Q: What is Amazon WorkSpaces Web?
A: Amazon WorkSpaces Web is a low-cost, fully managed WorkSpace built specifically to facilitate secure, web-based workloads. WorkSpaces Web makes it easy for you to safely give your employees access to internal websites and software-as-a-service (SaaS) applications without the administrative burden of appliances or specialized client software. WorkSpaces Web provides simple policy tools tailored for user interactions, and offloads common tasks such as capacity management, scaling, and maintaining an updated and secure browser image.
Q: Why should I use WorkSpaces Web?
A: You can use WorkSpaces Web to secure a browser-based productivity environment, enable safe browsing from high-security networks, or facilitate lightweight bring-your-own-device (BYOD) access for browser-only resources. Many workloads are shifting from a traditional desktop environment to SaaS applications or custom-built internal websites. As a result, the browser has become a critical productivity application. Existing solutions to secure browser traffic can be overly permissive, expensive, complex, or all of these. WorkSpaces Web was purpose-built to address these pain points, and is a simple way to provide access to web content while reducing the risk of data exfiltration or risky connections with remote devices.
Q: How is WorkSpaces Web related to other AWS End User Computing services?
A: WorkSpaces Web is a new capability for the AWS End User Computing category. Each service is designed to provide secure access to a different environment: WorkSpaces for remote Windows and Linux desktops; WorkSpaces Web for low-cost, automatically managed browser-based access; and Amazon AppStream 2.0 for custom, remote applications.
Q: How do I get started with WorkSpaces Web?
A: You can get started with WorkSpaces Web from the AWS Management Console. After signing in, search for Amazon WorkSpaces and select the AWS Region that will serve as your home Region (this is where your WorkSpaces Web portal will be created, your websites rendered, and your user analytics generated). Select WorkSpaces Web from the left-hand menu in the WorkSpaces console. Then federate your existing SAML-based identity provider with WorkSpaces Web. Next, select an Amazon Virtual Private Cloud (VPC), subnets, a security group with connectivity to the internet, and any internal content you would like to connect with WorkSpaces Web. Then apply browser policies and session-level controls to your web portal. Once your WorkSpaces Web portal is created, you can sign in and browse connected websites.
Q: How does WorkSpaces Web communicate with my corporate network?
A: WorkSpaces Web provisions specific Amazon Elastic Compute Cloud (EC2) instances on demand. Create or identify an existing VPC in your account, select subnets for WorkSpaces Web traffic, and give WorkSpaces Web permission to create Cross-Account Elastic Network Interfaces (X-ENIs) that will be linked to hosts allocated to your account. Your VPC must have a stable connection to the content you wish to use with both WorkSpaces Web and services such as Amazon Simple Storage Service (S3), AWS Key Management Service (KMS), and Amazon CloudWatch. You can set the browser policy using Chrome’s 300-plus user and data policies. You can set controls over the users' access to file transfer, clipboard, and local printers. You are responsible for the networking from your Amazon VPC to both the internet and any internal content. Your internal content can exist within that VPC (for example, applications hosted on an Amazon EC2 instance), in another Amazon VPC that is peered with it, on premises, or on the public internet. Resources hosted on premises must be accessible via an IPsec tunnel, AWS Direct Connect, or AWS Transit Gateway.
Q: How do my end users get started with WorkSpaces Web?
A: Once you have completed setup in the AWS Management Console, you can distribute the WorkSpaces Web portal endpoint URL to your users. You can add this URL to your SAML provider's application gateway, email it to users, redirect from a domain you own, or push the URL as a bookmark to a device you manage. Your end users can simply log in with their SAML identity and start accessing websites using their existing browser.
Q: Which devices are supported at launch?
A: Users may connect to WorkSpaces Web from desktop or tablet web browsers.
Q: Which web applications can I use with WorkSpaces Web?
A: WorkSpaces Web pixel streams an up-to-date version of the Chrome browser, so if content works in Chrome, it will work in WorkSpaces Web. Chrome does not have support for sites that require Flash or Java, so by extension WorkSpaces Web would not be compatible with those sites.
Q: Does WorkSpaces Web work with SaaS applications?
A: WorkSpaces Web can connect to internal or public SaaS web applications. WorkSpaces Web can work with any SaaS web application that works in an up-to-date Chrome browser.
Q: Does WorkSpaces Web work with email?
A: WorkSpaces Web supports web interfaces to email. For example, you can allow end users to access email via Outlook Web Access. However, WorkSpaces Web does not support email in native email clients.
Q: How does WorkSpaces Web manage user access and authentication?
A: WorkSpaces Web is designed to work with your existing systems and not add extra layers of user management. WorkSpaces Web supports user authentication and federated sign-in using any SAML 2.0-compliant identity providers, such as AWS IAM Identity Center (successor to AWS SSO), OneLogin, Okta, or Ping Identity.
Q: How is my data protected?
A: During a WorkSpaces Web session, web content is ephemerally streamed from WorkSpaces Web to the user in their local browser. Streaming prevents data from residing on remote devices and provides an effective barrier to attacks packaged in web content. At the end of the session, the instance is wiped, ensuring sensitive corporate data is protected. Throughout this process, data in transit is protected by enterprise-grade encryption. You can choose to create a WorkSpaces Web portal with KMS, which makes it easy to create and manage cryptographic keys and control their use across a range of AWS services.
Q: What are the key security differentiators of WorkSpaces Web?
A: WorkSpaces Web is an AWS service, so your content is always handled in a secure environment consistent with AWS standards. As a user of WorkSpaces Web, a part of the cloud is dedicated to your account and handles only your data. WorkSpaces Web allows you to apply enterprise browser policies and session controls over access to the clipboard, file transfer, and printer.
Q: Does WorkSpaces Web prevent web browsers from caching corporate data?
A: WorkSpaces Web pixel streams web content to the browser, preventing data from residing on the local device or web browser.
Q: What information can I get from WorkSpaces Web monitoring?
A: WorkSpaces Web usage metrics provide the following information:
- SessionAttempt: the number of WorkSpaces Web session attempts.
- SessionSuccess: the number of successful WorkSpaces Web session starts.
- SessionFailure: the number of failed WorkSpaces Web session starts.
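One way to turn these three counters into a detection signal, as an added example that is not AWS code: it flags intervals whose failed-start share is high and raises an alert only when that persists. The thresholds, the five-minute interval, and the sample datapoints are constructed assumptions; retrieving the metrics from CloudWatch is left out.

```python
from dataclasses import dataclass

# Constructed sample: per-interval sums of the metrics named above, as
# (timestamp, SessionAttempt, SessionSuccess, SessionFailure).
SAMPLE_DATAPOINTS = [
    ("2024-01-01T09:00Z", 40, 39, 1),
    ("2024-01-01T09:05Z", 42, 40, 2),
    ("2024-01-01T09:10Z", 3, 1, 2),     # high ratio, but too few attempts to judge
    ("2024-01-01T09:15Z", 55, 30, 25),  # failure spike
    ("2024-01-01T09:20Z", 0, 0, 0),     # idle interval
    ("2024-01-01T09:25Z", 48, 20, 28),  # failure spike
]

@dataclass
class Finding:
    timestamp: str
    attempts: int
    failures: int
    failure_rate: float

def failure_spikes(datapoints, max_rate=0.25, min_attempts=10):
    """Return intervals where SessionFailure / SessionAttempt exceeds max_rate.

    Intervals with fewer than min_attempts attempts are skipped: a ratio over
    a handful of sessions is noise, and an idle interval would divide by zero.
    """
    findings = []
    for ts, attempts, _success, failures in datapoints:
        if attempts < min_attempts:
            continue
        rate = failures / attempts
        if rate > max_rate:
            findings.append(Finding(ts, attempts, failures, round(rate, 3)))
    return findings

def sustained_alerts(datapoints, max_rate=0.25, min_attempts=10, consecutive=2):
    """Return (start, end) pairs where `consecutive` judged intervals in a row breach."""
    breached = {f.timestamp for f in failure_spikes(datapoints, max_rate, min_attempts)}
    alerts, streak = [], []
    for ts, attempts, _success, _failures in datapoints:
        if attempts < min_attempts:
            continue  # low volume is no evidence either way; keep the streak
        streak = streak + [ts] if ts in breached else []
        if len(streak) == consecutive:
            alerts.append((streak[0], ts))
    return alerts

if __name__ == "__main__":
    for finding in failure_spikes(SAMPLE_DATAPOINTS):
        print(finding)
    print(sustained_alerts(SAMPLE_DATAPOINTS))
```

A sustained rise in failed session starts is worth correlating with identity provider changes and with the CloudTrail history of WorkSpaces Web API calls.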
Q: Do the WorkSpaces Web APIs log actions in AWS CloudTrail?
A: Yes. To receive a history of WorkSpaces Web API calls made to your account, you can turn on CloudTrail in the AWS Management Console.
Pricing and availability
Q: How much does WorkSpaces Web cost?
A: WorkSpaces Web is a pay-as-you-go service with no minimum fees, upfront commitments, or long-term contracts. With WorkSpaces Web, users have up to 200 streaming hours of access to the content you connect to, and you are charged monthly based on the number of users that connect to the service. Please see our pricing page for the latest information.
Q: What Regions is WorkSpaces Web available in?
A: WorkSpaces Web is available in the following Regions: US East (Northern Virginia), US West (Oregon), Europe (Ireland), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Mumbai), and Asia Pacific (Tokyo).