring Windows 7 Desktop License?
Yes. The capability to bring Windows 7 Desktop Licenses is provided to those customers who have an active enterprise agreement with Microsoft and can commit to launching 200 WorkSpaces in a region per month.
Q: How long will it take to get setup on bringing my Windows 7 Desktop License to WorkSpaces?
You should expect to be able to launch WorkSpaces using your Windows 7 Desktop operating systems with 1-2 weeks from when you reach out to your account representative or AWS technical support.
Q: Will all of my dedicated WorkSpaces launch in a single AZ?
No. WorkSpaces launched on dedicated hardware will be balanced across two AZs. You select the AZs for WorkSpaces when you create the directory in which WorkSpaces will be launched and subsequent launches of WorkSpaces are automatically load balanced across the AZs selected when you created the directory.
Q: What happens when I terminate WorkSpaces that are launched on physically dedicated hardware?
You can terminate WorkSpaces when you no longer need them. You will only be billed for the WorkSpaces that are running.
Q: What happens to WorkSpaces that are rebuilt or restarted on physically dedicated hardware?
WorkSpaces that are rebuilt or restarted can be placed on any available physical server allocated to your account. A re-start or rebuild of a WorkSpace can result in that instance being placed on a different physical server that has been allocated to your account.
Q: Which credentials do users use to sign-in to their WorkSpaces?
Users sign into their WorkSpace using their own unique credentials, which they can create after a WorkSpace has been provisioned for them. If you have integrated the Amazon WorkSpaces service with an existing Active Directory domain, users will sign in with their regular Active Directory credentials. Amazon WorkSpaces also integrates with your existing RADIUS server to enable multi-factor authentication (MFA).
Q: What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication adds an additional layer of security during the authentication process. Users must validate their identity by providing something they know (e.g. password), as well as something they have (e.g. hardware or software generated one-time password (OTP)).
Q: What delivery methods are supported for MFA?
Amazon supports OTP that are delivered via hardware and software tokens. Out of band tokens, such as SMS tokens are not currently supported.
Q: Is there support for Google Authenticator and other virtual MFA solutions?
Google Authenticator can be used in conjunction with RADIUS. If you are running a Linux-based RADIUS server, you can configure your RADIUS fleet to use Google Authenticator through a PAM (Pluggable Authentication Module) library. MFA solutions based on the TOTP (Time-based One-time Password) protocol are not currently supported.
Q: Which WorkSpaces clients support Multi-Factor Authentication (MFA)?
MFA is available with WorkSpaces clients on the following platforms - Windows, Mac OS X, Chromebooks, iOS, Kindle, and Android.
Q: What happens if a user forgets the password to access their WorkSpace?
If AD Connector is used to integrate with an existing Active Directory domain, the user would follow the existing lost password process for your existing domain, such as contacting an internal helpdesk. If the user is using credentials stored in a directory managed by the WorkSpaces service, they can reset their password by clicking on the “Forgot Password” link in the WorkSpaces client application.
Q: How will a user’s WorkSpace be patched with software updates?
You have the ability to control how patching is configured for a user’s WorkSpace. By default, Windows Update is turned on, but you have the ability to customize these settings, or use an alternative patch management approach if you desire. Third party software will be updated according to the settings of the third party software’s update mechanism that you can control.
Q: How will WorkSpaces be protected from malware/viruses?
You can install your choice of anti-virus software on your users’ WorkSpaces. The “Plus” bundle options offer users access to anti-virus software, and you can find more details on this here. If you choose to install your own anti-virus software, please ensure that it does not block UDP port 4172, as this will prevent users connecting to their WorkSpaces.
Q: How do I remove a user’s access to a WorkSpace?
To remove a user’s access to a WorkSpace, you can disable their account either in the directory managed by the WorkSpaces service, or in an existing Active Directory that you have integrated the WorkSpaces service with.
Q: Does WorkSpaces work with AWS Identity and Access Management (IAM)?
Yes. Please see our documentation.
Q: Can I select the Organizational Unit (OU) where computer accounts for my WorkSpaces will be created in my Active Directory?
Yes. You can set a default Organizational Unit (OU) in which computer accounts for your WorkSpaces are created in your Active Directory. This OU can be part of the domain to which your users belong, or part of a domain that has a trust relationship with the domain to which your users belong, or part of a child domain in your directory. Please see our documentation for more details.
Q: Can I use Amazon VPC Security groups to limit access to resources (applications, databases) in my network or on the Internet from my WorkSpaces?
Yes. You can use Amazon VPC Security groups to limit access to resources in your network or the Internet from your WorkSpaces. You can select a default Amazon VPC Security Group for the WorkSpaces network interfaces in your VPC as part of the directory details on the WorkSpaces console. Please see our documentation for more details.
Yes. Amazon WorkSpaces supports root volume (C: drive) and user volume (D: drive) encryption. Amazon WorkSpaces uses EBS volumes that can be encrypted on creation of a WorkSpace, providing encryption for data stored at rest, disk I/O to the volume, and snapshots created from the volume. Amazon WorkSpaces integrates with the AWS KMS service to allow you to specify the keys you want to use to encrypt the volumes.
