Posted On: Aug 16, 2021
Starting today, you can use Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards to authenticate users into Amazon WorkSpaces through your self-managed Active Directory (AD) and AWS Directory Service AD Connector in US East (Northern Virginia), US West (Oregon), Europe (Ireland), Asia Pacific (Tokyo), and Asia Pacific (Sydney) Regions. Additionally, you can now use the AWS Management Console to configure smart card authentication with AWS Directory Service. Previously, smart card authentication with AD Connector for Amazon WorkSpaces was only supported in the AWS GovCloud (US-West) Region and could only be configured through the AWS Directory Service API or CLI.
When enabled, users select their smart card at the WorkSpaces login screen and enter a PIN to authenticate, instead of using a username and password. From there, the Windows or Linux virtual desktop uses the smart card to authenticate with Active Directory from the native desktop operating system. Smart card support is available on WorkSpaces when using the WorkSpaces Streaming Protocol (WSP). With AWS Directory Service and Amazon WorkSpaces with WSP, users can use smart cards to authenticate into a WorkSpaces instance (pre-session authentication) or to protected applications from within a WorkSpaces instance (in-session authentication).
To get started, visit "Enable mTLS authentication in AD Connector for use with smart cards" in the AWS Directory Service Administration Guide. To learn about smart card support in Amazon WorkSpaces, visit "Use Smart Cards for Authentication" in the Amazon WorkSpaces Administration Guide.