

# Security in Amazon WorkSpaces
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Amazon WorkSpaces, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company's requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using WorkSpaces. The following topics show you how to configure WorkSpaces to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your WorkSpaces resources.

**Topics**
+ [Data protection in Amazon WorkSpaces](data-protection.md)
+ [Identity and access management for WorkSpaces](workspaces-access-control.md)
+ [Compliance validation for Amazon WorkSpaces](compliance-validation.md)
+ [Resilience in Amazon WorkSpaces](disaster-recovery-resiliency.md)
+ [Infrastructure Security in Amazon WorkSpaces](infrastructure-security.md)
+ [Update management in WorkSpaces](update-management.md)

# Data protection in Amazon WorkSpaces
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon WorkSpaces. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with WorkSpaces or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

For more information about WorkSpaces and FIPS endpoint encryption, see [Configure FedRAMP authorization or DoD SRG compliance for WorkSpaces Personal](fips-encryption.md).

## Encryption at rest
<a name="encryption-rest"></a>

You can encrypt the storage volumes for your WorkSpaces using an AWS KMS key from AWS Key Management Service (AWS KMS). For more information, see [Encrypted WorkSpaces in WorkSpaces Personal](encrypt-workspaces.md).

When you create WorkSpaces with encrypted volumes, WorkSpaces uses Amazon Elastic Block Store (Amazon EBS) to create and manage those volumes. EBS encrypts your volumes with a data key using the industry-standard AES-256 algorithm. For more information, see [Amazon EBS Encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) in the *Amazon EC2 User Guide*.

## Encryption in transit
<a name="encryption-transit"></a>

For PCoIP, data in transit is encrypted using TLS 1.2 encryption and SigV4 request signing. The PCoIP protocol uses encrypted UDP traffic, with AES encryption, for streaming pixels. The streaming connection, using port 4172 (TCP and UDP), is encrypted by using AES-128 and AES-256 ciphers, but the encryption defaults to 128-bit. You can change this default to 256-bit, either by using the **Configure PCoIP Security Settings** Group Policy setting for Windows WorkSpaces, or by modifying the **PCoIP Security Settings** in the `pcoip-agent.conf` file for Amazon Linux WorkSpaces.

To learn more about Group Policy administration for Amazon WorkSpaces, see [Configure PCoIP security settings](group_policy.md#gp_security) in [Manage your Windows WorkSpaces in WorkSpaces Personal](group_policy.md). To learn more about modifying the `pcoip-agent.conf` file, see [Control PCoIP Agent behavior on Amazon Linux WorkSpaces](manage_linux_workspace.md#pcoip_agent_linux) and [PCoIP Security Settings](https://www.teradici.com/web-help/pcoip_agent/standard_agent/linux/21.03/admin-guide/configuring/configuring/#pcoip-security-settings) in the Teradici documentation.

For DCV, streaming and control data in transit is encrypted using TLS 1.3 encryption for UDP traffic and TLS 1.2 encryption for TCP traffic, with AES-256 ciphers.

# Identity and access management for WorkSpaces
<a name="workspaces-access-control"></a>

By default, IAM users don't have permissions for WorkSpaces resources and operations. To allow IAM users to manage WorkSpaces resources, you must create an IAM policy that explicitly grants them permissions, and attach the policy to the IAM users or groups that require those permissions.

**Note**  
Amazon WorkSpaces doesn’t support the provisioning of IAM credentials into a WorkSpace (such as with an instance profile).

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

Following are additional resources for IAM:
+ For more information about IAM policies, see [Policies and Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ For more information about IAM, see [Identity and Access Management (IAM)](https://aws.amazon.com/iam) and the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/).
+ For more information about WorkSpaces-specific resources, actions, and condition context keys for use in IAM permission policies, see [Actions, Resources, and Condition Keys for Amazon WorkSpaces](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonworkspaces.html) in the *IAM User Guide*.
+ For a tool that helps you create IAM policies, see the [AWS Policy Generator](https://aws.amazon.com/blogs/aws/aws-policy-generator/). You can also use the [IAM Policy Simulator](https://docs.aws.amazon.com/IAM/latest/UsingPolicySimulatorGuide/) to test whether a policy would allow or deny a specific request to AWS.

**Topics**
+ [Example policies](#workspaces-example-iam-policies)
+ [Specify WorkSpaces resources in an IAM policy](#wsp_iam_resource)
+ [Create the workspaces_DefaultRole Role](#create-default-role)
+ [Create the AmazonWorkSpacesPCAAccess service role](#create-pca-access-role)
+ [AWS managed policies for WorkSpaces](managed-policies.md)
+ [Access to WorkSpaces and scripts on streaming instances](using-iam-roles-to-grant-permissions-to-applications-scripts-streaming-instances.md)
+ [Amazon WorkSpaces Console operations permissions reference](wsp-console-permissions-ref.md)

## Example policies
<a name="workspaces-example-iam-policies"></a>

The following examples show policy statements that you could use to control the permissions that IAM users have to Amazon WorkSpaces.

