Applying the Shared Responsibility Model to Amazon WorkSpaces for External Users

Feb 3, 2021

Here’s a look at the AWS shared responsibility model and how to apply it to WorkSpaces for external users

Key Takeaways

  • Security and compliance are responsibilities shared between Amazon Web Services (AWS) and its users.
  • The shared responsibility model dictates that AWS manages the infrastructure of its services, while service users must take steps to secure data on these services.
  • AWS’s shared responsibility model applies to Amazon WorkSpaces and requires customers to apply data security measures for internal and external users. 
  • AWS offers recommendations that businesses can use to secure WorkSpaces data and align their security practices with the shared responsibility model. 
  • Along with AWS recommendations, CloudHesive offers Centricity to help businesses optimize security across their WorkSpaces. 

If you use Amazon WorkSpaces to deploy desktops to consultants, third-party vendors, or other external users, you are responsible for securing your data on AWS. This follows from the AWS shared responsibility model, which defines security and compliance as a shared responsibility between AWS and the companies that use its computing services.

How does it apply to Amazon WorkSpaces for external users?

AWS operates, manages, and controls the infrastructure of its services. This applies to service components from the host operating system and virtualization layer to the physical security of the facilities where the service runs. Meanwhile, AWS customers are responsible for managing the service’s guest operating system, application software, and configuration of an AWS-provided security group firewall.  

With Amazon WorkSpaces, you must secure your corporate data via appropriate permissions and WorkSpaces management. To do so, you must establish WorkSpaces that provide external users with access to your data in alignment with your security and compliance goals.

How to secure your data in Amazon WorkSpaces for external users

Here are the security steps AWS recommends to help you secure your data in WorkSpaces:

1. Define user groups

Establish WorkSpaces user groups to define which individuals have security rights and permissions. Each user group determines who can access different types of data based on your requirements. It also establishes criteria for user authentication. 

To set up a user group, it helps to differentiate internal and external WorkSpaces users. Next, you can classify those users into groups and define your security controls. 

2. Configure WorkSpaces directories

Use directories to manage data and configure WorkSpaces and users. You can access a directory with every WorkSpace you provision and configure it based on your data and users. 

You can create and manage a directory as soon as you provision a WorkSpace. You can also integrate WorkSpaces into an on-premises Microsoft Active Directory, which allows users to use existing credentials to access their WorkSpaces.

3. Create security groups

Use Amazon Virtual Private Cloud (VPC) to implement WorkSpaces security controls across your external users. You can use VPC to configure security groups to ensure external users can only have HTTP and HTTPS access to websites associated with trusted IP addresses. In addition, you can establish security groups with restrictive network access. 

If you want fine-grained access control for individual users, you can establish a security group and attach it to the user’s WorkSpace. In this instance, you can use one directory to manage many users with various network security requirements and ensure only authorized users can access certain data.
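One way to check that a WorkSpaces security group really is limited to HTTP and HTTPS toward trusted addresses, as an added example that is not part of the original article. It assumes the group is supplied in the shape the EC2 `describe_security_groups` API returns; the trusted range and both sample groups are constructed.

```python
import ipaddress

# Assumption: destination ranges external users may browse (constructed).
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]
WEB_PORTS = {80, 443}

def audit_egress(group, trusted=TRUSTED):
    """List egress rules wider than HTTP/HTTPS to trusted ranges."""
    findings = []
    for rule in group.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        # "-1" means all protocols; a range spanning more than one web port also fails.
        if proto != "tcp" or lo != hi or lo not in WEB_PORTS:
            findings.append(f"non-web traffic: proto={proto} ports={lo}-{hi}")
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            dest = ipaddress.ip_network(cidr)
            # subnet_of() only compares networks of the same IP version.
            if not any(dest.version == t.version and dest.subnet_of(t) for t in trusted):
                findings.append(f"untrusted destination: {dest}")
    return findings

# Constructed sample groups, not taken from a real account.
RESTRICTED = {
    "GroupId": "sg-EXAMPLE-restricted",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "203.0.113.16/28"}]},
    ],
}
DEFAULT_OPEN = {
    "GroupId": "sg-EXAMPLE-default",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for g in (RESTRICTED, DEFAULT_OPEN):
        print(g["GroupId"], audit_egress(g) or "ok")
```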

4. Deactivate local administrator rights

Disable local administrator rights on WorkSpaces for external users and provide them with access to only preinstalled applications. This minimizes the risk of data loss because external users will have only limited permissions and cannot access or share sensitive information. 

You can deactivate local administrator rights in WorkSpaces via external users’ directories. Once you do so, these directory changes will be applied to new WorkSpaces. If you want to apply these changes to existing WorkSpaces, you’ll need to rebuild them after you implement the changes.

5. Determine IP access control

Establish an IP access control group to set up a virtual firewall that limits access to WorkSpaces. You can also configure IP access control group rules that block connections to WorkSpaces unless they come from your company’s VPN.

IP access control groups allow you to manage the source classless inter-domain routing (CIDR) ranges from which users can access WorkSpaces. Each group has a set of rules that define a permitted IP address or range of addresses that can be used to access WorkSpaces. Within the IP access control groups linked to external user directories, you can define rules that specify the IP address ranges of your company’s networks. This lets you limit traffic and ensure only certain IPs can access WorkSpaces.
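The following added example, not part of the original article, audits whether each external-user directory has an IP access control group attached and whether every rule stays inside the company's ranges. It assumes input in the shape returned by the WorkSpaces `describe_workspace_directories` and `describe_ip_groups` APIs; the corporate range, directory IDs and group IDs are constructed.

```python
import ipaddress

# Assumption: the company's VPN egress range (constructed documentation addresses).
CORPORATE = [ipaddress.ip_network("198.51.100.0/24")]

def audit_ip_access(directories, ip_groups, corporate=CORPORATE):
    """Return (directory_id, problem) pairs for missing or over-wide source rules."""
    groups = {g["groupId"]: g for g in ip_groups}
    problems = []
    for d in directories:
        attached = d.get("ipGroupIds", [])
        if not attached:
            problems.append((d["DirectoryId"], "no IP access control group attached"))
        for gid in attached:
            if gid not in groups:
                problems.append((d["DirectoryId"], f"{gid} not found"))
                continue
            for rule in groups[gid].get("userRules", []):
                # A bare address such as 198.51.100.10 is treated as a /32.
                src = ipaddress.ip_network(rule["ipRule"], strict=False)
                inside = any(src.version == c.version and src.subnet_of(c)
                             for c in corporate)
                if not inside:
                    problems.append((d["DirectoryId"],
                                     f"{gid} allows {src}, outside corporate ranges"))
    return problems

# Constructed sample data, not taken from a real account.
DIRECTORIES = [
    {"DirectoryId": "d-EXAMPLE-ext1", "ipGroupIds": ["wsipg-EXAMPLE-vpn"]},
    {"DirectoryId": "d-EXAMPLE-ext2", "ipGroupIds": ["wsipg-EXAMPLE-wide"]},
    {"DirectoryId": "d-EXAMPLE-ext3", "ipGroupIds": []},
]
IP_GROUPS = [
    {"groupId": "wsipg-EXAMPLE-vpn",
     "userRules": [{"ipRule": "198.51.100.0/25", "ruleDesc": "VPN pool"}]},
    {"groupId": "wsipg-EXAMPLE-wide",
     "userRules": [{"ipRule": "198.51.100.10", "ruleDesc": "single host"},
                   {"ipRule": "0.0.0.0/0", "ruleDesc": "temporary"}]},
]

if __name__ == "__main__":
    for directory_id, problem in audit_ip_access(DIRECTORIES, IP_GROUPS):
        print(directory_id, "-", problem)
```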

6. Manage trusted devices

Define the devices that can connect to your WorkSpaces. This ensures that external users can only access WorkSpaces via trusted devices. 

You can activate the “managed devices” feature on WorkSpaces for Windows and macOS. This feature lets you grant WorkSpaces access to only devices that have been certified as trusted. If a WorkSpaces application cannot verify that a device is trusted, the device is automatically prevented from accessing your AWS instances.

7. Monitor your WorkSpaces

Make WorkSpaces security an ongoing initiative. Continuously monitoring your WorkSpaces ensures you can identify any suspicious activities and potential threats before they lead to a data breach. If you watch your infrastructure closely, you’ll be well-equipped to identify and mitigate security issues in their early stages.

You can use Amazon CloudWatch in conjunction with WorkSpaces to track security, too. CloudWatch lets you view, filter, and respond to WorkSpaces logins and act on potential security issues in real time. By integrating CloudWatch into your security plan, you’ll be able to monitor your infrastructure and guard against WorkSpaces security issues.

Build secure Amazon WorkSpaces

If you think it is easy to secure WorkSpaces for external users, think again. The aforementioned tips can help you set up WorkSpaces in accordance with the shared responsibility model. Yet, if you need extra help to build secure WorkSpaces, you should reach out to an Amazon Managed Service Partner like CloudHesive.

CloudHesive offers a desktop-as-a-service (DaaS) solution powered by WorkSpaces and our Centricity application. With our support, you can deploy multiple security controls to meet your WorkSpaces security requirements. Contact us today to learn more about how we can help you manage security across your WorkSpaces.
