Q: What is Amazon WorkSpaces Secure Browser?

Amazon WorkSpaces Secure Browser is a fully managed, cloud-native, hosted browser service used to securely access private websites and software-as-a-service (SaaS) web applications, interact with online resources, and anonymously browse the internet. WorkSpaces Secure Browser works with  the user's existing web browsers, without burdening IT with managing appliances, infrastructure, specialized client software, or virtual private network (VPN) connections. Web content is streamed to the user's web browser, while the actual browser and web content is isolated in AWS. By using the same underlying technologies that power AWS End User Computing services like Amazon WorkSpaces and Amazon AppStream2.0, WorkSpaces Secure Browser can be more cost effective than traditional virtual desktops, and reduce complexity compared to providing company-owned devices with management software.

Q: Why should I use WorkSpaces Secure Browser?

WorkSpaces Secure Browser is a cloud-native solution that provides secure access to company data over the web, while reducing risk of data exfiltration or risky connections with remote devices. Many workloads are shifting from a traditional desktop environment to SaaS applications or custom-built internal websites. As a result, the browser has become a critical productivity application for many users. Alternative solutions to secure browser traffic can be overly permissive, expensive, complex, or restrict which devices users may use to access company data.

Q: How is WorkSpaces Secure Browser related to the Amazon WorkSpaces Family services?

WorkSpaces Secure Browser is part of the WorkSpaces Family, which provides fully managed, secure, reliable virtual desktop solutions for every workload. Amazon WorkSpaces offers traditional, fully persistent Windows or Linux virtual desktops fully managed by AWS. WorkSpaces Secure Browser provides a secure hosted browser used to access to internal websites and SasS apps at a lower cost than a virtual desktop. These services can be accessed on a variety of devices, managed or unmanaged, including Amazon WorkSpaces Thin Client.

Getting started

Q: How do I get started with WorkSpaces Secure Browser?

Search for the WorkSpaces Secure Browser service from the AWS Management Console and create a web portal in your desired region. First, choose “Create Web Portal” and select an Amazon Virtual Private Cloud (VPC), subnets, and a security group in your account. These resources connect your portal with any private or internet-based resources users will access through the service. Next, create the portal settings by choosing the instance type, setting browser policy (e.g., URL Filtering, default home page, etc.), and user settings (e.g., access to clipboard, file transfer, etc.). These settings will be enforced during your user's session. Last, you can federate your existing SAML 2.0 identity provider (IdP) (e.g., Okta, Ping, AWS IAM Identity Center) with your portal for user authentication and single sign on. Once your WorkSpaces Secure Browser portal is created, users can sign in and browse.

Q: How does WorkSpaces Secure Browser communicate with my corporate network?

WorkSpaces Secure Browser provisions specific Amazon Elastic Compute Cloud (EC2) instances on demand. You simply create or identify an existing VPC in your account, select subnets for WorkSpaces Secure Browser traffic, and give WorkSpaces Secure Browser permission to create Cross-Account Elastic Network Interfaces (X-ENIs) that will be linked to hosts allocated to your account. Your VPC must have a stable connection to the content you want users to access using the service. You can set and enforce browser policy using Google Chrome’s 300-plus user and data policies, and set controls over users' access to file transfer, clipboard, and local printers. You are responsible for the networking from your Amazon VPC to both the internet and any internal content. Your internal content can exist within that VPC (for example, applications hosted on an Amazon EC2 instance), in another Amazon VPC that is peered with it, on premises, or on the public internet. Resources hosted on premises must be accessible (e.g., via an IPsec tunnel, AWS Direct Connect, AWS Transit Gateway, etc.).

Q: How do my end users get started with WorkSpaces Secure Browser?

Once you have created a portal, share the portal URL with your users. Common distribution methods include creating an identity-provider-initiated authentication flow by adding your portal to your SAML provider’s application gateway, emailing the URL directly to users for a service provider initiated authentication experience, re-directing to the portal URL from a domain you already own, or by force installing the URL as a bookmark or link on a device or application you manage. You can also use WorkSpaces Secure Browser with the WorkSpaces Thin Client. Once users have the URL, they can sign in with their SAML identity and start accessing websites from their device’s web browser.


Q: Which devices can I use with WorkSpaces Secure Browser?

Users can connect to WorkSpaces Secure Browser from desktop, laptop, or thin client computers, including the Amazon WorkSpaces Thin Client. WorkSpaces Secure Browser is accessed via a web client is supported by common web browsers, such as Chrome and Firefox, and by major desktop operating systems, such as Windows, macOS, and Linux.

Q: Which web applications can I use with WorkSpaces Secure Browser?

WorkSpaces Secure Browser pixel streams an up-to-date version of the Google Chrome browser, so if website content displays in Google Chrome, it will display in WorkSpaces Secure Browser. Google Chrome does not have support for sites that require Flash or Java, so by extension WorkSpaces Secure Browser would not be compatible with those sites.

Q: Which web applications can I use with WorkSpaces Secure Browser?

WorkSpaces Secure Browser can connect to internal or public SaaS web applications. WorkSpaces Secure Browser can work with any SaaS web application that works in an up-to-date Google Chrome browser.

Q: Does WorkSpaces Secure Browser work with SaaS applications?

WorkSpaces Secure Browser can connect to internal or public SaaS web applications. WorkSpaces Secure Browser can work with any SaaS web application that works in an up-to-date Google Chrome browser.