Q: Which Amazon WorkSpace bundle types will support encryption?
Encryption is supported on all Amazon WorkSpaces hardware and software bundle types. This includes the Value, Standard, Performance bundles along with their associated “Plus” bundles. Additionally, any custom bundles will also support encryption.
Q: How can I encrypt a new WorkSpace?
When creating a new WorkSpace from the console or the Amazon WorkSpaces APIs, you will have the option to specify which volume(s) you want encrypted along with a key ARN from your KMS keys for encryption. Note that during the launch of a WorkSpace you can specify whether you want encryption for the user volume, root volume or both volumes, and the key provided will be used to encrypt the volumes specified.
Q: Can I use different keys to encrypt the root and user volumes of a WorkSpace?
The root and user volumes are encrypted using a single key.
Q: Do I need to provide a new KMS key for each WorkSpace that I want to encrypt?
You can use the same KMS key to encrypt the volumes of up to 30 Amazon WorkSpaces.
Q: Can Amazon WorkSpaces create a KMS key on my behalf?
Amazon WorkSpaces creates a default master key upon your first attempt to launch a WorkSpace through the AWS management console. You cannot manage the lifecycle of default master keys. To control the full lifecycle of a key, configure WorkSpaces to use a KMS custom customer master key (CMK). To create a KMS custom CMK, visit the KMS console or use KMS APIs to create your own keys. Note that you can use a default key generated by KMS for your WorkSpaces which will be made available to you on your first attempt to launch Amazon WorkSpaces with encryption through the AWS management console.
Q: What are the prerequisites for using KMS keys to encrypt Amazon WorkSpaces?
In order to use KMS keys to encrypt Amazon WorkSpaces, the key must not be disabled, and should not have exceeded its limits (learn more about limits here). You also need to have the correct permissions and policies associated with the key to use it for encryption. To learn more about the correct permissions and policies needed on the keys, please refer to our documentation here.
Q: How will I be notified if my KMS key does not meet the pre-requisites outlined above?
When you launch a new WorkSpace with the key specified, the WorkSpaces service will verify if the key is valid and eligible to be used for encryption. If the key is not valid, the launch process will fail quickly and notify you of the error associated with the key. Please note that if you change the key settings while the WorkSpace is being created, there is a chance that provisioning will fail and you will be notified of this failure through the AWS management console or through the DescribeWorkSpaces API call.
Q: How will I be able to tell which WorkSpaces are encrypted and which ones are not?
You will be able to see if a WorkSpace is encrypted or not from the AWS Management Console or using the Amazon WorkSpaces API. In addition to that, you will also be able to tell which volume(s) on the WorkSpace were encrypted, and the key ARN that was used to encrypt the WorkSpace. For example, the DescribeWorkSpaces API call will return information about which volumes (user and/or root) are encrypted and the key ARN that was used to encrypt the WorkSpace.
Q: Can I enable encryption of volumes on a running WorkSpace?
Encryption of WorkSpaces is only supported during the creation/launch of a WorkSpace.
Q: What happens to a running WorkSpace when I disable the key in the KMS console?
A running WorkSpace will not be impacted if you disable the KMS key that was used to encrypt the user volume of the WorkSpace. Users will be able to login and use the WorkSpace without interruption. However, restarts and rebuilds of WorkSpaces that were encrypted using a KMS key that has been disabled (or the permissions/policies on the key have been modified) will fail. If the key is re-enabled and/or the correct permissions/policies are restored, restarts and rebuilds of the WorkSpace will work again.
Q: Is it possible to disable encryption for a running WorkSpace?
Amazon WorkSpaces does not support disabling encryption for a running WorkSpace. Once a WorkSpace is launched with encryption enabled, it will always remain encrypted.
Q: Will snapshots of an encrypted user volume also be encrypted?
Yes. All snapshots of the user volume will be encrypted using the same key that was used to encrypt the user volume of the WorkSpace when it was created. The user volume once encrypted stays encrypted throughout its lifecycle. Please note that Amazon WorkSpaces does not take snapshots of the root volume of a running WorkSpace.
Q: Can I re-build a WorkSpace that has been encrypted?
Yes. Rebuilds of a WorkSpace will work as long as the key that was used to encrypt the WorkSpace is still valid. The WorkSpace volume(s) stay encrypted using the original key after it has been rebuilt.
Q: Can I create a custom image from a WorkSpace that has been encrypted?
Creating a custom image from a WorkSpace that is encrypted is not supported.
Q: Will the performance of my WorkSpace be impacted because the volume(s) are encrypted?
You can expect a minimum increase in latency on IOPS on encrypted volumes.
Q: Will encryption impact the launch time of a WorkSpace?
The launch time of a WorkSpace that only requires user volume encryption are similar to those of an unencrypted WorkSpace. The launch time of a WorkSpace that requires root volume encrypt will take several more minutes.
