AWS News Blog

Amazon WorkSpaces Update – BYOL, Chromebooks, Encryption

As I have noted in the past, I am a huge fan and devoted user of Amazon WorkSpaces. In fact, every blog post that I have written and illustrated over the last 6 or 7 months has been written on my WorkSpace. The most recent set of AWS podcasts were edited on the same WorkSpace.

Several months ago the hard drive in my laptop crashed and was replaced. In the past, I would have spent several hours installing and customizing my apps and my environment. All of my work in progress is stored in Amazon WorkDocs, so that aspect of the recovery would have been painless. At this point, the only truly personal items on my laptop are the 12-character registration code for my WorkSpace and my hard-won set of stickers. My laptop has become little more than a generic display and I/O device (with some awesome stickers).

I have three pieces of good news for Amazon WorkSpaces users:

  1. You can now bring your Windows 7 Desktop license to Amazon WorkSpaces.
  2. There’s a new Amazon WorkSpaces Client App for Chromebook.
  3. The storage volumes used by WorkSpaces (both root and user) can now be encrypted.

Bring Your Windows 7 Desktop License to Amazon WorkSpaces (BYOL)
You can now bring your existing Windows 7 Desktop license to Amazon WorkSpaces and run the Windows 7 Desktop OS on hardware that is physically dedicated to you. This new option entitles you to a discount of $4.00 per month per WorkSpace (a savings of up to 16%) and also allows you to use the same Windows 7 Desktop golden image on-premises and the AWS cloud. The newly launched images can be activated using new or existing Microsoft activation servers running in your VPC, or that can be reached from your VPC.

To take advantage of this option, at a minimum your organization must have an active Enterprise Agreement (EA) with Microsoft and you must commit to running at least 200 WorkSpaces in a given AWS region each month. To learn more, take a look at the WorkSpaces FAQ.

In order to ensure that you have adequate dedicated capacity allocated to your account and to get started with BYOL, please reach out to your AWS account manager or sales representative or create a Technical Support case with Amazon WorkSpaces.

New Amazon WorkSpaces Client App for Chromebook
Today we are making Amazon WorkSpaces even more flexible and accessible by adding support for the Google Chromebook. These low-cost “thin client” laptops are simple and easy to manage. They run Chrome OS and were designed specifically for internet users. This makes them a great match for Amazon WorkSpaces because you can access your cloud desktops, your productivity apps, and your corporate network from devices that are simple to manage, secure, and available at a low cost.

The newest Amazon WorkSpaces client app runs on Chromebooks (version 45 of Chrome OS and newer) with ARM and Intel chipsets, and supports both touch and non-touch devices.  You can download the WorkSpaces client for Chromebook now and install it on your Chromebook today.

The Amazon WorkSpaces client app is also available for Mac OS X, iPad, Windows, Android Tablet, and Fire Tablet environments.

Encrypted Storage Volumes Using KMS
Amazon WorkSpaces enables you to deliver a high quality desktop experience to your end-users and can also help you to address regulatory requirements or to conform to organizational security policies.

Today we are announcing an additional security option: encryption for WorkSpaces data in motion and at rest (this includes the disk volume and the snapshots associated with it). The WorkSpaces administrator now has the option to encrypt the C: and D: drives as part of the launch and configuration process for each newly created WorkSpace.  This encryption is performed using a customer master key (CMK) stored in AWS Key Management Service (AWS KMS).

Encryption is supported for all types of Amazon WorkSpace bundles including custom bundles created within your organization, but must be set up when the WorkSpace is created (encrypting an existing WorkSpace is not supported). Each customer master key from KMS can be used to encrypt up to 30 WorkSpaces.

Launching a WorkSpace with an encrypted root volume can take additional time. Once launched, you can expect to see a minimal impact on latency or IOPS. Here is how you (or your WorkSpaces administrator) choose the volumes to be encrypted along with the KMS key at launch time:

The encryption status of each WorkSpace is also visible from within the WorkSpaces Console:

There’s no charge for the encryption feature, but you will pay the standard KMS charges for any keys that you create.


PS – Before you ask, I am planning to ditch my laptop in favor of a Chromebook immediately after AWS re:Invent!

Jeff Barr

Jeff Barr

Jeff Barr is Chief Evangelist for AWS. He started this blog in 2004 and has been writing posts just about non-stop ever since.