Q: Does WorkSpaces Secure Browser work with email?

WorkSpaces Secure Browser supports web interfaces for email. For example, you can allow end users to access email via Microsoft Outlook Web Access. However, WorkSpaces Secure Browser does not support email in native email clients.

Q: Does WorkSpaces Secure Browser support web-based collaboration and meeting tools?

Yes. Customers have the option to optimize their instance type, which can be particularly helpful with highly interactive websites. By default, all portals are on Regular instances, which is optimized for browsing static websites (e.g., wikis, directories, CRM tools, web based email), but administrators can select Large instances to enable more memory intensive workloads, and XL instances for highly interactive websites like online meeting tools which stream two way audio and video.

Q: Does WorkSpaces Secure Browser support microphones and web cams?

Yes. Users can connect a mic or camera input to the remote Chrome browser during a session.


Q: How does WorkSpaces Secure Browser protect my data?

During a WorkSpaces Secure Browser session, web content is ephemerally streamed from WorkSpaces Secure Browser to the user in their local browser. Streaming prevents data from residing on remote devices and provides an effective barrier to attacks packaged in web content. At the end of the session, the instance is wiped, helping to protect sensitive corporate data. Throughout this process, data in transit is protected by enterprise-grade encryption. You can choose to create a WorkSpaces Secure Browser portal with AWS KMS, which makes it straightforward to create and manage cryptographic keys and control their use across a range of AWS services.

Q: What are the main security differentiators of WorkSpaces Secure Browser?

WorkSpaces Secure Browser is an AWS service, so your content is handled in a secure environment consistent with AWS standards. As a user of WorkSpaces Secure Browser, a part of the cloud is dedicated to your account and handles only your data. WorkSpaces Secure Browser allows you to apply enterprise browser policies and session controls over access to the clipboard, file transfer, and printer.

Q: Does WorkSpaces Secure Browser prevent web browsers from caching corporate data?

WorkSpaces Secure Browser pixel streams web content to the browser, preventing data from residing on the local device or in the web browser.

Q: Can I restrict which devices can access WorkSpaces Secure Browser?

By default, WorkSpaces Secure Browser allows users to access their portal from anywhere, but you can use IP access controls to filter which IP addresses may connect. When associated with your web portal, IP access settings will detect the user IP before authentication to determine whether they are eligible to connect. Once connected, WorkSpaces Secure Browser continuously monitors a user's IP address to ensure they remain connected from a trusted network. If a user's IP changes, WorkSpaces Secure Browser will detect and terminate the session.

Q: Can I control which websites users can access during a session?

You can use URL filtering to control which URLs users can access. You can use the console to create allow and deny lists of URLs as a portal setting, or by uploading a browser policy JSON file with URL filtering included. You may also control outbound communication from a portal to the internet by connecting your VPC to a web proxy. You can set proxy settings using Chrome’s policies built into the web browser by setting up an HTTP outbound proxy. For example, if you use a web proxy as the gateway to the internet, you can implement preventive security controls, such as domain allow-listing and content filtering.

Q: Does WorkSpaces Secure Browser support YubiKey?

There are two ways you can use YubiKey with WorkSpaces Secure Browser. You can use YubiKey for user access and authentication at the start of the session with your IdP. You can also use YubiKey with OTP during the session. Support for U2F is coming soon.

User access, authentication, SSO

Q: How does WorkSpaces Secure Browser manage user access and authentication?

WorkSpaces Secure Browser is designed to work with your existing systems and not add extra layers of user management. User authentication and federated sign-in uses your existing SAML 2.0-compliant identity provider (e.g., AWS IAM Identity Center, Okta, or Ping Identity, etc.). Portals can support service provider initiated or identity provider initiated authentication flows.

Q: Does WorkSpaces Secure Browser support single sign on?

You can support single sign on for websites that use the same SAML provider you have configured for your web portal (e.g., if you use Okta to authenticate to the portal and to your login-protected web domains). Simply enable the WorkSpaces Secure Browser extension for single sign on in your web portal and have your end users install the local extension (available on either the Chrome or Firefox browsers). Then, when your end users authenticate to their WorkSpaces Secure browser, the service will seamlessly pass the IdP sign-in cookie to the protected domain, preempting an additional sign-in.


Q: What service monitoring information is available?

You can monitor Amazon WorkSpaces Secure Browser using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. These statistics are kept for 15 months, so that you can access historical information and gain a better perspective on how your web application or service is performing. You can also enable user access logging for session data and URL records via kinesis data streams.

Q: Do the WorkSpaces Secure Browser APIs log actions in AWS CloudTrail?

Yes. To receive a history of WorkSpaces Secure Browser API calls made to your account, you can turn on CloudTrail in the AWS Management Console.

Pricing and availability

Q: How much does WorkSpaces Secure Browser cost?

WorkSpaces Secure Browser is a pay-as-you-go service with no minimum fees, upfront commitments, or long-term contracts. Each user has up to 200 streaming hours of access per month, and you are charged monthly based on the number of users that connect to the service. The cost for each user depends on the instance type and region you select for your web portal. Please see our pricing page for the latest information.

Q: What AWS Regions is WorkSpaces Secure Browser available in?

WorkSpaces Secure Browser is available in the following regions: US East (Northern Virginia), US West (Oregon), Canada (Central), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Ireland), Europe (London), and Europe (Frankfurt).

Learn more about Amazon WorkSpaces Secure Browser pricing

Visit the pricing page