Q: Will encryption be supported for BYOL WorkSpaces?
Yes. Amazon WorkSpaces will support encryption for BYOL WorkSpaces.
Q: Will I be able to use the same KMS key to encrypt Amazon WorkSpaces in a different region?
No. Encrypted resources in one region cannot be used in a different region, because a KMS key belongs to the region in which it was created.
Q: Is there a charge for encrypting volumes on Amazon WorkSpaces?
There is no additional charge for encrypting volumes on WorkSpaces, however you will have to pay standard KMS charges for KMS API requests and any custom CMKs that are used to encrypt WorkSpaces. Please see KMS pricing here. Please note that the Amazon WorkSpaces services makes a maximum of five API calls to the KMS service upon launching, restarting or rebuilding a single WorkSpace.
Q: Can I rotate my KMS keys?
Yes. You can use KMS to rotate your custom CMKs. You can configure a custom CMK that you create to be automatically rotated by KMS on an annual basis. There is no impact to WorkSpaces encrypted before the CMK rotation, they will work as expected.
Q: What is Amazon WorkDocs Sync?
Amazon WorkDocs Sync (formerly WorkSpaces Sync) is a client application that you can install in a WorkSpace that you launch, which continuously, automatically, and securely backs up documents from a WorkSpace to Amazon WorkDocs. You can also install Amazon WorkDocs Sync on a Mac or PC to sync documents to or from a WorkSpace so that users can always have access to their data regardless of the desktop computer you are using. When a WorkSpace is launched, users will have a link on their desktop so that they can install Amazon WorkDocs Sync. The client can be downloaded here.
Q: Can I enable or disable Amazon WorkDocs Sync for a user’s WorkSpace?
When you create a directory, or use AD Connector to integrate with an existing Active Directory, you can choose to enable or disable Amazon WorkDocs Sync for that directory. Currently you cannot enable or disable Amazon WorkDocs Sync on a per-user basis.
Q: How do I synchronize documents between a WorkSpace and a Mac or Windows client?
To enable synchronization, all you need to do is install Amazon WorkDocs Sync on both the WorkSpace itself, and the Mac or Windows client you would like to synchronize with. On the Mac or Windows and the WorkSpace, you choose which folder you want to synchronize and Amazon WorkDocs Sync will automatically keep the folders in sync.
Q: Is Single Sign-On (SSO) supported?
Yes. Single Sign-On (SSO) can be enabled so that when users are signed in to their Amazon WorkSpace they will be automatically signed in to their WorkDocs Sync client, and will not be required to provide credentials when they access the web client from their Amazon WorkSpace. You can enable SSO by visiting the AWS Directory Service area of the AWS console, clicking the directory ID link for your directory and selecting the Apps & Services tab. For more information and detailed setup see our documentation.
Q: What is Amazon WorkSpaces Application Manager?
Amazon WorkSpaces Application Manager (Amazon WAM) offers a fast, flexible, and secure way for you to deploy and manage applications for Amazon WorkSpaces. Amazon WAM accelerates software deployment, upgrades, patching, and retirement by packaging Microsoft Windows desktop applications into virtualized application containers that run as though they are natively installed.
Q: How are Amazon WAM applications delivered to users?
Amazon WAM delivers desktop apps to users' WorkSpaces as virtualized app containers using a unique cloud delivery technology. The applications execute on a WorkSpace from within the virtualized container and provide performance similar to natively-installed applications.
Q: How can I get started with Amazon WAM?
To get started with Amazon WAM, select your level of subscription (Lite/Standard,) build an application catalog in the AWS Management Console and assign applications to Amazon WorkSpaces users. You can build an application catalog using applications for which you own licenses, proprietary applications built in-house, and applications from the AWS Marketplace for Desktop Apps.
After your catalog is available, you can use the AWS Management Console to assign applications from the catalog to your Amazon WorkSpaces users. Applications from the catalog can be made required or optional. Required applications are automatically installed on the appropriate WorkSpaces; optional applications are made available to users for on-demand installation.
Q: How do I upload my applications to Amazon WAM?
You can package your applications using the Amazon WAM Studio, validate using the Amazon WAM Player, and then upload your applications to Amazon WAM. For more information, see the Amazon WAM User Guide on packaging and validating.
Q: What type of applications can be delivered using Amazon WAM?
Any application compatible with Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008 R2, and Microsoft Windows Server 2012 can be delivered to WorkSpaces using Amazon WAM. Both 32-bit and 64-bit applications are supported.
Q: Can I track application use with Amazon WAM?
You can track usage for any applications assigned to users.
Q: Which AWS regions does Amazon WAM support?
Amazon WAM is currently available in the US East (N. Virginia), US West (Oregon), and EU (Ireland) AWS regions.
Q: Do WorkSpaces need Internet access to use Amazon WAM?
Yes. WorkSpaces need an Internet connection to receive applications via Amazon WAM.
Q: How do I get Amazon WAM on my users’ WorkSpaces?
