AWS WorkSpaces

• Amazon WorkSpaces is a fully managed, secure desktop computing service that runs on the AWS cloud.
• WorkSpaces is a cloud-based virtual desktop that can act as a replacement for a traditional desktop.
• WorkSpaces eliminates the need to procure and deploy hardware or install complex software and the complexity of managing inventory, OS versions and patches, and VDI, which helps simplify the desktop delivery strategy.
• A WorkSpace is available as a bundle of compute resources, storage space, and software applications that allow a user to perform day-to-day tasks just like using a traditional desktop
• WorkSpaces allows users to easily provision cloud-based virtual desktops and provide users access to the documents, applications, and resources they need from any supported device, including computers, Chromebooks, iPads, Fire tablets, and Android tablets.
• Each WorkSpace runs on an individual instance for the assigned user and Applications and users’ documents and settings are persistent.
• WorkSpaces client application needs a supported client device (PC, Mac, iPad, Kindle Fire, or Android tablet), and an Internet connection with TCP ports 443 & 4172, and UDP port 4172 open

WorkSpaces Application Manager – WAM

• WAM offers a fast, flexible, and secure way to deploy and manage applications for WorkSpaces.
• WAM accelerates software deployment, upgrades, patching, and retirement by packaging Microsoft Windows desktop applications into virtualized application containers that run as though they are natively installed.
• WorkSpaces need an Internet connection to receive applications via WAM
• Applications can be packaged using the WAM Studio, validated using the WAM Player, and then uploaded to WAM for use.

WorkSpaces Security

• Users can be quickly added or removed.
• Users can log in to the WorkSpace using their own credentials set when the instance is provisioned
• integrates with the existing Active Directory domain, users can sign in with their regular Active Directory credentials.
• integrates with the existing RADIUS server to enable multi-factor authentication (MFA).
• supports access restriction based on the client OS type and using digital certificates
• VPC Security groups to limit access to resources in the network or the Internet from the WorkSpaces
• IP Access Control Group enables the configuration of trusted IP addresses that are permitted to access the WorkSpaces.
• is PCI compliant and conforms to the Payment Card Industry Data Security Standard (PCI DSS)

WorkSpaces Maintenance & Backup

• WorkSpaces enables maintenance windows for both AlwaysOn and AutoStop WorkSpaces by default.
• AlwaysOn WorkSpaces has a default from 00h00 to 04h00 on Sunday morning
• AutoStop WorkSpaces automatically start once a month to install updates
• User volume is backed-up every 12 hours and if the WorkSpace fails, AWS can restore the volume from the backup

WorkSpaces Encryption

• supports root volume and user volume encryption
• uses EBS volumes that can be encrypted on WorkSpace creation, providing encryption for data stored at rest, disk I/O to the volume, and snapshots created from the volume.
• integrates with the AWS KMS service to allow you to specify the keys you want to use to encrypt the volumes.

WorkSpaces Architecture

• WorkSpaces launches the WorkSpaces in a VPC.
• If using AWS Directory Service to create an AWS Managed Microsoft or a Simple AD, it is recommended to configure the VPC with one public subnet and two private subnets.
• To provide internet access to WorkSpaces in a private subnet, configure a NAT gateway in the public subnet. Configure the directory to launch the WorkSpaces in the private subnets.

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. A company needs to deploy virtual desktops to its customers in a virtual private cloud, leveraging existing security controls. Which set of AWS services and features will meet the company’s requirements?
   1. Virtual Private Network connection. AWS Directory Services, and ClassicLink (ClassicLink allows you to link an EC2-Classic instance to a VPC in your account, within the same region)
   2. Virtual Private Network connection. AWS Directory Services, and Amazon Workspaces (WorkSpaces for Virtual desktops, and AWS Directory Services to authenticate to an existing on-premises AD through VPN)
   3. AWS Directory Service, Amazon Workspaces, and AWS Identity and Access Management (AD service needs a VPN connection to interact with an On-premise AD directory)
   4. Amazon Elastic Compute Cloud, and AWS Identity and Access Management (Need WorkSpaces for virtual desktops)
2. Your company is planning on testing out Amazon workspaces for their account. They are going to allocate a set of workstations with static IP addresses for this purpose. They need to ensure that only these IP addresses have access to Amazon Workspaces. How can you achieve this?
   1. Create an IP Access Control Group
   2. Place a WAF in front of Amazon Workspaces
   3. Specify the IP addresses in the NACL
   4. Specify the IP addresses in the Security Group

References

AWS_WorkSpaces