AWS Public Sector Blog

Amazon WorkSpaces supports CAC/PIV smartcard authentication

The US federal government, including Department of Defense (DoD) and civilian agencies, often requires users to securely authenticate their identity and establish access controls to government networks, desktops, and other online resources using a Common Access Card (CAC)/Personal Identity Verification (PIV) card. With a recent feature release, Amazon Web Services (AWS) customers can now use CAC/PIV cards when using Amazon WorkSpaces to access government systems. Amazon WorkSpaces is a desktop-as-a-service solution that helps users access all of their desktop applications from anywhere. This feature supports pre-session and in-session authentication:

  • During pre-session authentication, when initiating Amazon WorkSpaces, the user will be prompted to insert their CAC/PIV card and enter the associated personal identification number (PIN) to log into the session. In pre-session authentication, the user does not need to enter their Active Directory credentials.
  • During in-session authentication, when an existing Amazon WorkSpaces user logs into a protected website or accesses a CAC/PIV-protected resource, the user will only have to insert their CAC/PIV card and enter the associated PIN to be logged into the website or similarly protected resource.

In both scenarios, CAC/PIV increases the security of Amazon WorkSpaces by requiring a user to have a smartcard and know a PIN.

CAC/PIV authentication enables users to securely log into Amazon WorkSpaces in remote or in-office scenarios. CAC/PIV pre-session support works for users logging into Amazon WorkSpaces from a Windows client.

Amazon WorkSpaces CAC/PIV pre-session support is available in the AWS GovCloud (US-West) Region, and in-session support is available in both AWS GovCloud (US) Regions and standard AWS Regions. Amazon WorkSpaces is accredited for FedRAMP High in AWS GovCloud (US) Regions and FedRAMP Moderate in AWS US East/West Regions.

CAC/PIV support requires that Amazon WorkSpaces are configured to use the Amazon WorkSpaces Streaming Protocol (WSP). CAC/PIV support also requires the Windows WorkSpaces Client 3.1.1 or higher.

Get started with Amazon WorkSpaces Streaming Protocol or contact us to discuss your specific needs.