The Amazon WAM desktop app can be installed on your users' WorkSpaces via a desktop shortcut on WorkSpaces provisioned in the US East (N. Virginia), US West (Oregon), and EU (Ireland) AWS regions. The desktop shortcut will be available on WorkSpaces created after April 9th, 2015. Existing WorkSpaces can be restarted via the Start menu on the WorkSpace or rebooted via the console to enable the Amazon WAM desktop shortcut.
Q: How do end users access applications that are assigned using Amazon WAM?
Users can open the Amazon WAM desktop app and see all the applications available to them. You can set up applications to be required or optional. Required applications are automatically installed on user's WorkSpace, and optional applications can be installed via the Amazon WAM desktop app. For more information about the Amazon WAM desktop app, see the Amazon WAM User Guide.
Q: How many applications can I add to my Amazon WAM catalog?
There is no limit to the number of applications you can add to your Amazon WAM catalog. However, storage charges apply to applications that you upload to Amazon WAM, after the first 100 GB of storage used for your applications.
Q: How many applications can I deliver to each Amazon WorkSpaces user via Amazon WAM?
You can assign up to 50 applications to each WorkSpaces user.
Q: How will I be billed for Amazon WAM?
The Lite plan is available at no cost, and the Standard plan costs $5/user/month for each user enrolled in the WAM Standard plan with one or more applications assigned.
In addition there may be a cost to AWS Marketplace applications that users activate.
Q: Can I have users on both the Lite and the Standard plans?
No. You can subscribe to either the Lite or Standard plan, and all users will be on the same plan.
Q: Can I change my subscription plan during the billing period?
Yes. On the “Subscription plan” page” of the WAM console you can upgrade or downgrade your plan and view the feature details for the two subscription plans. You have the opportunity to view the current usage before confirming the upgrade.
Q: What will happen to my applications if I downgrade from the Standard to the Lite plan?
Users will be moved to the most up to date version of applications from AWS Marketplace for Desktop Apps, and will lose access to any applications that you packaged and uploaded to Amazon WAM.
Q: Is there a limit for storage of my app packages?
Both the Lite and Standard plans include 100GB of storage for the apps, and S3 charges will apply for additional storage.
Q: Can I share an Amazon WAM package with another AWS account?
Yes. Packages created and approved by you within your AWS account can be shared with other AWS accounts in the same region. You can set up package sharing via the Packages tab on the Amazon WAM console by adding package permissions to the AWS account to which you wish to share the package.
Q: Can I set limits on the packages that I share with other AWS accounts?
No. At this time, you cannot place any restrictions on packages that are shared.
Q: How do I use an Amazon WAM package that is shared with me?
You can use an Amazon WAM package shared with you by creating an application and assigning the application to your users.
Q: Can I make any changes to a package that has been shared with my account?
No. A package made available to you by another AWS account cannot be modified.
Q: How do I know if I can trust a package that has been shared with my account?
Always verify that your package is shared from a trusted source. Verify the source by validating the AWS account ID and check if it is an account that you trust.
Q: Can I delete an Amazon WAM package?
Yes. You can delete an Amazon WAM package that belongs to your account within an AWS region by launching Amazon WAM Studio in your packaging instance. Once you delete a package, all versions of the package will be deleted. Also, you can only delete packages that don’t have apps assigned or have not been shared with another AWS account. If you have an application created, you will first need to delete the application before you can delete the package. If you have shared a package with another AWS account, you will first need to remove sharing of the package before deleting the package.
Q: What happens to an Amazon WAM package once it is deleted?
Once an Amazon WAM package is deleted, it will no longer be available from within your account. The package will be fully deleted once any accounts you shared the package with have deleted applications using the package.
Q: What is AWS Marketplace for Desktop Apps?
AWS Marketplace for Desktop Apps is a new category in the AWS Marketplace that can be deployed to Amazon WorkSpaces.
The AWS Marketplace for Desktop Apps includes both applications you can purchase on a monthly basis and free apps. You can find applications from developers such as Microsoft, Corel and Foxit and popular open source titles.
Q: How do I use desktop applications from AWS Marketplace?
You can subscribe to applications from the AWS Marketplace for Desktop Apps via Amazon WorkSpaces console. Start by selecting the Application Catalog in Amazon WorkSpaces console, browse and add applications from the AWS Marketplace to your application catalog. Once the applications are in your catalog you can assign the applications to your WorkSpaces users. The applications can then be accessed by users via the Amazon WorkSpaces Application Manager (Amazon WAM) desktop app.
Q: How will I be charged for applications from the AWS Marketplace for Desktop Apps?
You will be charged the price listed on AWS Marketplace for Desktop Apps for each application on a monthly subscription basis. A subscription is activated and charged the first time a user launches an application and will renew monthly until access to the application is removed for that user. Charges for an application are prorated for the remainder of the first month in which a user launches them. Subsequent months are billed for the entire month. Subscriptions that are removed in the middle of a month will not receive a refund for the remainder of the month.
