

# Managing data protection settings in Amazon WorkSpaces Secure Browser
<a name="data-protection-settings"></a>

Data Protection Settings are used to help protect data from being shared during a session. Settings can be created and applied to multiple portals.

**Topics**
+ [Inline data redaction in Amazon WorkSpaces Secure Browser](inline-data-redaction.md)
+ [Default redaction configuration in Amazon WorkSpaces Secure Browser](default-redaction-configuration.md)
+ [Base inline redaction in Amazon WorkSpaces Secure Browser](base-inline-redaction.md)
+ [Custom inline redaction in Amazon WorkSpaces Secure Browser](custom-inline-redaction.md)
+ [Create data protection settings in Amazon WorkSpaces Secure Browser](create-data-protection-settings.md)
+ [Associate data protection settings in Amazon WorkSpaces Secure Browser](associate-data-protection-settings.md)
+ [Edit data protection settings in Amazon WorkSpaces Secure Browser](edit-data-protection-settings.md)
+ [Delete data protection settings in Amazon WorkSpaces Secure Browser](delete-data-protection-settings.md)

# Inline data redaction in Amazon WorkSpaces Secure Browser
<a name="inline-data-redaction"></a>

By adding inline data redaction to a portal, you can automatically detect and redact certain data from text displayed in web pages. You can create redaction policies by choosing from built-in patterns (such as social security numbers or credit card numbers), or by creating your own custom data types using regular expressions and keywords. Policies include configurable levels of enforcement and controls for the URLs where redaction should be enforced. 

The following components determine when data is redacted:
+ **Data Protection Settings** - Data Protection Settings is the name of the resource that includes your data types and enforcement criteria. To use this resource, first create your settings, then associate them to a portal. When users launch a session, your settings are enforced during the session. 
+ **In-session browser extension** - When you associate redaction settings with your portal, the session browser launches with a system-enforced browser extension that applies your settings. Data Protection Settings enforce redaction through pattern matching (regular expressions) and keyword searching, following your confidence level and URL enforcement configuration. Matches are detected in text strings and redacted before the text is displayed on the screen. The extension also sets related browser policies that limit users' ability to bypass redaction (such as disabling private browsing, developer tools, and network inspection).

The following Chrome browser policy changes are enforced by the in-session browser extension. For more information, see [Chrome Enterprise policy list](https://chromeenterprise.google/policies/).
+ Enforce browser policy to prevent users from viewing the session without redaction:
  + [IncognitoModeAvailability](https://chromeenterprise.google/policies/#IncognitoModeAvailability) = 1
  + [DeveloperToolsAvailability](https://chromeenterprise.google/policies/#DeveloperToolsAvailability) = 2
  + [BrowserAddPersonEnabled](https://chromeenterprise.google/policies/#BrowserAddPersonEnabled) = false
  + [BrowserGuestModeEnabled](https://chromeenterprise.google/policies/#BrowserGuestModeEnabled) = false
+ The extension also prevents users from downloading HTML files from URLs that are enforcing data protection settings by canceling the download event.

In general, you should use redaction with private, structured websites (such as your customer management tools, ticketing systems, or wikis), and not for unstructured public browsing (such as Facebook or Google). You can choose from built-in data types (see below for the full list), or define custom data types using your own regular expression values and keywords. Administrators are responsible for testing and validating that each data type, confidence level, and URL enforcement are working as expected. AWS cannot guarantee compatibility with custom websites or applications provided by third parties. 

WorkSpaces Secure Browser does not currently support redaction of built-in or custom data types in non-text formats. Text in the following formats is not redacted:
+ Images, such as JPEG, PNG, or GIF
+ Web pages that let users do dynamic word processing or editing, such as Google Docs or Sheets
+ Audio or video streams accessed in the browser, such as YouTube videos
+ PDFs viewed in the Chrome browser

Do not use redaction for content in an unsupported format. Administrators are responsible for validating site and content compatibility prior to granting users access to content they intend to be redacted. 

# Default redaction configuration in Amazon WorkSpaces Secure Browser
<a name="default-redaction-configuration"></a>

The default redaction configuration will automatically apply a confidence level and URL enforcement for all built-in data types in the data protection settings. You have the option to override the default configuration when adding a built-in data type.

Confidence levels allow you to fine-tune the redaction logic for built-in data types using a combination of format, keywords, and unformatted text. Choose the level of strictness for how redaction is applied: High, Medium, or Low. The default value applies to all data types, unless an override is applied at the data type level. In general, start with a default configuration of Medium, and refine by validating that redaction is enforced as expected on your sites. 

| Confidence level | Description | Example | 
| --- | --- | --- | 
| High | Requires a formatted text pattern match in order for content to be redacted. | An SSN of 123-45-6798 would be redacted, while 123456789 would not. | 
| Medium | Redaction considers both formatted and unformatted text, and adds keyword association to the logic. | An SSN of 123-45-6798 would be redacted. 123456789 would be redacted if detected near a keyword (such as "social security number"). | 
| Low | Redaction is enforced for both the formatted and the unformatted pattern, without requiring a keyword. | An SSN in either format, 123-45-6798 or 123456789, is redacted without requiring a keyword. | 
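The following is an added example that models the three confidence levels in the table above for the US SSN data type. It is illustrative code, not the WorkSpaces Secure Browser extension: the two patterns, the keyword list, the 40-character keyword window, and the replacement token are assumptions chosen to match the table's behavior, and the service's actual patterns are not published here.

```javascript
// Added example: a minimal model of the High/Medium/Low confidence levels.
// The SSN patterns, keywords, window size and replacement token are assumptions.

const SSN = {
  // Formatted pattern: three-two-four digits separated by hyphens.
  formatted: /\b\d{3}-\d{2}-\d{4}\b/g,
  // Unformatted pattern: nine contiguous digits.
  unformatted: /\b\d{9}\b/g,
  // Keywords that make an unformatted match credible at Medium confidence.
  keywords: [/social security number/i, /\bssn\b/i],
  replacement: "***-**-****",
};

const KEYWORD_WINDOW = 40; // characters of context checked on each side of a match (assumed)

// Returns true when any keyword appears within KEYWORD_WINDOW characters of
// the span [start, end) of text.
function keywordNearby(text, start, end, keywords) {
  const context = text.slice(Math.max(0, start - KEYWORD_WINDOW), end + KEYWORD_WINDOW);
  return keywords.some((k) => k.test(context));
}

// Replaces every match of `pattern` in `text` for which `accept(start, end)`
// returns true. A fresh RegExp is built so the shared lastIndex state of a
// global regex cannot leak between calls.
function redactMatches(text, pattern, replacement, accept) {
  const flags = pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g";
  const re = new RegExp(pattern.source, flags);
  let out = "";
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    const start = m.index;
    const end = start + m[0].length;
    if (accept(start, end)) {
      out += text.slice(last, start) + replacement;
      last = end;
    }
    if (m[0].length === 0) re.lastIndex++; // never loop forever on a zero-length match
  }
  return out + text.slice(last);
}

// Applies one data type to text at the given confidence level.
function redact(text, dataType, level) {
  const always = () => true;
  // The formatted pattern is redacted at every level.
  const afterFormatted = redactMatches(text, dataType.formatted, dataType.replacement, always);
  if (level === "High") return afterFormatted;
  // Medium: an unformatted match also needs a keyword in its surrounding context.
  // Low: unformatted matches are redacted unconditionally.
  const accept =
    level === "Medium"
      ? (s, e) => keywordNearby(afterFormatted, s, e, dataType.keywords)
      : always;
  return redactMatches(afterFormatted, dataType.unformatted, dataType.replacement, accept);
}
```

Note the zero-length guard in `redactMatches` and the use of a replacement token that contains no digits and no keyword: a replacement such as `[SSN]` would itself satisfy the `ssn` keyword and turn an unrelated nine-digit number next to it into a Medium-confidence match.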

You must also set the default URL enforcement for all data types. You can choose from the following options:
+ All URLs 
+ Specific URLs
+ Advanced configuration

The default value will apply to all data types, unless an override is applied at the data type level. URL enforcement uses similar logic to Chrome policy for managing allow and blocklists. For guidance using block and allow URLs, see [Allow or block access to websites](https://support.google.com/chrome/a/answer/7532419?hl=en#zippy=%2Clinux). For the best results, add URLs to these lists following Chrome's blocklist filter format. For more information, see [URL blocklist filter format](https://support.google.com/chrome/a/answer/9942583?_ga=2.44620960.505898626.1675896662-439274379.1675896662&visit_id=638114931513376779-3689089291&p=url_blocklist_filter_format&rd=1).
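The following is an added example of how URL filters written in Chrome's blocklist filter format are matched against a page URL, so you can check your enforcement and exception lists before attaching them to a setting. It is illustrative code, not the service's matcher: it models only the `[scheme://][.]host[:port][/path]` subset plus the `*` wildcard, the specificity score is an assumption, and the tie-breaking rule (the more specific filter wins, exceptions win a tie) is taken from Chrome's documented allowlist/blocklist behavior rather than from this page.

```javascript
// Added example: a simplified matcher for Chrome's URL blocklist filter format.
// Supported subset: [scheme://][.]host[:port][/path] and the wildcard "*".
// A leading "." pins the host to an exact match; otherwise subdomains match too.
// The path is a prefix match. Query strings and the "@" syntax are not modelled.

function parseFilter(filter) {
  if (filter === "*") return { any: true, specificity: 0 };
  let rest = filter;
  let scheme = null;
  const schemeIdx = rest.indexOf("://");
  if (schemeIdx !== -1) {
    scheme = rest.slice(0, schemeIdx).toLowerCase();
    rest = rest.slice(schemeIdx + 3);
  }
  let path = "";
  const pathIdx = rest.indexOf("/");
  if (pathIdx !== -1) {
    path = rest.slice(pathIdx);
    rest = rest.slice(0, pathIdx);
  }
  let port = null;
  const portIdx = rest.lastIndexOf(":"); // IPv6 literals are not handled
  if (portIdx !== -1) {
    port = Number(rest.slice(portIdx + 1));
    rest = rest.slice(0, portIdx);
  }
  const exactHost = rest.startsWith(".");
  const host = (exactHost ? rest.slice(1) : rest).toLowerCase();
  // Assumed scoring: more host labels beat fewer, then a longer path wins.
  const specificity = host.split(".").length * 100 + path.length;
  return { any: false, scheme, host, exactHost, port, path, specificity };
}

function filterMatches(f, url) {
  if (f.any) return true;
  const u = new URL(url);
  if (f.scheme !== null && u.protocol !== f.scheme + ":") return false;
  const host = u.hostname.toLowerCase();
  const hostOk = f.exactHost
    ? host === f.host
    : host === f.host || host.endsWith("." + f.host);
  if (!hostOk) return false;
  if (f.port !== null) {
    const defaults = { "https:": 443, "http:": 80 };
    const urlPort = u.port ? Number(u.port) : defaults[u.protocol];
    if (urlPort !== f.port) return false;
  }
  return u.pathname.startsWith(f.path);
}

// Picks the most specific filter in `filters` that matches `url`, or null.
function bestMatch(filters, url) {
  return filters
    .map(parseFilter)
    .filter((f) => filterMatches(f, url))
    .reduce((acc, f) => (acc === null || f.specificity > acc.specificity ? f : acc), null);
}

// Decides whether redaction is enforced for `url`. `enforceFilters` is the
// list of URLs where redaction applies; `exceptionFilters` carves out URLs
// where it does not. When both match, the more specific filter wins, and an
// exception wins a tie (assumption modelled on Chrome's allowlist behaviour).
function redactionEnforced(url, enforceFilters, exceptionFilters) {
  const e = bestMatch(enforceFilters, url);
  const x = bestMatch(exceptionFilters, url);
  if (e === null) return false;
  if (x === null) return true;
  return e.specificity > x.specificity;
}
```

This mirrors the example in the Base inline redaction section: enforcing `example.com` while excepting `directory.example.com` keeps email addresses readable in the directory but redacts them on every other host under the domain.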

# Base inline redaction in Amazon WorkSpaces Secure Browser
<a name="base-inline-redaction"></a>

Inline data redaction has support for built-in patterns (such as social security numbers and credit card numbers), which you can find listed under **Base inline redaction**. Choose the data type(s) from the drop-down menu, and specify the replacement value for each data type. All data types follow the default configuration enforcement pattern above, but you can choose to override the confidence level, and fine-tune the domain enforcement pattern for each data type. 

To enter an alternative value from the default configuration, choose **Confidence level override**. For example, with the default configuration set to Medium, you might notice during testing that one of your data types is not being redacted reliably. You can set the override to Low to increase the chance of redaction, without adjusting the logic used for your other data types. 

To fine-tune the way redaction is applied across URLs without changing the default configuration, apply **URL enforcement overrides**. For example, you can use URL overrides to enforce email address redaction in your customer relationship management system, without breaking user access to email addresses in the company directory website or web-based email.

The following is a list of data types and their corresponding built-in pattern IDs:

| builtInPatternId | Data type | 
| --- | --- | 
| awsAccessKey | AWS Access Key | 
| awsSecretKey | AWS Secret Key | 
| cardNumbers | Credit Card Numbers | 
| crypto | Cryptocurrency Addresses | 
| cusipNum | CUSIP Number | 
| date | Date | 
| deaNum | US DEA Numbers | 
| dob | Date of Birth | 
| driversLicense | US Driver's Licenses | 
| emailAddress | Email Address | 
| ein | US Employer Identification Number | 
| expDate | Credit Card Expiration Date | 
| healthInsuranceNum | Medicare Health Insurance Claim Number | 
| hipaaCode | HIPAA ICD-10 Code | 
| indivTaxId | US Individual Tax Id | 
| ipAddr | IP Address | 
| isin | International Securities Identification Numbers | 
| jwt | JSON Web Token | 
| locationCoord | Location Coordinates | 
| macAddr | MAC Address | 
| medicareBeneficiaryId | Medicare Beneficiary Number | 
| npi | National Provider Identification Number | 
| ndc | National Drug Codes (NDC) | 
| passportNum | US Passport Number | 
| phoneNum | Phone Number | 
| routingNumber | ABA Routing Number | 
| ssn | US Social Security Number | 
| swiftCode | SWIFT Code | 
| time | Time | 
| vin | US Vehicle Identification Number | 

# Custom inline redaction in Amazon WorkSpaces Secure Browser
<a name="custom-inline-redaction"></a>

You can define your own patterns using regular expressions, for example to redact custom internal application IDs. To create a custom inline redaction pattern, follow these steps:

1. Go to your data protection setting.

1. Choose **Custom inline redaction** and **add**.

1. Enter a name for the custom data type.

1. Enter your regular expression value.
   + Regular expression values must match the JavaScript regular expression literal syntax. For more information, see [Regular expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions). An example regular expression is `/ex[am]+ple/i`.
   + Make sure to test your custom patterns on the websites that you plan on supporting. If custom patterns are written with errors, they can introduce unintended performance issues.

1. Specify the replacement value.

1. Choose **More options** for more optional customizations, including the following:
   + Add **keywords** to fine-tune the redaction logic. Keywords can increase the accuracy of enforcement. Add keywords in the JavaScript regular expression literal syntax. For more information, see [Regular expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions).

     For example, if you are creating a custom redaction pattern for client IDs used in an internal system, you can add `/client name/i` to the keyword field to inform the scanning and detection logic.
   + Apply **URL enforcement overrides** to fine-tune the way redaction is applied across URLs, without changing the default configuration.

     For example, you can use URL overrides to enforce email address redaction in your customer relationship management system, without breaking user access to email addresses in the company directory website or web-based email.
   + Enter a **description** (optional) for the data type.
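The following is an added example of the testing that step 4 asks for: it validates that a custom pattern and its keywords are written in JavaScript regular expression literal syntax, rejects a pattern that can match the empty string (a common source of the performance problems mentioned above), and dry-runs the data type against sample page text. It is illustrative code, not the service's API: the data-type object shape, the 30-character keyword window, the `CL-` client ID scheme, and the sample page text are all constructed for this example.

```javascript
// Added example: validate and dry-run a custom inline redaction pattern.
// The data-type shape, keyword window, ID scheme and sample text are assumptions.

// Converts a regex literal string such as "/client-\d{6}/i" into a RegExp.
// Throws on anything that is not literal syntax or that does not compile.
function parseRegexLiteral(literal) {
  const m = /^\/(.+)\/([a-z]*)$/s.exec(literal);
  if (!m) throw new Error(`not a regex literal: ${literal}`);
  const [, source, flags] = m;
  for (const f of flags) {
    if (!"gimsuy".includes(f)) throw new Error(`unsupported flag "${f}" in ${literal}`);
  }
  // Always scan globally so every occurrence on the page is considered.
  return new RegExp(source, flags.includes("g") ? flags : flags + "g");
}

// A pattern that matches the empty string "redacts" nothing while being
// evaluated at every position of every page; reject it up front.
function matchesEmpty(re) {
  return new RegExp(re.source, re.flags.replace("g", "")).test("");
}

const KEYWORD_WINDOW = 30; // characters of context on each side of a match (assumed)

// Dry-runs a custom data type against text. Returns the redacted text and a
// list of matches, each flagged with whether a keyword was found nearby.
// When the data type has no keywords, every match is redacted.
function dryRun(dataType, text) {
  const re = parseRegexLiteral(dataType.pattern);
  if (matchesEmpty(re)) throw new Error(`pattern matches the empty string: ${dataType.pattern}`);
  const keywords = (dataType.keywords || []).map(parseRegexLiteral);
  const matches = [];
  let out = "";
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    const start = m.index;
    const end = start + m[0].length;
    const context = text.slice(Math.max(0, start - KEYWORD_WINDOW), end + KEYWORD_WINDOW);
    const keywordNearby =
      keywords.length === 0 ||
      keywords.some((k) => { k.lastIndex = 0; return k.test(context); });
    matches.push({ value: m[0], start, keywordNearby });
    if (keywordNearby) {
      out += text.slice(last, start) + dataType.replacement;
      last = end;
    }
  }
  return { redacted: out + text.slice(last), matches };
}

// Constructed sample: an internal client ID scheme, "CL-" followed by six digits,
// with a keyword that mirrors the "/client name/i" example above.
const CLIENT_ID = {
  name: "Internal client ID",
  pattern: "/\\bCL-\\d{6}\\b/",
  keywords: ["/client (name|id)/i"],
  replacement: "CL-******",
};

// Constructed sample page text: one real client ID next to its keyword, and a
// look-alike ticket reference with no keyword in range.
const SAMPLE_PAGE =
  "Client name: Acme (CL-104233). Ticket ref 2024-CL-999999 is unrelated.";
```

Run `dryRun(CLIENT_ID, SAMPLE_PAGE)` against representative pages from each site you plan to support and review the `matches` list for both misses and false positives before saving the data type; in the sample text the look-alike ticket reference is reported as a match but left unredacted because no keyword is within range.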

# Create data protection settings in Amazon WorkSpaces Secure Browser
<a name="create-data-protection-settings"></a>

You can create data protection settings in WorkSpaces Secure Browser.

**To create data protection settings**

1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/](https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/).

1. In the left-hand navigation pane, choose **Data Protection Settings**.

1. Choose **Create Data Protection Settings**.

1. Enter a display name (required) and description (optional) for the setting. 

1. Select the default settings for inline redaction. You can set the following:
   + The level of strictness of all data types
   + The domains on which redaction should be enforced

1. Choose your base inline redaction data types from the supported types, or create a custom data type. You can set overrides for each data type, including the level of strictness and domain exceptions.

1. Add any **Tags** (optional) for reporting.

1. When you are done, choose **Save**.

# Associate data protection settings in Amazon WorkSpaces Secure Browser
<a name="associate-data-protection-settings"></a>

You can associate data protection settings in WorkSpaces Secure Browser.

**To associate a data protection setting with an existing portal**

1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/](https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/).

1. In the left hand navigation pane, choose **Web portals**.

1. Select the web portal, and choose **Edit**.

1. Under **Data protection settings**, select the setting for your portal.

1. Choose **Save**.

To associate a data protection setting when creating a new portal, follow these steps.

**To associate a data protection setting when creating a new portal**

1. Follow the instructions in [Creating a web portal for Amazon WorkSpaces Secure Browser](getting-started-step1.md) to create a portal, until you get to **data protection setting**.

1. Choose your **data protection setting** from the drop-down menu.

1. Complete the steps in [Creating a web portal for Amazon WorkSpaces Secure Browser](getting-started-step1.md) to finish creating your portal.

To create a data protection setting when creating a new portal, follow these steps.

**To create a data protection setting when creating a new portal**

1. Follow the instructions in [Creating a web portal for Amazon WorkSpaces Secure Browser](getting-started-step1.md) to create a portal, until you get to **data protection setting**.

1. Choose **data protection settings** from the drop-down menu.

1. Enter a display name (required) and description (optional) for the setting. 

1. Select the default settings for inline redaction. You can set the following:
   + The level of strictness of all data types
   + The domains on which redaction should be enforced

1. Choose your base inline redaction data types from the supported types, or create a custom data type. You can set overrides for each data type, including the level of strictness and domain exceptions.

1. Add any **Tags** (optional) for reporting.

1. When you are done, choose **Save**.

1. Select the refresh button under **data protection settings**, then choose your data protection setting from the drop-down menu.

1. Continue to follow the create portal instructions to finish creating your portal.

# Edit data protection settings in Amazon WorkSpaces Secure Browser
<a name="edit-data-protection-settings"></a>

You can edit data protection settings in WorkSpaces Secure Browser.

**To edit data protection settings**

1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/](https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/).

1. Choose **Data Protection Settings**, then choose the data protection setting you want to edit from the list view.

1. You can update the name, description, default settings, data types (supported or custom), and apply confidence level or domain overrides.

1. Choose **Save**.

# Delete data protection settings in Amazon WorkSpaces Secure Browser
<a name="delete-data-protection-settings"></a>

You can delete data protection settings in WorkSpaces Secure Browser.

**To delete data protection settings**

1. If you have a portal associated with a data protection setting, you must first remove the association before deleting the data protection setting. 

1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/](https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/).

1. Choose **Data Protection Settings**, then choose the data protection setting you want to delete from the list view.

1. Choose **Delete**.