EUCSEC10-BP01 Implement network separation for AWS EUC instances - End User Computing (EUC) Lens

Separating end user systems from infrastructure, application servers, and data at the network level lets you enforce minimal access between systems, which helps prevent unauthorized access to data and applications.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Enforce network separation between user instances and other services. EUC instances provided by Amazon WorkSpaces or WorkSpaces Applications usually have network connectivity to other workloads in the same network subnet. Security groups within VPCs can restrict lateral movement and are recommended. For defense in depth, non-end user instances such as application servers, authentication providers, and other infrastructure services should reside on subnets different from those where user instances reside.
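One way to check for the separation described above, as an added Python example that is not part of this guidance or AWS code: it audits a constructed inventory shaped like WorkSpaces and EC2 API responses (every identifier and CIDR is made up) and flags infrastructure instances that share a subnet with user instances, or whose security groups allow every port from a user security group or from a CIDR range that covers a user subnet.

```python
from ipaddress import ip_network

# Constructed sample data shaped like describe_workspaces / describe_instances /
# describe_security_groups responses; it describes no real environment.
WORKSPACES = [
    {"WorkspaceId": "ws-0001", "SubnetId": "subnet-euc-a", "SecurityGroupIds": ["sg-euc"]},
    {"WorkspaceId": "ws-0002", "SubnetId": "subnet-euc-b", "SecurityGroupIds": ["sg-euc"]},
]
USER_SUBNET_CIDRS = {"subnet-euc-a": "10.0.10.0/24", "subnet-euc-b": "10.0.11.0/24"}
INFRA_INSTANCES = [  # an application server and a directory server
    {"InstanceId": "i-app01", "SubnetId": "subnet-app", "SecurityGroupIds": ["sg-app"]},
    {"InstanceId": "i-dir01", "SubnetId": "subnet-euc-a", "SecurityGroupIds": ["sg-dir"]},
]
SECURITY_GROUPS = {  # group id -> inbound IpPermissions
    "sg-app": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,  # least-privilege shape
         "UserIdGroupPairs": [{"GroupId": "sg-euc"}], "IpRanges": []},
        {"IpProtocol": "-1", "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
    "sg-dir": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "UserIdGroupPairs": [{"GroupId": "sg-euc"}], "IpRanges": []},
    ],
}


def audit(workspaces, infra, sgs, user_cidrs):
    """Return one finding per infrastructure instance/rule that is not separated from users."""
    user_subnets = {w["SubnetId"] for w in workspaces}
    user_sgs = {g for w in workspaces for g in w["SecurityGroupIds"]}
    findings = []
    for inst in infra:
        iid = inst["InstanceId"]
        if inst["SubnetId"] in user_subnets:  # infrastructure belongs on its own subnets
            findings.append(f"{iid}: shares subnet {inst['SubnetId']} with user instances")
        for sg_id in inst["SecurityGroupIds"]:
            for rule in sgs.get(sg_id, []):
                all_ports = rule["IpProtocol"] == "-1" or (
                    rule.get("FromPort") == 0 and rule.get("ToPort") == 65535)
                if not all_ports:
                    continue  # port-scoped rules are the intended least-privilege shape
                for pair in rule["UserIdGroupPairs"]:
                    if pair["GroupId"] in user_sgs:
                        findings.append(f"{iid}/{sg_id}: all ports open from user group {pair['GroupId']}")
                for rng in rule["IpRanges"]:  # CIDR rules that reach user subnets
                    hit = [s for s, c in user_cidrs.items()
                           if ip_network(rng["CidrIp"]).overlaps(ip_network(c))]
                    if hit:
                        findings.append(f"{iid}/{sg_id}: all ports open from {rng['CidrIp']} covering {hit}")
    return findings
```

Against real accounts, feed `audit` the output of the corresponding boto3 calls; an environment that follows this practice returns an empty list.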

You can apply security controls to the non-end user instances at various points using AWS capabilities, such as separate AWS accounts and VPCs, VPC endpoints, proxy servers, and network firewalls. Review the network security best practices for WorkSpaces and AppStream 2.0 to improve the security posture of your EUC environment.