Q: How do I unsubscribe from an application?
To unsubscribe from an application, simply remove the users and groups assigned to use the application. Once this is completed, the application will immediately not be available to your users and there will be no new charges for the application in the following month.
Q: Can Amazon WorkSpaces end users access the AWS Marketplace for Desktop Apps directly?
No, only the administrator of the WorkSpaces account will see the entire AWS Marketplace in the WorkSpaces console. End users will only see the applications you provisioned for them.
Q: Where can I view charges for my application subscriptions from AWS Marketplace for Desktop Apps?
You can view the charges for application subscriptions from AWS Marketplace for Desktop Apps by signing in to the AWS billing console and viewing the AWS Marketplace section in the estimate bill. You can view the applications subscribed, monthly price, and total charge for each application.
Q: How do I get support for the applications I use from AWS Marketplace for Desktop Apps?
After subscribing to the application on AWS Marketplace for Desktop Apps, you can select the application details to view support information. Expand the support information to view details on how to obtain support.
Q: Can I use any other client (e.g., an RDP client) with Amazon WorkSpaces?
No. The only supported clients for WorkSpaces are the free clients provided by AWS.
Q: Which operating systems are supported by the Amazon WorkSpaces client applications?
Amazon WorkSpaces clients are available for the following operating systems:
- Microsoft Windows 7 and Microsoft Windows 8
- Apple Mac OS X (10.8.1 and above)
- Google Chrome OS (45 and above)
Q: Which tablet devices are supported by the Amazon WorkSpaces client application?
Amazon WorkSpaces clients are available for the following devices:
- Apple iPad 2 (iOS 7.0 and above)
- Apple iPad Retina (iOS 7.0 and above)
- Kindle Fire HDX and Kindle HD 7
- Samsung and Nexus tablets (Android version 4.2 and above).
While we expect other popular Android tablets running Android version 4.2 to work correctly with the Amazon WorkSpaces client, there may be some that are not compatible. If you are interested in support for a particular device, please let us know via the Amazon WorkSpaces forum or by contacting us.
Q: Are zero clients supported by Amazon WorkSpaces?
Yes, Amazon WorkSpaces supports PC-over-IP (PCoIP) zero client devices that have the Teradici Tera2 chipset. For a complete list of zero clients that are compatible with Amazon WorkSpaces please visit the device finder here. (hosted by Teradici)
Q: What is a PCoIP zero client?
A PCoIP zero client is a single-purpose hardware device that can enable access to Amazon WorkSpaces. Zero clients include hardware optimization specifically for the PCoIP protocol, and are designed to require very little administration.
Q: Which peripherals can be used with the Amazon WorkSpaces client applications?
Amazon WorkSpaces clients support:
- Keyboard, mouse, and touch input (touch input is only supported on tablet clients)
- Audio output to client device
- Analog and USB headsets
Q: What kind of headsets can be used for audio conversations?
Most analog and USB headsets will work for audio conversations through WorkSpaces. For USB headsets, you should ensure they show up as a playback device locally on your client computer.
Q: Can I use the built in microphone and speakers for making audio calls?
Yes. For the best experience, we recommend using a headset for audio calls. However, you may experience an echo when using the built in microphone and speakers with certain communication applications.
Q: Does Audio-in work with mobile clients such as Android, iOS, and Chromebooks?
Audio-in is supported on the Windows, OSX and iOS clients.
Q: How do I enable Audio-in for my WorkSpaces?
Audio-in is enabled for all new WorkSpaces launches. For existing WorkSpaces, Audio-in can be enabled with a reboot. Enabling the WorkSpaces Audio-in capability requires local logon access inside your WorkSpace. If you have a Group Policy restricting user local logon in your WorkSpace, we will detect it and not apply the Audio-in update to the WorkSpace. You can remove the Group Policy and the Audio-in capability will be enabled after the next reboot.
Q: Should I update my custom images to take advantage of Audio-in?
Yes. We always recommend you refresh your custom images on a regular basis to take advantage of the latest features. WorkSpaces launching from custom images that have not been recently updated may take longer to be available to users. Once a WorkSpace is updated for Audio-In you can use it to create an updated custom image which will include Audio-in support by default.
Q: Does WorkSpaces support devices with high DPI screens?
Yes. The Amazon WorkSpaces desktop client application will automatically scale the in-session display to match the DPI settings of the local device. If desired, it is possible to override the automatic settings by manually selecting a DPI configuration within Windows in an Amazon WorkSpace.
Q: Are dual monitors supported?
Dual monitors are supported on the Amazon WorkSpaces clients for Windows and Mac.
Q: Will the iPad and Android applications support Keyboard/Mouse input?
The iPad client supports keyboard input, and the Android client supports both keyboard and mouse input. While we expect most popular keyboard and mouse devices to work correctly, there may be devices that may not be compatible. If you are interested in support for a particular device, please let us know via the Amazon WorkSpaces forum or by contacting us.
Q: How do I print from my WorkSpace?
