EUCSEC10-BP02 Restrict access to open ports on instances to reduce risks
Restrict the network ports in use on end user systems to reduce their exposure surface. Block every port that is not required for the operation and support of those systems, using host-based firewalls, network firewalls, or both.
Level of risk exposed if this best practice is not established: High
Implementation guidance
Implement network security controls on Amazon EUC instances. AWS provides several services and capabilities that help you secure EUC instances for Amazon WorkSpaces and WorkSpaces Applications. In addition to these services, use operating system capabilities and additional software where they are needed to reach the required level of security.
For AWS networking, evaluate the following services and features:
- Network ACLs
- Security groups
- AWS Network Firewall
- NAT Gateway
Use these services to create a baseline of network security. Security groups are stateful and allow-only, so any port without an explicit inbound rule is blocked; network ACLs are stateless and apply at the subnet boundary, so they need matching inbound and outbound entries and can also express explicit denies. Additionally, review and explore the best practices for VPC and networking in WorkSpaces.
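The check a practitioner usually wants after defining that baseline is a way to confirm that a security group really only opens the ports the deployment needs. The following script is an added example and is not part of the AWS documentation or of any AWS tool: it audits a security group description in the shape returned by boto3's `describe_security_groups()` against a port allowlist, flagging rules that permit anything outside the list and rules whose source is the whole Internet. The security group and the allowlist (443 and 4172 are used purely for illustration) are constructed for the example; no AWS API is called, so it runs offline.

```python
"""Audit EC2 security group inbound rules against a port allowlist.

Added example, not from AWS. SAMPLE_SG below is constructed by hand in the
shape boto3's describe_security_groups() returns; nothing here calls AWS.
"""
from ipaddress import ip_network

# Hypothetical allowlist of (protocol, from_port, to_port) tuples that this
# security group is expected to permit inbound. Replace with the ports AWS
# documents for your WorkSpaces deployment; these values are assumptions.
ALLOWED_INBOUND = {
    ("tcp", 443, 443),    # HTTPS
    ("tcp", 4172, 4172),  # assumed streaming port, for illustration only
    ("udp", 4172, 4172),
}

ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")


def _sources(perm):
    """Yield every source on an IpPermission entry as a string label."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for g in perm.get("UserIdGroupPairs", []):
        yield g["GroupId"]
    for p in perm.get("PrefixListIds", []):
        yield p["PrefixListId"]


def _is_world_open(src):
    """True if the source is 0.0.0.0/0 or ::/0; sg-/pl- references are not CIDRs."""
    try:
        return ip_network(src) in (ANY_V4, ANY_V6)
    except ValueError:
        return False


def audit_security_group(sg, allowed=ALLOWED_INBOUND):
    """Return findings for inbound rules that fall outside the allowlist.

    Each finding is (protocol, from_port, to_port, source, reason).
    'not-allowlisted' means the (proto, from, to) tuple is not exactly one
    of the permitted entries; 'world-open' means the source is 0.0.0.0/0
    or ::/0, which is reported even when the port itself is permitted.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":  # all protocols: FromPort/ToPort are absent
            key = ("-1", 0, 65535)
        else:
            key = (proto, perm.get("FromPort"), perm.get("ToPort"))
        for src in _sources(perm):
            if key not in allowed:
                findings.append(key + (src, "not-allowlisted"))
            if _is_world_open(src):
                findings.append(key + (src, "world-open"))
    return findings


# Constructed sample: one compliant rule, one RDP rule open to the world,
# one permitted streaming rule, and an all-traffic rule from another group.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "workspaces-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 4172, "ToPort": 4172,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1",
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}

if __name__ == "__main__":
    for proto, lo, hi, src, reason in audit_security_group(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {proto} {lo}-{hi} from {src}: {reason}")
```

Against the constructed group the audit reports three findings: the RDP rule twice (not allowlisted, and open to 0.0.0.0/0) and the all-protocols rule once. Rules referencing another security group or a prefix list are still checked against the allowlist but are never treated as world-open, because the source is not a CIDR. To run it against a live account, feed each element of `describe_security_groups()["SecurityGroups"]` to `audit_security_group`.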
In addition to AWS security capabilities and services, when users require Internet access from browsers installed on Amazon WorkSpaces or WorkSpaces Applications instances, consider routing that traffic through a web proxy so that website access is logged and browsing can be restricted to approved destinations.
On Amazon WorkSpaces and WorkSpaces Applications instances, use the operating system's own capabilities to harden the instances. For example, use the host-based firewall built into the operating system to block ports that the instances do not need to expose. In addition, consider endpoint protection software to detect and mitigate threats introduced by software running locally on the instances. For detail on the ports required by Amazon WorkSpaces and WorkSpaces Applications, see the following: