Applying the Shared Responsibility Model to Amazon WorkSpaces for External Users

BY:

Feb 3, 2021

Here’s a look at the AWS shared responsibility model and how to apply it to WorkSpaces for external users

Key Takeaways

  • Security and compliance are shared responsibilities among Amazon Web Services (AWS) and its users. 
  • The shared responsibility model dictates that AWS manages the infrastructure of its services, while service users must take steps to secure data on these services.
  • AWS’s shared responsibility model applies to Amazon WorkSpaces and requires customers to apply data security measures for internal and external users. 
  • AWS offers recommendations that businesses can use to secure WorkSpaces data and align their security practices with the shared responsibility model. 
  • Along with AWS recommendations, CloudHesive offers Centricity to help businesses optimize security across their WorkSpaces. 

If you use Amazon WorkSpaces to deploy desktops to consultants, third-party vendors, or other external users, you are responsible for securing your data via AWS. This is based on the AWS shared responsibility model, which defines security and compliance as a shared responsibility between AWS and the companies that use its computing services.  

How does it apply to Amazon WorkSpaces for external users?

AWS operates, manages, and controls the infrastructure of its services. This applies to service components from the host operating system and virtualization layer to the physical security of the facilities where the service runs. Meanwhile, AWS customers are responsible for managing the service’s guest operating system, application software, and configuration of an AWS-provided security group firewall.  

With Amazon WorkSpaces, you must secure your corporate data via appropriate permissions and WorkSpaces management. To do so, you must establish WorkSpaces that provide external users with access to your data in alignment with your security and compliance goals.

How to secure your data in Amazon WorkSpaces for external users

Here are the security steps AWS recommends to help you secure your data in WorkSpaces:

1. Define user groups

Establish WorkSpaces user groups to define which individuals have security rights and permissions. Each user group determines who can access different types of data based on your requirements. It also establishes criteria for user authentication. 

To set up a user group, it helps to differentiate internal and external WorkSpaces users. Next, you can classify those users into groups and define your security controls. 

2. Configure WorkSpaces directories

Use directories to manage data and configure WorkSpaces and users. You can access a directory with every WorkSpace you provision and configure it based on your data and users. 

You can create and manage a directory as soon as you provision a WorkSpace. You can also integrate WorkSpaces into an on-premises Microsoft Active Directory, which allows users to use existing credentials to access their WorkSpaces.

3. Create security groups

Use Amazon Virtual Private Cloud (VPC) to implement WorkSpaces security controls across your external users. You can use VPC to configure security groups to ensure external users can only have HTTP and HTTPS access to websites associated with trusted IP addresses. In addition, you can establish security groups with restrictive network access. 

If you want fine-grained access control for individual users, you can establish a security group and attach it to the user’s WorkSpace. In this instance, you can use one directory to manage many users with various network security requirements and ensure only authorized users can access certain data.

4. Deactivate local administrator rights

Disable local administrator rights on WorkSpaces for external users and provide them with access to only preinstalled applications. This minimizes the risk of data loss because external users will have only limited permissions and cannot access or share sensitive information. 

You can deactivate local administrator rights in WorkSpaces via external users’ directories. Once you do so, these directory changes will be applied to new WorkSpaces. If you want to apply these changes to existing WorkSpaces, you’ll need to rebuild them after you implement the changes.

5. Determine IP access control

Establish an IP access control group to set up a virtual firewall that limits access to WorkSpaces. Plus, you can configure IP access control group rules that restrict access to WorkSpaces unless they come from your company’s VPN. 

IP access control groups allow you to manage the source classless inter-domain routing (CIDR) ranges, which enable users to access WorkSpaces. Each group has a set of roles that define a permitted IP address and range of addresses that can be used to access WorkSpaces. You can define rules that verify the ranges of IP addresses for your company’s networks within IP access control groups linked to external user directories. This lets you limit traffic and ensure only certain IPs can access WorkSpaces.

6. Manage trusted devices

Define the devices that can connect to your WorkSpaces. This ensures that external users can only access WorkSpaces via trusted devices. 

You can activate the “managed devices” feature on WorkSpaces for Windows and macOS. This feature lets you grant WorkSpaces access to only devices that have been certified as trusted. If a WorkSpaces application cannot verify that a device is trusted, it will automatically ensure that the device cannot be used to access your AWS instances.

7. Monitor your WorkSpaces

Make WorkSpaces security an ongoing initiative. Continuously monitoring your WorkSpaces ensures you can identify any suspicious activities and potential threats before they lead to a data breach. But, if you watch your infrastructure closely, you’ll be well-equipped to identify and mitigate security issues in their early stages. 

You can use Amazon CloudWatch in conjunction with WorkSpaces to track security, too. CloudWatch lets you view, filter, and respond to WorkSpaces logins and respond to potential security issues in real-time. By integrating CloudWatch into your security plan, you’ll be able to monitor your infrastructure and guard against WorkSpaces security issues. 

Build secure Amazon WorkSpaces

If you think it is easy to secure WorkSpaces for external users, think again. The aforementioned tips can help you setup WorkSpaces in accordance with the shared responsibility model. Yet, if you need extra help to build secure WorkSpaces, you should reach out to an Amazon Managed Service Partner like CloudHesive.

CloudHesive offers a desktop-as-a-service (DaaS) solution powered by Workspaces and our Centricity application. With our support, you can deploy multiple security controls to meet your WorkSpaces security requirements. Contact us today to learn more about how we can help you manage security across your WorkSpaces.

Related Blogs

  • A woman wearing a phone headset sits at a computer looking at the screen while apparently talking to a customer. On the screen is a larger background window with information, and a small pop-out window." alt="">
    Extend the Amazon Connect Contact Control Panel With CTI Actions

    The Amazon Connect Computer Telephony Integration (CTI) Adapter for Salesforce lets users leverage CTI Actions to extend their Contact Control Panel (CCP).  Key takeaways: The Amazon Connect CTI...

    Learn More
  • A penguin on a white computer vector graphic represents an Amazon Linux WorkSpace." alt="">
    How to Manage Amazon Linux WorkSpaces at Scale

    Discover how integrating Amazon WorkSpaces with AWS OpsWorks for Chef Automate can simplify the management of Amazon Linux WorkSpaces at scale Key Takeaways: Amazon Web Services, like Amazon...

    Learn More
  • " alt="">
    New! Disable Rollback for AWS CloudFormation

    AWS’ native Infrastructure as Code (IaC) service, CloudFormation has a new feature named “Disable Rollback”. Disable Rollback works exactly as it sounds and as easily as it sounds. If, during...

    Learn More