If you have used AD Connector to connect to an existing Active Directory, you can configure one of your existing printers on a user’s WorkSpace, and they can continue to print as normal. Local printing is also supported.
Q. Will Amazon WorkSpaces support additional client devices and virtual desktop operating systems?
We continually review our roadmap to see what features we can add to address our customers' requirements. If there is a client device or virtual desktop operating system that you'd like Amazon WorkSpaces to support, please email us with details of your request.
Q: What is the end user experience when Multi-Factor Authentication (MFA) is enabled?
Users will be prompted for their Active Directory username and password, followed by their OTP. Once a user passes both Active Directory and RADIUS validation, they will be logged in to their Amazon WorkSpace. To learn more, visit our documentation.
Q: How can I determine the best region to run my Amazon WorkSpaces?
Amazon WorkSpaces Health Check Website compares your connection speed to each WorkSpaces region and recommend the fastest one. Please visit health.amazonworkspaces.com
Q: What languages are supported by Amazon WorkSpaces?
Amazon WorkSpaces and WorkSpace clients are currently supported in English (US) and Japanese.
Q: Does the WorkSpaces service have maintenance windows?
Yes. The current maintenance window is a four hour period from 0000 – 0400 (this time window will be based on the time zone of the AWS region where your WorkSpaces are located) each Sunday morning. During this time your WorkSpaces may not be available. The maintenance window is currently not configurable.
Q: Will my Amazon WorkSpaces require software updates?
Your Amazon WorkSpaces provide users with the Windows 7 experience, provided by Windows Server 2008 R2. The underlying OS, and any applications installed in the WorkSpace may need updates.
Q: How do I ensure my WorkSpaces are kept up to date?
For the underlying OS, Windows Update is enabled by default on WorkSpaces, and configured to install updates at 2am each Sunday. If you have chosen a “Plus” bundle that includes Microsoft Office Professional, updates for Office will also be configured to install at 2am each Sunday. You can choose to use an alternative patching approach if you require this or to configure Windows Update to perform updates at a time of your choosing. Other applications that you may install on your WorkSpace should be kept up to date using the ISV’s recommended patching techniques. In addition to OS or application updates, any software updates that are required for normal operation of the WorkSpaces service itself are also delivered automatically to your WorkSpaces. The WorkSpaces service updates will be released and installed automatically during scheduled maintenance windows (except for emergency updates, such as critical security patches, which may be released and installed at other times).
Q: What action is needed to receive updates for the WorkSpaces service?
No action is needed on your part. Updates are delivered automatically to your WorkSpaces during the maintenance window. During the maintenance window, your WorkSpaces may not be available.
Q: Can I turn off the software updates for the WorkSpaces service?
No. The WorkSpaces service requires these updates to be provided to ensure normal operation of your users’ WorkSpaces.
Q: I don’t want to have Windows Update automatically update my WorkSpaces. How can I control updates and ensure they are tested in advance?
You have full control over the Windows Update configuration in your WorkSpaces, and can use Active Directory Group Policy to configure this to meet your exact requirements. If you would like to have advance notice of patches so you can plan appropriately we recommend you refer to Microsoft Security Bulletin Advance Notification for more information.
Q: How are updates for applications installed in my WorkSpaces provided?
For all other applications, updates can be delivered via the automatic update service for each application if one is available. For applications without an automatic update service, you will need to evaluate the software vendor’s recommended updating approach and follow that if necessary.
Q: How can WorkSpaces be managed?
The WorkSpaces Management console lets you provision, reboot, rebuild, and delete WorkSpaces. To manage the underlying OS for the WorkSpaces, you can use standard Microsoft Active Directory tools such as Group Policy to manage the WorkSpaces. In the case when you have integrated WorkSpaces with an existing Active Directory domain, you can manage your WorkSpaces using the same tools and techniques you are using for your existing on-premises desktops. If you have not integrated with an existing Active Directory, you can set up a Directory Administration WorkSpace to perform management tasks. Please see the documentation for more information.
Q: What is the difference between rebooting and rebuilding a WorkSpace?
A reboot is just the same as a regular operating system (OS) reboot. A rebuild will retain the user volume on the WorkSpace (D:) but will return the WorkSpace to its original state (any changes made to the system drive (C:) will not be retained).
Q: How do I remove a WorkSpace I no longer require?
To remove a WorkSpace you no longer require, you can “delete” the Workspace. This will remove the underlying instance supporting the WorkSpace and the WorkSpace will no longer exist. Deleting a WorkSpace will also remove any data stored on the volumes attached to the WorkSpace, so please confirm you have saved any data you must keep prior to deleting a WorkSpace.
Q: Can I provide more than one Workspace per user?
No. You can currently only provide one WorkSpace for each user.
Q: How many WorkSpaces can I launch?
While there is no practical limit to the number of WorkSpaces, we have a default limit of up to 20 WorkSpaces per AWS account per region. New AWS accounts may start with limits that are lower than the limits described here. You can raise this limit by following these instructions to contact AWS.
