Q: What is Amazon WorkSpaces Web?
Amazon WorkSpaces Web is an on-demand, fully managed, Linux-based service designed to facilitate secure browser access to internal websites and software-as-a-service (SaaS) applications. Access the service from existing web browsers, without the administrative burden of appliances, infrastructure management, specialized client software, or virtual private network (VPN) connections.
Q: Why should I use WorkSpaces Web?
You can use WorkSpaces Web to secure a browser-based productivity environment, allow safe browsing from high-security networks, or facilitate lightweight bring-your-own-device (BYOD) access for browser-only resources. Workloads are often shifting from a traditional desktop environment to SaaS applications or custom-built internal websites. As a result, the browser has become a critical productivity application. Existing solutions to secure browser traffic can be overly permissive, expensive, or complex. WorkSpaces Web was purpose-built to address these pain points. WorkSpaces Web is a straightforward way to provide access to web content while reducing the risks of data exfiltration or unsecured connections with remote devices.
Q: How is WorkSpaces Web related to other AWS end user computing services?
WorkSpaces Web is a new capability for the AWS end user computing category. Each service is designed to provide secure access to a different environment: Amazon WorkSpaces for remote Windows and Linux desktops; WorkSpaces Web for on-demand, automatically managed, browser-based access; and Amazon AppStream 2.0 for custom, remote applications.
Q: How do I get started with WorkSpaces Web?
You can get started with WorkSpaces Web from the AWS Management Console. After signing in, search for Amazon WorkSpaces and select the AWS Region that will serve as your home Region. (This is where your WorkSpaces Web portal will be created, your websites rendered, and your user analytics generated.) Select WorkSpaces Web from the left-hand menu in the WorkSpaces console. Then federate your existing SAML-based identity provider with WorkSpaces Web. Next, select an Amazon Virtual Private Cloud (VPC), subnets, a security group with connectivity to the internet, and any internal content you would like to connect with WorkSpaces Web. Finally, apply browser policies and session-level controls to your web portal. Once your WorkSpaces Web portal is created, you can sign in and browse connected websites.
Q: How does WorkSpaces Web communicate with my corporate network?
WorkSpaces Web provisions specific Amazon Elastic Compute Cloud (EC2) instances on demand. Create or identify an existing VPC in your account, select subnets for WorkSpaces Web traffic, and give WorkSpaces Web permission to create Cross-Account Elastic Network Interfaces (X-ENIs) that will be linked to hosts allocated to your account. Your VPC must have a stable connection to the content you wish to use with both WorkSpaces Web and services such as Amazon Simple Storage Service (S3), AWS Key Management Service (KMS), and Amazon CloudWatch. You can set the browser policy using Google Chrome’s 300-plus user and data policies. You can set controls over users' access to file transfer, clipboard, and local printers. You are responsible for the networking from your Amazon VPC to both the internet and any internal content. Your internal content can exist within that VPC (for example, applications hosted on an Amazon EC2 instance), in another Amazon VPC that is peered with it, on premises, or on the public internet. Resources hosted on premises must be accessible via an IPsec tunnel, AWS Direct Connect, or AWS Transit Gateway.
Q: How do my end users get started with WorkSpaces Web?
Once you have completed setup in the AWS Management Console, you can distribute the WorkSpaces Web portal endpoint URL to your users. You can add this URL to your SAML provider application gateway, email it to users, redirect from a domain you own, or push the URL as a bookmark to a device you manage. Your end users can log in with their SAML identity and start accessing websites using their existing browser.
Q: Which devices are supported at launch?
Users can connect to WorkSpaces Web from desktop or tablet web browsers.
Q: Which web applications can I use with WorkSpaces Web?
WorkSpaces Web pixel streams an up-to-date version of the Google Chrome browser, so if content works in Google Chrome, it will work in WorkSpaces Web. Google Chrome does not have support for sites that require Flash or Java, so by extension WorkSpaces Web would not be compatible with those sites.
Q: Does WorkSpaces Web work with SaaS applications?
WorkSpaces Web can connect to internal or public SaaS web applications. WorkSpaces Web can work with any SaaS web application that works in an up-to-date Google Chrome browser.
Q: Does WorkSpaces Web work with email?
WorkSpaces Web supports web interfaces for email. For example, you can allow end users to access email via Microsoft Outlook Web Access. However, WorkSpaces Web does not support email in native email clients.
Q: How does WorkSpaces Web manage user access and authentication?
WorkSpaces Web is designed to work with your existing systems and not add extra layers of user management. WorkSpaces Web supports user authentication and federated sign-in using any SAML 2.0-compliant identity providers, such as AWS IAM Identity Center.
Q: How is my data protected?
During a WorkSpaces Web session, web content is ephemerally streamed from WorkSpaces Web to the user in their local browser. Streaming prevents data from residing on remote devices and provides an effective barrier to attacks packaged in web content. At the end of the session, the instance is wiped, helping to protect sensitive corporate data. Throughout this process, data in transit is protected by enterprise-grade encryption. You can choose to create a WorkSpaces Web portal with AWS KMS, which makes it straightforward to create and manage cryptographic keys and control their use across a range of AWS services.
Q: What are the main security differentiators of WorkSpaces Web?
WorkSpaces Web is an AWS service, so your content is handled in a secure environment consistent with AWS standards. As a user of WorkSpaces Web, a part of the cloud is dedicated to your account and handles only your data. WorkSpaces Web allows you to apply enterprise browser policies and session controls over access to the clipboard, file transfer, and printer.
Q: Does WorkSpaces Web prevent web browsers from caching corporate data?
WorkSpaces Web pixel streams web content to the browser, preventing data from residing on the local device or in the web browser.
Q: What information can I get from WorkSpaces Web monitoring?
WorkSpaces Web offers two types of monitoring data: CloudWatch metrics and user access logs. CloudWatch metrics provide the following usage information:
- SessionAttempt: the number of WorkSpaces Web session attempts.
- SessionSuccess: the number of successful WorkSpaces Web session starts.
- SessionFailure: the number of failed WorkSpaces Web session starts.
WorkSpaces Web also lets customers record user access logs. Customers may choose to enable user access logging, which is delivered via Kinesis streams. The logs record the following events:
- Session start - Marks the beginning of the WorkSpaces Web session.
- Session end - Marks the end of the WorkSpaces Web session.
- URL navigation - Logs the URL that the user loaded.
Each event includes the time, username, and web portal ARN.
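The following is an added example, not AWS code, showing how the three user access log events can be correlated once records have been read off the stream: it pairs session start and end per user and portal, and flags URL navigations to hosts outside an allow-list. The JSON field names, event names, allow-list, and portal ARN are assumptions constructed for illustration, not the service's documented schema.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

PORTAL = "arn:aws:workspaces-web:us-east-1:111122223333:portal/EXAMPLE"  # placeholder ARN
# Constructed sample records (assumed field names), one JSON document per line.
SAMPLE_LINES = [
    json.dumps({"event": e, "time": t, "username": u, "portal_arn": PORTAL, **extra})
    for e, t, u, extra in [
        ("SessionStart", "2024-05-01T09:00:00+00:00", "alice", {}),
        ("UrlNavigation", "2024-05-01T09:01:10+00:00", "alice", {"url": "https://wiki.corp.example/home"}),
        ("UrlNavigation", "2024-05-01T09:05:42+00:00", "alice", {"url": "https://files.partner.example/upload"}),
        ("SessionEnd", "2024-05-01T09:30:00+00:00", "alice", {}),
        ("SessionStart", "2024-05-01T10:00:00+00:00", "bob", {}),
        ("UrlNavigation", "2024-05-01T10:02:00+00:00", "bob", {"url": "https://notcorp.example/login"}),
    ]
]
ALLOWED = {"corp.example"}  # hypothetical allow-list of domains


def host_allowed(url, allowed=ALLOWED):
    """Exact or dot-bounded suffix match, so notcorp.example does not pass as corp.example."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def analyze(lines, allowed=ALLOWED):
    """Return (finding, username, detail) tuples in event-time order."""
    events = sorted((json.loads(line) for line in lines),
                    key=lambda ev: datetime.fromisoformat(ev["time"]))
    open_sessions, findings = {}, []
    for ev in events:
        key = (ev["username"], ev["portal_arn"])
        if ev["event"] == "SessionStart":
            open_sessions[key] = ev["time"]
        elif ev["event"] == "SessionEnd":
            if open_sessions.pop(key, None) is None:
                findings.append(("end_without_start", ev["username"], ev["time"]))
        elif ev["event"] == "UrlNavigation":
            if key not in open_sessions:
                findings.append(("navigation_outside_session", ev["username"], ev["url"]))
            if not host_allowed(ev["url"], allowed):
                findings.append(("off_allowlist", ev["username"], ev["url"]))
    # Sessions still open when the log window ends (may simply be in progress).
    findings += [("session_not_closed", u, t) for (u, _), t in open_sessions.items()]
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```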
Q: Do the WorkSpaces Web APIs log actions in AWS CloudTrail?
Yes. To receive a history of WorkSpaces Web API calls made to your account, you can turn on CloudTrail in the AWS Management Console.
Pricing and availability
Q: How much does WorkSpaces Web cost?
WorkSpaces Web is a pay-as-you-go service with no minimum fees, upfront commitments, or long-term contracts. With WorkSpaces Web, users have up to 200 streaming hours of access to the content you connect to, and you are charged monthly based on the number of users that connect to the service. Please see our pricing page for the latest information.
Q: What AWS Regions is WorkSpaces Web available in?
WorkSpaces Web is available in the following Regions: US East (Northern Virginia), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and Europe (Ireland).