Anomaly Detection in Amazon WorkSpaces

Amazon WorkSpaces is a fully managed, secure Desktop-as-a-Service (DaaS) solution that runs on AWS. Our customers have been deploying WorkSpaces to provide scalable end user computing to their users regardless of work location. Since the launch of WSP, additional capabilities such as USB and smart card support have enabled additional workloads to benefit from moving to WorkSpaces.

With users able to work from anywhere, customers face new challenges in ensuring that users can access their resources through WorkSpaces. Supporting teams have to act quickly and effectively should users have problems. External factors, such as service provider, physical location, and end user equipment, have to be considered to enable a user to connect. In addition to software and configuration changes to client hardware, network outages at the regional, city, street, or internal network level are possible. With a remote workforce, user feedback can be delayed, losing valuable time that could be spent identifying the root cause of a possible issue.

In this blog post, I will show you how to configure notifications to alert you of abnormalities in user connectivity. This provides awareness of a potential problem as well as the scale of your user base affected by the identified problem.

Overview of solution:

You can use Amazon CloudWatch metrics that are already emitted for all of your WorkSpaces to notify you that your users are unable to connect.

This post walks you through the following steps:

  • Verify the AWS Directory Service directories currently associated with WorkSpaces.
  • Create a CloudWatch Alarm for the UserConnected metric of your WorkSpaces Directory.
  • Send a notification when a metric falls below the anomaly level.



First, identify the WorkSpaces that you want to monitor and the corresponding directories for your launched WorkSpaces.

Verify the directory used by your WorkSpaces:

  1. Log in to the Amazon WorkSpaces console.
  2. Click on Directories in the navigation pane.
  3. Verify the number of directories that you have registered with WorkSpaces. If you have more than one directory, check which directories are registered for use with WorkSpaces. If you have only one registered directory, proceed to Identify the CloudWatch Metric for your anomaly alarm.
    1. If you have more than one directory registered with WorkSpaces, you can verify which directory a WorkSpace is launched in by clicking on WorkSpaces in the navigation pane.
    2. Next, click the gear icon in the top-right corner of the page for the Show/Hide Columns menu, and then click the check box next to Organization Name. With this option selected, the directory of each WorkSpace is listed. This also allows you to verify the user names of WorkSpaces associated with each directory.

Identify the CloudWatch Metric for your anomaly alarm:

  1. Log in to the Amazon CloudWatch console.
  2. Click on Metrics in the navigation pane.
  3. Select WorkSpaces from the list, followed by By Organization Name.
  4. The DirectoryId of each of your directories is listed with a UserConnected metric. Select this metric for each directory that contains WorkSpaces you would like monitored.
  5. Select the Graphed metrics tab and change the Statistic to Sum (if not already selected).
  6. Change the timeframe of the graphed data (a week or longer is recommended). Observe and take note of the maximum number of WorkSpaces with users connected at a single time.
    Here we can see the CloudWatch alarm graph. Seven WorkSpaces users are connected as they normally are, within the anomaly detection band, until all users are disconnected, which causes the metric to fall beneath the threshold and the alarm to go off.

Create the CloudWatch Anomaly Alarm for each WorkSpaces enabled directory:

  1. In the Amazon CloudWatch console, click on Alarms, then click Create alarm.
  2. In Step 1 of the wizard, click Select metric.
  3. Find the metrics you identified in the previous steps located in WorkSpaces > By Organization Name.
  4. Select one of your directories (only one metric can be chosen per alarm) and choose Select metric.
  5. Change the Statistic of the selected metric to Sum.
  6. Under Conditions, change the threshold type to Anomaly detection and set the option Whenever UserConnected is to Lower than the band.
  7. For the Anomaly detection threshold, we recommend setting the value using the graph at the top of the page as a guide to the normal amount of fluctuation in user connectivity. We recommend constraining this threshold to the lowest number that would not cause an alarm under normal conditions; the value can be adjusted at any time should your alarm produce false positives. Click Next.
    Example of the correct selections for the above 7 steps.
  8. In Step 2, choose an Alarm state trigger of In alarm and choose an existing or create a new SNS topic to provide the notification when an anomaly occurs. Click Next.
  9. In Step 3, provide a name for your alarm. We recommend including the Directory ID that is monitored by the alarm.
  10. In Step 4, confirm the settings that you have selected and choose Create alarm to confirm.
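The console steps above can also be expressed as CloudWatch `put_metric_alarm` parameters, which helps when many directories need the same alarm. The following is an added example, not part of the original post; the alarm name pattern, the metric IDs `connected` and `band`, the five-minute period and the single evaluation period are assumptions to adjust for your environment.

```python
import re

DIRECTORY_ID = re.compile(r"^d-[0-9a-f]{10}$")  # AWS Directory Service ID format


def build_anomaly_alarm(directory_id, sns_topic_arn, band_width=2.0,
                        period=300, evaluation_periods=1):
    """Return put_metric_alarm kwargs for one WorkSpaces directory."""
    if not DIRECTORY_ID.match(directory_id):
        raise ValueError(f"not a directory ID: {directory_id!r}")
    if band_width <= 0:
        raise ValueError("anomaly detection threshold must be positive")
    return {
        # Assumed naming scheme; the post recommends including the Directory ID.
        "AlarmName": f"workspaces-userconnected-anomaly-{directory_id}",
        # "Lower than the band" in the console wizard.
        "ComparisonOperator": "LessThanLowerThreshold",
        "EvaluationPeriods": evaluation_periods,
        "ThresholdMetricId": "band",
        "AlarmActions": [sns_topic_arn],  # notify when the alarm is In alarm
        "Metrics": [
            {"Id": "connected", "ReturnData": True,
             "MetricStat": {
                 "Metric": {"Namespace": "AWS/WorkSpaces",
                            "MetricName": "UserConnected",
                            "Dimensions": [{"Name": "DirectoryId",
                                            "Value": directory_id}]},
                 "Period": period, "Stat": "Sum"}},
            # band_width is the "Anomaly detection threshold" from the wizard.
            {"Id": "band", "ReturnData": True,
             "Expression": f"ANOMALY_DETECTION_BAND(connected, {band_width:g})"},
        ],
    }


def create_alarms(directory_ids, sns_topic_arn, client=None, **options):
    """Create one alarm per directory; returns the alarm names created."""
    if client is None:
        import boto3  # imported lazily so the builder works without AWS access
        client = boto3.client("cloudwatch")
    names = []
    for directory_id in directory_ids:
        alarm = build_anomaly_alarm(directory_id, sns_topic_arn, **options)
        client.put_metric_alarm(**alarm)
        names.append(alarm["AlarmName"])
    return names
```

Call `create_alarms` with the directory IDs you verified in the WorkSpaces console and the ARN of your SNS topic; pass `band_width` to match the threshold you chose from the graph.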


That’s all there is to it! All WorkSpaces in each directory that you have created an alarm for will be monitored. When the user connection count falls below the average plus the threshold for a given time, the notification type you chose will notify you of the problem and the degree to which it impacts your users.