Q: Is there a minimum number of WorkSpaces/Users I must provision?
No. There is no minimum requirement.
Q: What is the maximum network latency recommended while accessing a Workspace?
While the remoting protocol has a maximum round trip latency recommendation of 250 ms, the best user experience will be achieved at less than 100 ms.
Q: Does WorkSpaces need any Quality of Service configurations to be updated on my network?
If you wish to implement Quality of Service on your network for WorkSpaces traffic, you should prioritize WorkSpaces’ interactive video stream which is comprised of real time traffic on UDP port 4172. If possible, this traffic should be prioritized just after VoIP to provide the best user experience.
Q: Which AWS regions does Amazon WorkSpaces support?
Please refer to the to Regional Products and Services page for details of Amazon WorkSpaces service availability by region.
Q: Is MFA on WorkSpaces available in my region?
Support for MFA is available in all AWS Regions where Amazon WorkSpaces is offered.
Q: What are the prerequisites for setting up a zero client?
The zero clients should be updated to firmware version 4.6.0 (or newer), and you need to run the PCoIP Connection Manager to enable the clients to successfully connect to Amazon WorkSpaces. Please consult the WorkSpaces documentation for a step by step guide on how to properly setup the PCoIP Connection Manager, and for help on how to find and install the necessary firmware required for your zero clients
Q: How do I get support with WorkSpaces?
Q: How do I pay for WorkSpaces?
WorkSpaces are priced on a monthly subscription basis. You pay a monthly fee for each WorkSpace you launch. The monthly fee for WorkSpaces includes use of both the infrastructure (compute, storage, and bandwidth for streaming the desktop experience to the user) and the software applications listed in the bundle. In the first month a WorkSpace is active, the charges for the WorkSpace are prorated to the remainder of the month. For example, if a WorkSpace is started on the 10th of January, you will only be charged for the remaining 21 days in the month (31 – 10 = 21).
Q: How much does a WorkSpace cost?
Please see our pricing page for the latest information.
Q: Does WorkSpaces pricing include bandwidth costs?
The monthly subscription includes the streaming bandwidth between the user’s client and a WorkSpace. Web traffic from the user’s WorkSpaces (accessing public Internet, downloading files etc.) will be charged separately as AWS outbound bandwidth on your bill.
Q: How will I be charged for WorkSpaces that I launch that are based on a custom image?
There is no additional charge for WorkSpaces created from custom images. You will be charged the same as the underlying bundles on which the customized images are based.
Q: Will there be a charge for downloading WorkSpaces client applications?
The WorkSpaces client applications are provided at no additional cost, and you can install the clients on as many devices as you need to.
Q: What does Amazon WorkSpaces Application Manager (Amazon WAM) cost?
Amazon WAM is available as a lite or standard monthly subscription. The lite subscription is available at no charge; the standard subscription is currently available at no charge, but will cost $5/user/month starting July 1, 2015. Learn more about Amazon WAM >>
Q: Do I have to pay to use the Amazon WAM Studio or Amazon WAM Player?
No. There is no additional charge for using the Studio or Player. You will be charged for AWS resources such as the Amazon EC2 instance hours, EBS storage, and bandwidth when using the Studio to package your applications for Amazon WAM.
Q: What will the PCoIP Connection Manager cost?
There is no additional charge for the PCoIP Connection Manager. You only pay for the AWS resources actually used to run the software appliance.
Q: Can I use an HTTPS proxy to connect to my WorkSpaces?
Yes, you can configure a WorkSpaces Client app to use an HTTPS proxy. Please see our documentation for more information.
Q: Can I connect WorkSpaces to my VPC?
Yes. The first time you connect to the WorkSpaces Management Console, you can choose an easy ‘getting started’ link that will create a new VPC and two associated subnets for you as well as an Internet Gateway and a directory to contain your users. If you choose to access the console directly, you can choose which of your VPCs your WorkSpaces will connect to. If you have a VPC with a VPN connection back to your on-premises network, then your WorkSpaces will be able to communicate with your on-premises network (you retain the usual control you have over network access within your VPC using all of the normal configuration options such as security groups, network ACLS, and routing tables).
Q: Can I connect to my existing Active Directory with my WorkSpaces?
Yes. You can use AD Connector to integrate with your existing Active Directory. When you do this, users can use their existing Active Directory credentials to connect to their WorkSpaces, and the WorkSpaces you launch will join your existing Active Directory. This means you can manage them with the same tools you’re used to using for managing other computers in your organization.
Q: Will my WorkSpaces be able to connect to the Internet to browse websites, download applications, etc?
Yes. You have full control over how your WorkSpaces connect to the Internet based on regular VPC configuration. Depending on what your requirements are you can either deploy a NAT instance for Internet access, assign an Elastic IP Address (EIP) to the Elastic Network Interface (ENI) associated with the WorkSpace, or your WorkSpaces can access the Internet by utilizing the connection back to your on-premises network.
