General

Q: What is Amazon WorkSpaces Web?

Amazon WorkSpaces Web is a fully managed, cloud-native, hosted browser service used to securely access private websites and software-as-a-service (SaaS) web applications, interact with online resources, and anonymously browse the internet. WorkSpaces Web works with the user's existing web browsers, without burdening IT with managing appliances, infrastructure, specialized client software, or virtual private network (VPN) connections. Web content is streamed to the user's web browser, while the actual browser and web content are isolated in AWS. By using the same underlying technologies that power AWS End User Computing services like Amazon WorkSpaces and Amazon AppStream 2.0, WorkSpaces Web can be more cost effective than traditional virtual desktops, and reduce complexity compared to providing company-owned devices with management software.

Q: Why should I use WorkSpaces Web?

WorkSpaces Web is a cloud-native solution that provides secure access to company data over the web, while reducing risk of data exfiltration or risky connections with remote devices. Many workloads are shifting from a traditional desktop environment to SaaS applications or custom-built internal websites. As a result, the browser has become a critical productivity application for many users. Alternative solutions to secure browser traffic can be overly permissive, expensive, complex, or restrict which devices users may use to access company data.

Q: How is WorkSpaces Web related to the Amazon WorkSpaces Family services?

WorkSpaces Web is part of the WorkSpaces Family, which provides fully managed, secure, reliable virtual desktop solutions for every workload. Amazon WorkSpaces offers traditional, fully persistent Windows or Linux virtual desktops fully managed by AWS. WorkSpaces Web provides a secure hosted browser used to access internal websites and SaaS apps at a lower cost than a virtual desktop. These services can be accessed on a variety of devices, managed or unmanaged, including Amazon WorkSpaces Thin Client.

Getting started

Q: How do I get started with WorkSpaces Web?

Search for the WorkSpaces Web service from the AWS Management Console and create a web portal in your desired region. First, choose “Create Web Portal” and select an Amazon Virtual Private Cloud (VPC), subnets, and a security group in your account. These resources connect your portal with any private or internet-based resources users will access through the service. Next, create the portal settings by choosing the instance type, setting browser policy (e.g., URL Filtering, default home page, etc.), and user settings (e.g., access to clipboard, file transfer, etc.). These settings will be enforced during your user's session. Last, you can federate your existing SAML 2.0 identity provider (IdP) (e.g., Okta, Ping, AWS IAM Identity Center) with your portal for user authentication and single sign on. Once your WorkSpaces Web portal is created, users can sign in and browse.

Q: How does WorkSpaces Web communicate with my corporate network?

WorkSpaces Web provisions specific Amazon Elastic Compute Cloud (EC2) instances on demand. You simply create or identify an existing VPC in your account, select subnets for WorkSpaces Web traffic, and give WorkSpaces Web permission to create Cross-Account Elastic Network Interfaces (X-ENIs) that will be linked to hosts allocated to your account. Your VPC must have a stable connection to the content you want users to access using the service. You can set and enforce browser policy using Google Chrome’s 300-plus user and data policies, and set controls over users' access to file transfer, clipboard, and local printers. You are responsible for the networking from your Amazon VPC to both the internet and any internal content. Your internal content can exist within that VPC (for example, applications hosted on an Amazon EC2 instance), in another Amazon VPC that is peered with it, on premises, or on the public internet. Resources hosted on premises must be accessible (e.g., via an IPsec tunnel, AWS Direct Connect, AWS Transit Gateway, etc.).

Q: How do my end users get started with WorkSpaces Web?

Once you have created a portal, share the portal URL with your users. Common distribution methods include creating an identity-provider-initiated authentication flow by adding your portal to your SAML provider’s application gateway, emailing the URL directly to users for a service provider initiated authentication experience, re-directing to the portal URL from a domain you already own, or by force installing the URL as a bookmark or link on a device or application you manage. You can also use WorkSpaces Web with the WorkSpaces Thin Client. Once users have the URL, they can sign in with their SAML identity and start accessing websites from their device’s web browser.

Compatibility

Q: Which devices can I use with WorkSpaces Web?

Users can connect to WorkSpaces Web from desktop, laptop, or thin client computers, including the Amazon WorkSpaces Thin Client. WorkSpaces Web is accessed via a web client that is supported by common web browsers, such as Chrome and Firefox, and by major desktop operating systems, such as Windows, macOS, and Linux.

Q: Which web applications can I use with WorkSpaces Web?

WorkSpaces Web pixel streams an up-to-date version of the Google Chrome browser, so if website content displays in Google Chrome, it will display in WorkSpaces Web. Google Chrome does not have support for sites that require Flash or Java, so by extension WorkSpaces Web would not be compatible with those sites.

Q: Does WorkSpaces Web work with SaaS applications?

WorkSpaces Web can connect to internal or public SaaS web applications. WorkSpaces Web can work with any SaaS web application that works in an up-to-date Google Chrome browser.

Q: Does WorkSpaces Web work with email?

WorkSpaces Web supports web interfaces for email. For example, you can allow end users to access email via Microsoft Outlook Web Access. However, WorkSpaces Web does not support email in native email clients.

Q: Does WorkSpaces Web support web-based collaboration and meeting tools?

Yes. Customers have the option to optimize their instance type, which can be particularly helpful with highly interactive websites. By default, all portals are on Regular instances, which are optimized for browsing static websites (e.g., wikis, directories, CRM tools, web-based email), but administrators can select Large instances to enable more memory-intensive workloads, and XL instances for highly interactive websites like online meeting tools which stream two-way audio and video.

Q: Does WorkSpaces Web support microphones and web cams?

Yes. Users can connect a mic or camera input to the remote Chrome browser during a session.

Security

Q: How does WorkSpaces Web protect my data?

During a WorkSpaces Web session, web content is ephemerally streamed from WorkSpaces Web to the user in their local browser. Streaming prevents data from residing on remote devices and provides an effective barrier to attacks packaged in web content. At the end of the session, the instance is wiped, helping to protect sensitive corporate data. Throughout this process, data in transit is protected by enterprise-grade encryption. You can choose to create a WorkSpaces Web portal with AWS KMS, which makes it straightforward to create and manage cryptographic keys and control their use across a range of AWS services.

Q: What are the main security differentiators of WorkSpaces Web?

WorkSpaces Web is an AWS service, so your content is handled in a secure environment consistent with AWS standards. As a user of WorkSpaces Web, a part of the cloud is dedicated to your account and handles only your data. WorkSpaces Web allows you to apply enterprise browser policies and session controls over access to the clipboard, file transfer, and printer.

Q: Does WorkSpaces Web prevent web browsers from caching corporate data?

WorkSpaces Web pixel streams web content to the browser, preventing data from residing on the local device or in the web browser.

Q: Can I restrict which devices can access WorkSpaces Web?

By default, WorkSpaces Web allows users to access their portal from anywhere, but you can use IP access controls to filter which IP addresses may connect. When associated with your web portal, IP access settings will detect the user IP before authentication to determine whether they are eligible to connect. Once connected, WorkSpaces Web continuously monitors a user's IP address to ensure they remain connected from a trusted network. If a user's IP changes, WorkSpaces Web will detect and terminate the session.

Q: Can I control which websites users can access during a session?

You can use URL filtering to control which URLs users can access. You can use the console to create allow and deny lists of URLs as a portal setting, or by uploading a browser policy JSON file with URL filtering included. You may also control outbound communication from a portal to the internet by connecting your VPC to a web proxy. You can set proxy settings using Chrome’s policies built into the web browser by setting up an HTTP outbound proxy. For example, if you use a web proxy as the gateway to the internet, you can implement preventive security controls, such as domain allow-listing and content filtering.
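The following added example (not AWS code) lints the URL filtering part of a browser policy JSON file before upload, checking that the allow list actually restricts browsing. The "chromePolicies"/"value" wrapper is an assumption about the upload format, and the sample policy and the function name lint_url_filtering are constructed for illustration.

```python
import json

# Constructed sample. The "chromePolicies"/"value" wrapper is an assumed upload
# format; URLBlocklist and URLAllowlist are Chrome's own policy names.
SAMPLE_POLICY = json.loads("""
{"chromePolicies": {
  "URLBlocklist": {"value": ["*"]},
  "URLAllowlist": {"value": [
    "intranet.example.com", ".wiki.example.com",
    "https://crm.example.com/app", "*.example.org", "file://*", "*"]}
}}
""")

def lint_url_filtering(policy):
    """Return (code, detail) findings for the URL filtering part of a policy."""
    chrome = policy.get("chromePolicies", {})
    block = chrome.get("URLBlocklist", {}).get("value", [])
    allow = chrome.get("URLAllowlist", {}).get("value", [])
    findings = []
    # Allowlist entries are exceptions to the blocklist, so an allow list only
    # restricts anything when the blocklist denies everything else.
    if "*" not in block:
        findings.append(("NOT_DEFAULT_DENY", "URLBlocklist has no '*' entry"))
    for entry in allow:
        scheme, sep, rest = entry.partition("://")
        host = (rest if sep else entry).split("/")[0].split(":")[0]
        if sep and scheme not in ("http", "https", "*"):
            findings.append(("NON_WEB_SCHEME", entry))
        elif host == "*":
            findings.append(("ALLOWS_EVERYTHING", entry))
        elif "*" in host:
            # Chrome's filter syntax takes '*' only as the whole host.
            findings.append(("WILDCARD_IN_HOST", entry))
        elif not host.startswith("."):
            # Without a leading dot the entry also matches every subdomain.
            findings.append(("SUBDOMAINS_INCLUDED", entry))
    return findings

if __name__ == "__main__":
    for code, detail in lint_url_filtering(SAMPLE_POLICY):
        print(f"{code:20} {detail}")
```

SUBDOMAINS_INCLUDED is informational: it marks entries where exact-host matching may have been intended.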

Q: Does WorkSpaces Web support YubiKey?

There are two ways you can use YubiKey with WorkSpaces Web. You can use YubiKey for user access and authentication at the start of the session with your IdP. You can also use YubiKey with OTP during the session. Support for U2F is coming soon.

User access, authentication, SSO

Q: How does WorkSpaces Web manage user access and authentication?

WorkSpaces Web is designed to work with your existing systems and not add extra layers of user management. User authentication and federated sign-in uses your existing SAML 2.0-compliant identity provider (e.g., AWS IAM Identity Center, Okta, or Ping Identity, etc.). Portals can support service provider initiated or identity provider initiated authentication flows.

Q: Does WorkSpaces Web support single sign on?

You can support single sign on for websites that use the same SAML provider you have configured for your web portal (e.g., if you use Okta to authenticate to the portal and to your login-protected web domains). Simply enable the WorkSpaces Web extension for single sign on in your web portal and have your end users install the local extension (available on either the Chrome or Firefox browsers). Then, when your end users authenticate to their WorkSpaces Web browser, the service will seamlessly pass the IdP sign-in cookie to the protected domain, preempting an additional sign-in.

Monitoring

Q: What service monitoring information is available?

You can monitor Amazon WorkSpaces Web using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. These statistics are kept for 15 months, so that you can access historical information and gain a better perspective on how your web application or service is performing. You can also enable user access logging for session data and URL records via Amazon Kinesis Data Streams.

Q: Do the WorkSpaces Web APIs log actions in AWS CloudTrail?

Yes. To receive a history of WorkSpaces Web API calls made to your account, you can turn on CloudTrail in the AWS Management Console.
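As an added example (not AWS code), the script below triages CloudTrail records for WorkSpaces Web API calls that detach or edit the portal controls described in the Security section. The eventSource value is an assumption, and the sample records, account ID, ARNs and IP addresses are constructed.

```python
import json

EVENT_SOURCE = "workspaces-web.amazonaws.com"  # assumed CloudTrail eventSource value

# WorkSpaces Web API actions that detach a control from a portal.
DETACH = {
    "DisassociateIpAccessSettings": "IP access control",
    "DisassociateBrowserSettings": "browser policy",
    "DisassociateUserSettings": "clipboard/file transfer/print controls",
    "DisassociateUserAccessLoggingSettings": "user access logging",
}
# Actions that edit a control in place; compare against the approved config.
EDIT = {"UpdateIpAccessSettings", "UpdateBrowserSettings", "UpdateUserSettings"}

# Constructed CloudTrail records (account ID, ARNs and IPs are made up).
SAMPLE = json.loads("""[
 {"eventTime": "2024-01-10T09:09:00Z", "eventSource": "workspaces-web.amazonaws.com", "eventName": "DisassociateUserAccessLoggingSettings", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}},
 {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "workspaces-web.amazonaws.com", "eventName": "GetPortal", "sourceIPAddress": "198.51.100.4", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
 {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "workspaces-web.amazonaws.com", "eventName": "UpdateBrowserSettings", "sourceIPAddress": "198.51.100.4", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
 {"eventTime": "2024-01-10T09:07:00Z", "eventSource": "workspaces-web.amazonaws.com", "eventName": "DisassociateIpAccessSettings", "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}},
 {"eventTime": "2024-01-10T09:08:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.4", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}}
]""")

def triage(records):
    """Return (severity, eventTime, eventName, actor, note), oldest first."""
    out = []
    for r in records:
        if r.get("eventSource") != EVENT_SOURCE:
            continue
        name = r.get("eventName", "")
        if name in DETACH:
            sev, note = "high", DETACH[name] + " detached"
        elif name in EDIT:
            sev, note = "review", "control edited"
        else:
            continue  # read-only or unrelated portal call
        if r.get("errorCode"):  # rejected call: nothing changed, but someone tried
            sev, note = "attempt", note + " (failed: " + r["errorCode"] + ")"
        actor = r.get("userIdentity", {}).get("arn", "unknown")
        out.append((sev, r.get("eventTime") or "", name, actor, note))
    return sorted(out, key=lambda f: f[1])

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```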

Pricing and availability

Q: How much does WorkSpaces Web cost?

WorkSpaces Web is a pay-as-you-go service with no minimum fees, upfront commitments, or long-term contracts. Each user has up to 200 streaming hours of access per month, and you are charged monthly based on the number of users that connect to the service. The cost for each user depends on the instance type and region you select for your web portal. Please see our pricing page for the latest information.

Q: What AWS Regions is WorkSpaces Web available in?

WorkSpaces Web is available in the following regions: US East (Northern Virginia), US West (Oregon), Canada (Central), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Ireland), Europe (London), and Europe (Frankfurt).
