Q: What is Amazon WorkSpaces Web?
Amazon WorkSpaces Web is a low cost, fully managed, Linux-based service, designed to facilitate secure browser access to internal websites and software-as-a-service (SaaS) applications from existing web browsers, without the administrative burden of appliances, managing infrastructure, specialized client software, or virtual private network (VPN) connections.
Q: Why should I use WorkSpaces Web?
You can use WorkSpaces Web to secure a web browser-based productivity environment, enable safe browsing from high-security networks, or facilitate lightweight bring-your-own-device (BYOD) access for browser-only resources. Many workloads are shifting from a traditional desktop environment to SaaS applications or custom-built internal websites. As a result, the browser has become a critical productivity application. Existing solutions to secure browser traffic can be overly permissive, expensive, complex , or all of these. WorkSpaces Web was purpose built to address these pains points, and is a simple way to provide access to web content while reducing risk of data exfiltration or risky connections with remote devices.
Q: How is WorkSpaces Web related to other AWS end user computing services?
Each AWS end user computing service is designed to provide secure access to a different environment: WorkSpaces for fully persistent Windows and Linux virtual desktops; AppStream 2.0 for application streaming or virtual desktops with selective persistence; WorkSpaces Web for low-cost, secure browser-based access to internal web and SasS apps.
Q: How do I get started with WorkSpaces Web?
You can get started with WorkSpaces Web from the AWS Management Console. After signing in, search for Amazon WorkSpaces and select the AWS Region that will serve as your home Region. (This is where your WorkSpaces Web portal will be created, your websites rendered, and your user analytics generated.) Select WorkSpaces Web from the left-hand menu in the WorkSpaces console. Then federate your existing SAML-based identity provider with WorkSpaces Web. Next, select an Amazon Virtual Private Cloud (VPC), subnets, a security group with connectivity to the internet, and any internal content you would like to connect with WorkSpaces Web. Finally, apply browser policies and session-level controls to your web portal. Once your WorkSpaces Web portal is created, you can sign in and browse connected websites.
Q: How does WorkSpaces Web communicate with my corporate network?
WorkSpaces Web provisions specific Amazon Elastic Compute Cloud (EC2) instances on demand. Create or identify an existing VPC in your account, select subnets for WorkSpaces Web traffic, and give WorkSpaces Web permission to create Cross-Account Elastic Network Interfaces (X-ENIs) that will be linked to hosts allocated to your account. Your VPC must have a stable connection to the content you wish to use with both WorkSpaces Web and services such as Amazon Simple Storage Service (S3), AWS Key Management Service (KMS), and Amazon CloudWatch. You can set the browser policy using Google Chrome’s 300-plus user and data policies. You can set controls over users' access to file transfer, clipboard, and local printers. You are responsible for the networking from your Amazon VPC to both the internet and any internal content. Your internal content can exist within that VPC (for example, applications hosted on an Amazon EC2 instance), in another Amazon VPC that is peered with it, on premises, or on the public internet. Resources hosted on premises must be accessible via an IPsec tunnel, AWS Direct Connect, or AWS Transit Gateway.
Q: How do my end users get started with WorkSpaces Web?
Once you have completed setup in the AWS Management Console, you can distribute the WorkSpaces Web portal endpoint URL to your users. You can add this URL to your SAML provider application gateway, email it to users, re-direct from a domain you own, or push the URL as a bookmark to a device you manage. Your end users can log in with their SAML identity and start accessing websites using their existing browser.
Q: Which devices are supported at launch?
Users can connect to WorkSpaces Web from laptop or desktop computers.
Q: Which web applications can I use with WorkSpaces Web?
WorkSpaces Web pixel streams an up-to-date version of the Google Chrome browser, so if website content displays in Google Chrome, it will display in WorkSpaces Web. Google Chrome does not have support for sites that require Flash or Java, so by extension WorkSpaces Web would not be compatible with those sites. Users may connect a local devices microphone input to the remote Chrome browser during a session.
Q: Does WorkSpaces Web work with SaaS applications?
WorkSpaces Web can connect to internal or public SaaS web applications. WorkSpaces Web can work with any SaaS web application that works in an up-to-date Google Chrome browser.
Q: Does WorkSpaces Web work with email?
WorkSpaces Web supports web interfaces for email. For example, you can allow end users to access email via Microsoft Outlook Web Access. However, WorkSpaces Web does not support email in native email clients.
Q: How does WorkSpaces Web manage user access and authentication?
WorkSpaces Web is designed to work with your existing systems and not add extra layers of user management. WorkSpaces Web supports user authentication and federated sign-in using any SAML 2.0-compliant identity providers, such as AWS IAM Identity Center (successor to AWS SSO), OneLogin, Okta, Ping Identity, and others.
Q: How is my data protected?
During a WorkSpaces Web session, web content is ephemerally streamed from WorkSpaces Web to the user in their local browser. Streaming prevents data from residing on remote devices and provides an effective barrier to attacks packaged in web content. At the end of the session, the instance is wiped, helping to protect sensitive corporate data. Throughout this process, data in transit is protected by enterprise-grade encryption. You can choose to create a WorkSpaces Web portal with AWS KMS, which makes it straightforward to create and manage cryptographic keys and control their use across a range of AWS services.
Q: What are the main security differentiators of WorkSpaces Web?
WorkSpaces Web is an AWS service, so your content is handled in a secure environment consistent with AWS standards. As a user of WorkSpaces Web, a part of the cloud is dedicated to your account and handles only your data. WorkSpaces Web allows you to apply enterprise browser policies and session controls over access to the clipboard, file transfer, and printer.
Q: Does WorkSpaces Web prevent web browsers from caching corporate data?
WorkSpaces Web pixel streams web content to the browser, preventing data from residing on the local device or in the web browser.
Q: What information can I get from WorkSpaces Web monitoring?
WorkSpaces Web offers two types of metrics - Cloudwatch, and User Access Logs. Cloudwatch metrics provide the following usage information:
- SessionAttempt: the number of WorkSpaces Web session attempts.
- SessionSuccess: the number of successful WorkSpaces Web session starts.
- SessionFailure: the number of failed WorkSpaces Web session starts.
Workspaces Web also enables customers to record user access logs. Customers may choose to enable user access logging which is delivered via kinesis streams. They record the following events:
- Session start - Marks the beginning of the WSW session.
- Session end - Marks the end of the WSW session.
- URL navigation - Logs the URL that the user loaded.
Each event includes the time, username, and web portal ARN.
Q: Do the WorkSpaces Web APIs log actions in AWS CloudTrail?
Yes. To receive a history of WorkSpaces Web API calls made to your account, you can turn on CloudTrail in the AWS Management Console.
Pricing and availability
Q: How much does WorkSpaces Web cost?
WorkSpaces Web is a pay-as-you-go service with no minimum fees, upfront commitments, or long-term contracts. With WorkSpaces Web, users have up to 200 streaming hours of access to the content you connect to, and you are charged monthly based on the number of users that connect to the service. Please see our pricing page for the latest information.
Q: What AWS Regions is WorkSpaces Web available in?
WorkSpaces Web is available in the following regions: US East (Northern Virginia), US West (Oregon), Canada (Central), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Ireland), Europe (London), and Europe (Frankfurt).