Q: Can my WorkSpaces connect to my applications that are running in Amazon EC2 such as a file server?
Yes. Your WorkSpaces can connect to applications such as a fileserver running in Amazon EC2 (both “Classic” and VPC networking environments). All you need to do is ensure appropriate route table entries, security groups and network ACLs are configured so that the WorkSpaces can reach the EC2 resources you would like them to be able to connect to.
Q: What are the pre-requisites for enabling MFA on WorkSpaces?
To enable MFA on WorkSpaces, you will need to configure AD Connector, and have an on-premises RADIUS server(s). Your on-premises network must allow inbound traffic over the default RADIUS server port (1812) from the AD Connector server(s). Additionally, you must ensure that usernames match between Active Directory and your RADIUS server. To learn more, visit our documention.
Q: Do I need to set-up a directory to use the WorkSpaces service?
Each user you provision a WorkSpace for needs to exist in a directory, but you do not have to provision a directory yourself. You can either have the WorkSpaces service create and manage a directory for you and have users in that directory created when you provision a WorkSpace. Alternatively, you can integrate WorkSpaces with an existing, on-premises Active Directory so that users can continue to use their existing credentials meaning that they can get seamless applications to existing applications. When you integrate with an existing Active Directory, this also means that the WorkSpaces join one of your Active Directory domains, so that you can manage them with the same tools you use to manage other computers in your directory.
Q: If I use a directory that the WorkSpaces service creates for me, can I configure or customize it?
Yes. Please see our documentation for more details.
Q: Can I apply Active Directory policies to my WorkSpaces using the directory that the WorkSpaces service creates for me?
Yes. Please see our documentation for more details.
Q: How can I integrate with an existing Active Directory?
You can integrate with an existing Active Directory by using the AD Connector feature. To enable integration you need to ensure that your domain is reachable via an Amazon Virtual Private Cloud VPC (this could mean that Active Directory domain controllers for your domain are running on Amazon EC2 instances, or that they are reachable via a VPN connection and are located in your on-premises network). You provide configuration information to the WorkSpaces service such as DNS server IP addresses, domain names, and an account with sufficient permissions to create computer accounts in your Active Directory domain. Once you’ve configured this integration, when you launch a WorkSpace, you can select which users you would like to provide a WorkSpace to from a list of users in your domain. When the WorkSpaces for these users are launched, the WorkSpaces will join your Active Directory domain, and your users will be able to connect to them using their existing Active Directory credentials. Detailed instructions for using AD Connector are here.
Q: What happens to my Simple AD or AD Connector when I remove all of my WorkSpaces?
You may keep your Simple AD or AD Connector and use it to domain join EC2 instances or provide directory users access to the AWS Management console. You may also delete your Simple AD or AD Connector.
If there are no WorkSpaces being used with your Simple AD or AD Connector for 30 consecutive days, you will be charged for this directory as per the AWS Directory Service pricing terms. If you delete your Simple AD or AD Connector you can always create a new one when you want to start using WorkSpaces again.
Q: What does CloudWatch monitor for Amazon WorkSpaces?
You can use CloudWatch metrics for WorkSpaces to review health and connection metrics for individual WorkSpaces and all WorkSpaces belonging to a directory. You can set up CloudWatch alarms on these metrics to be alerted about changes to WorkSpaces health, or about issues your users may have connecting to their WorkSpaces.
Q: In what regions can you use WorkSpaces with CloudWatch metrics?
WorkSpaces with CloudWatch metrics is supported in all AWS regions in which WorkSpaces is available.
Q: What does it cost?
There is no additional cost for using Basic CloudWatch metrics with WorkSpaces via the CloudWatch console. There may be additional charges for setting up CloudWatch alarms and retrieving CloudWatch metrics via APIs. Please see CloudWatch pricing.
Q: How do I get started?
Basic CloudWatch metrics are enabled by default for all your WorkSpaces. Visit the AWS Management console to review the metrics and set up alarms.
Q: What metrics are supported?
Please see the documentation for a list of supported metrics.
Q: Can I print to a local printer from my WorkSpace?
From your WorkSpace, you can print to a printer that is configured on your Windows or Mac computer, including locally attached or network printers.
Q: How do I print to my local printer?
To print from your WorkSpace to your local printer, select your local printer from the print menu, and select print.
Q: Why can’t I see my local printer from the printing menu?
Most printers are already supported by Amazon WorkSpaces. If your printer is not recognized, you may need to install the appropriate device driver on your WorkSpace.
Q: Can I use my WorkSpace with a cloud printing service?
You can use cloud printing solutions with your WorkSpace including, but not limited to, Cortado ThinPrint,® and Google Cloud Print.
Q: Does the Amazon WorkSpaces Chromebooks client support printing?
The Amazon WorkSpaces Chromebooks client supports cloud printing services including, but not limited to, Cortado ThinPrint® and Google Cloud Print. Local printing devices are not currently supported.
Q: Can I print to a local printer from my tablet?
Printing locally from tablets is not currently supported.