Desktop and Application Streaming

A modern approach for secure End User access with Amazon WorkSpaces and AWS Verified Access

Amazon WorkSpaces was released in March 2014 and the primary north star of the service has remained a constant; secure, remote access for end users from anywhere on any device. As our customers business needs evolved, new services and features were introduced in the End User Computing family of services. This brought new ways of presenting applications, data and new methods to ensure the right level of access to resources whilst treating the end user and device as untrusted.

This blog explores options to define a common framework, to help customers determine the right pathway as they seek to modernize and optimize their infrastructure.

Looking at traditional approaches for end user access, VPN was commonplace. This brought simple access for endpoints but introduced several problems:

  • Over-privileged access: Once connected, users have broad access to the corporate network, increasing the attack surface.
  • Flat network trust model: VPNs assume users are trusted once “inside,” which is contrary to modern security principles and increase of risk for bad actors.
  • Operational complexity: Managing VPN infrastructure, routing, and capacity at scale adds administrative burden along with added costs for dedicated appliances.

An example architecture diagram showing traditional VPN access from the end user to corporate applications hosted on AWS is below:

Architecture diagram showing end user access to corporate application services hosted on AWS via a traditional VPN solution.

ALT: Architecture diagram showing end user access to corporate application services hosted on AWS via a traditional VPN solution.

As customers evolve and adapt to new ways of working, providing a virtual desktop became a common way to secure end user access. This moves the network perimeter to the internal network and securing the user session via an encrypted pixel stream. This approach improves control by preventing direct access to corporate resources and enforcing policies within a centralized desktop environment which limits and constrains data loss.

An example architecture is provided below:

Architecture diagram showing end user access to corporate application services hosted on AWS via AWS native End User Computing Services, abstracting the data from the physical endpoint device.

ALT: Architecture diagram showing end user access to corporate application services hosted on AWS via AWS native End User Computing Services, abstracting the data from the physical endpoint device.

Today, the landscape is a hybrid world of internal and external hosted applications and data (some of which may be SaaS based). Organizations need a solution that works across both environments to seamlessly deliver applications the users need, while embracing the principles of Zero Trust. With this approach, customers can right size their infrastructure and provide a balance between a full desktop and delivering SaaS applications (either to the virtual desktop or the endpoint device).

An example architecture showing a hybrid solution of internal and external hosted applications found below:

Architecture diagram showing end user access to corporate application services hosted on AWS via a combination of AWS End User Computing Services, or AWS Verified Access for conditional access.

ALT: Architecture diagram showing end user access to corporate application services hosted on AWS via a combination of AWS End User Computing Services, or AWS Verified Access for conditional access.

AWS Solution Components/Overview

Amazon End User Computing Services

AWS offers a range of managed services to deliver secure, scalable, and performant virtual desktops, applications and browser-based access for your workforce.

  • Amazon WorkSpaces
    • Amazon WorkSpaces is a secure, fully managed Desktop-as-a-Service (DaaS) solution that allows you to provision Windows or Linux desktops for users. WorkSpaces enables centralized control over the desktop environment, enforces data residency, and supports compliance by keeping sensitive data off the endpoint. The user interacts with a pixel stream, ensuring no direct access to internal resources.
  • Amazon WorkSpaces Secure Browser
    • WorkSpaces Secure Browser is a managed, isolated browser service that enables users to securely access internal web applications, SaaS platforms, and intranet sites without needing a VPN. Sessions are ephemeral and centrally controlled, and no data is stored on the user’s device. This is ideal for Bring Your Own Device (BYOD) scenarios and short-term contractors or external collaborators.

AWS Verified Access

AWS Verified Access is a secure, identity-aware access control service that enables users to access applications without needing a VPN. Verified Access evaluates user identity and device posture before granting access, applying context-based policy decisions.

Key features include:

  • Zero Trust network assumptions: Each request is evaluated based on user identity, device trustworthiness, and security context.
  • Policy-based access control: Define fine-grained access policies using attributes from identity providers and device posture tools.
  • Support for SaaS applications: AWS Verified Access brokers access to externally hosted (e.g., Salesforce, ServiceNow) applications.
  • No traditional perimeter: Treat all networks—including internal office networks and AWS EUC networks—as untrusted.

Together with End User Computing services, AWS Verified Access enables secure, context-aware access from any device, anywhere—aligning perfectly with Zero Trust principles.

 

Next Steps / Summary

As the modern workforce becomes increasingly distributed, organizations must shift from perimeter-based security models to Zero Trust architectures. AWS provides solutions that are right sized for the outcome customers need, with AWS End User Computing and identity and context-based access controls with AWS Verified Access.

By treating the end user network as untrusted, enforcing fine-grained access controls, and delivering secure workspaces and browsers, organizations reduce risk, improve compliance, and enable productivity from anywhere.

To get started:

  1. Evaluate your current remote access infrastructure and identify VPN reliance.
  2. Consider piloting Amazon WorkSpaces or WorkSpaces Secure Browser for specific user groups.
  3. Integrate AWS Verified Access to enforce context-aware policies and replace legacy VPN access.

For more information, check out:

About the authors:

Phil Persson is a WorldWide Principal Solutions Architect for End User Computing. Phil has been with AWS since December 2012 where he was a founding member of AWS Premium Support in the Sydney Region and then a Technical Account Manager for AWS Enterprise Support.
Matt Domingue is a Senior Solutions Architect for End User Computing, focusing on helping customers design and optimize end-user computing solutions on AWS. Outside of work, Matt enjoys spending time with family, camping and making music.