Desktop and Application Streaming

How SoFi manages Amazon WorkSpaces at scale using AWS Systems Manager

This blog post walks through how SoFi, a financial technology company that provides a range of financial products and services, scale their growing business needs with AWS services. SoFi uses Amazon WorkSpaces to scale out their Desktop as a Service solution, and improve visibility and control of their environment with AWS Systems Manager. The SoFi team built on automating AWS Systems Manager activation for Amazon WorkSpaces to meet their business requirements.

About SoFI

SoFi (short for Social Finance) is a financial technology company that offers a variety of financial products and services, including student loan refinancing, personal loans, home loans, investing and banking. The company was founded in 2011 and is headquartered in San Francisco, California. SoFi’s mission is to help its members achieve financial independence by providing them with innovative financial solutions, competitive rates, and a user-friendly digital platform. SoFi’s unique approach to lending involves considering factors such as education, employment history, and earning potential in addition to credit scores. This approach has helped SoFi become a popular choice for borrowers, particularly those with high levels of student debt. In addition to its lending services, SoFi also provides resources and tools to help its members improve their financial literacy and achieve their long-term financial goals.

Customer Challenge

As SoFi’s business environment grew rapidly, we needed a scalable and secure solution for our remote workforce. With Amazon WorkSpaces, we had provisioned 350 WorkSpaces in a single AWS Region, using Server 2019 with Windows 10 experience. We customized our WorkSpaces with different applications and configurations, which are unique depending on the line of business. This meant that we had to maintain custom images, install updates, and migrate existing WorkSpaces to the latest custom image. This was a time-consuming, error-prone process that increased our workload and slowed our adoption.

While evaluating potential management solutions, AWS referred us automating AWS Systems Manager activation for Amazon WorkSpaces. Following this guide, we were able to onboard our WorkSpaces using the hybrid-activation feature of Systems Manager. As we tested Systems Manager, we recognized the ability to patch, monitor, and evaluate our environment. However,we struggled to solve our application deployment challenges. The SoFi team dove deeper into the capabilities of Systems Manager. We discovered how to build custom application deployments using AWS Systems Manager Distributer. This allowed us to deploy our application based on tags from Systems Manager.

During the project, we encountered our first roadblock when we realized that Amazon WorkSpaces and AWS Systems Manager managed instances with hybrid-activation using different tagging data types. As a result, when an Amazon WorkSpace registers with Systems Manager, the tags do not follow the object, as they would with customer managed EC2 instances. This created a challenge for SoFi, as our tagging strategy did not allow us to use the full capability of Systems Manager. We overcame this by using an API call to copy the tags over to Systems Manager during activation, giving us the ability to target application installs to specific WorkSpace tags.

AWS State Manager is the next piece of this solution. This service allows AWS Systems Manager Distributor packages to be scheduled using associations. Using scheduled AWS State Manager associations ensured that managed instances meet the requirements (for example applications, and configurations) for the WorkSpace type. This introduced the next obstacle to our implementation. The default association type ensures that the packages are downloaded, and the installer attempts to run them. This process does not offer a detection method or validation step. If an unknown error occurs during the package install, the AWS State Manager shows the application as installed. We added logic to a customized AWS-ConfigureAWSPackage document that gave us the ability to check for an application being installed.

We can query file paths, registry keys, or Windows service state to verify that installation was successful. If you are familiar with Microsoft SCCM or InTune, we built a detection method into the process. When our custom AWS-ConfigureAWSPackage document runs on managed instances, it completes the download of the installer files. It unzips and runs the installer files based on the commands in the install.ps1, then checks to verify the file path or registry entry.

The custom code runs during the scheduled installation of specific applications. The installations are scheduled to run daily at intervals of five minutes to prevent multiple installations from running at the same time. For example, Application “A” installs at 8:00 AM, while Application “B” installs at 8:05 AM, and Application “C” installs at 8:10 AM. We moved on from managing custom images and began rolling out new WorkSpaces with the latest public image provided by AWS. Now we deploy applications, configurations, or any task that could be scripted to our Amazon WorkSpaces. This solution allowed us to control how applications are evaluated as successfully installed, and using the same concept we can look for a specific service, registry key, or executable file for other logging or analysis.


AWS Systems Manager State Manager allows SoFi to use public Amazon WorkSpaces images, reducing the need to maintain a large catalog of constantly evolving images. Using AWS Systems Manager State Manager, SoFi can target applications and configurations, and even patch applications, in a scalable, controlled manner. This solution uses tools and services provided by the AWS Free Tier; managing operating systems and endpoints with this level of control via AWS Free Tier allows for significant cost-savings versus traditional SCCM or Ansible solutions. Note: AWS Systems Manager has a managed instance limit of 1000 per AWS Region, per account when using AWS Free Tier.

Matt Strachan is an Automation Engineer at SoFi. He specializes in building solutions to streamline Information Technology processes. He can be found enjoying the outdoors or touring with his band in his free time.
Sam Goad is a Sr Solutions Architect at AWS. At AWS he works with Healthcare customers to adopt cloud services. In his free time Sam can be found playing golf or enjoying water sports.