### Example 1: Grant access to perform WorkSpaces personal and pools tasks
<a name="perform-workspaces-personal-pools-tasks"></a>

The following policy statement grants an IAM user permission to perform WorkSpaces personal and pools tasks.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:*",
                "workspaces:*",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:RegisterScalableTarget",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:PutRolePolicy",
                "kms:ListAliases",
                "kms:ListKeys",
                "secretsmanager:ListSecrets",
                "tag:GetResources",
                "sso-directory:SearchUsers",
                "sso:CreateApplication",
                "sso:DeleteApplication",
                "sso:DescribeApplication",
                "sso:DescribeInstance",
                "sso:GetApplicationGrant",
                "sso:ListInstances",
                "sso:PutApplicationAssignmentConfiguration",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant"
            ],
            "Resource": "*"
        },
        {
            "Sid": "iamPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "workspaces.amazonaws.com"
                }
            }
        }
    ]
}
```

------

### Example 2: Grant access to perform WorkSpaces Personal tasks
<a name="perform-workspaces-personal-tasks"></a>

The following policy statement grants an IAM user permission to perform all WorkSpaces Personal tasks.

Although Amazon WorkSpaces fully supports the `Action` and `Resource` elements when using the API and command line tools, to use Amazon WorkSpaces from the AWS Management Console, an IAM user must have permissions for the following actions and resources:
+ Actions: `"ds:*"`
+ Resources: `"Resource": "*"`

The following example policy shows how to allow an IAM user to use Amazon WorkSpaces from the AWS Management Console. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:*",
        "ds:*",
        "iam:GetRole",
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:CreatePolicy",
        "iam:AttachRolePolicy",
        "iam:ListRoles",
        "kms:ListAliases",
        "kms:ListKeys",
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:CreateNetworkInterface",
        "ec2:CreateInternetGateway",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute",
        "ec2:CreateTags",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:AttachInternetGateway",
        "ec2:AssociateRouteTable",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteNetworkInterface",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "secretsmanager:ListSecrets",
        "sso-directory:SearchUsers",
        "sso:CreateApplication",
        "sso:DeleteApplication",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:GetApplicationGrant",
        "sso:ListInstances",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant"
      ],
      "Resource": "*"
    },
    {
      "Sid": "iamPassRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "workspaces.amazonaws.com"
        }
      }
    }
  ]
}
```

------

### Example 3: Grant access to perform WorkSpaces Pools tasks
<a name="perform-workspaces-pools-tasks"></a>

The following policy statement grants an IAM user permission to perform all WorkSpaces Pools tasks.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "workspaces:*",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:RegisterScalableTarget",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:PutRolePolicy",
                "secretsmanager:ListSecrets",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "iamPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "workspaces.amazonaws.com"
                }
            }
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/workspaces.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_WorkSpacesPool",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "workspaces.application-autoscaling.amazonaws.com"
                }
            }
        }
    ]
}
```

------

### Example 4: Perform all WorkSpaces tasks for BYOL WorkSpaces
<a name="perform-byol-workspaces-tasks"></a>

The following policy statement grants an IAM user permission to perform all WorkSpaces tasks, including those Amazon EC2 tasks necessary for creating Bring Your Own License (BYOL) WorkSpaces.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:*",
                "workspaces:*",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:ModifyImageAttribute",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:PutRolePolicy",
                "kms:ListAliases",
                "kms:ListKeys"
            ],
            "Resource": "*"
        },
        {
            "Sid": "iamPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "workspaces.amazonaws.com"
                }
            }
        }
    ]
}
```

------

## Specify WorkSpaces resources in an IAM policy
<a name="wsp_iam_resource"></a>

To specify a WorkSpaces resource in the `Resource` element of the policy statement, use the Amazon Resource Name (ARN) of the resource. You control access to your WorkSpaces resources by either allowing or denying permissions to use the API actions that are specified in the `Action` element of your IAM policy statement. WorkSpaces defines ARNs for WorkSpaces, bundles, IP groups, and directories.

### WorkSpace ARN
<a name="wsp_arn_syntax"></a>

A WorkSpace ARN has the syntax shown in the following example.

```
arn:aws:workspaces:region:account_id:workspace/workspace_identifier
```

*region*  
The Region that the WorkSpace is in (for example, `us-east-1`).

*account_id*  
The ID of the AWS account, with no hyphens (for example, `123456789012`).

*workspace_identifier*  
The ID of the WorkSpace (for example, `ws-a1bcd2efg`).

The following is the format of the `Resource` element of a policy statement that identifies a specific WorkSpace.

```
"Resource": "arn:aws:workspaces:region:account_id:workspace/workspace_identifier"
```

You can use the `*` wildcard to specify all WorkSpaces that belong to a specific account in a specific Region.

### WorkSpace pool ARN
<a name="wsp_pools_arn_syntax"></a>

A WorkSpace pool ARN has the syntax shown in the following example.

```
arn:aws:workspaces:region:account_id:workspacespool/workspacespool_identifier
```

*region*  
The Region that the WorkSpace pool is in (for example, `us-east-1`).

*account_id*  
The ID of the AWS account, with no hyphens (for example, `123456789012`).

*workspacespool_identifier*  
The ID of the WorkSpace pool (for example, `ws-a1bcd2efg`).

The following is the format of the `Resource` element of a policy statement that identifies a specific WorkSpace pool.

```
"Resource": "arn:aws:workspaces:region:account_id:workspacespool/workspacespool_identifier"
```

You can use the `*` wildcard to specify all WorkSpace pools that belong to a specific account in a specific Region.

### Certificate ARN
<a name="wsp_cert_arn_syntax"></a>

A WorkSpace certificate ARN has the syntax shown in the following example.

```
arn:aws:workspaces:region:account_id:workspacecertificate/workspacecertificate_identifier
```

*region*  
The Region that the WorkSpace certificate is in (for example, `us-east-1`).

*account_id*  
The ID of the AWS account, with no hyphens (for example, `123456789012`).

*workspacecertificate_identifier*  
The ID of the WorkSpace certificate (for example, `ws-a1bcd2efg`).

The following is the format of the `Resource` element of a policy statement that identifies a specific WorkSpace certificate.

```
"Resource": "arn:aws:workspaces:region:account_id:workspacecertificate/workspacecertificate_identifier"
```

You can use the `*` wildcard to specify all WorkSpace certificates that belong to a specific account in a specific Region.

### Image ARN
<a name="image_arn_syntax"></a>

A WorkSpace image ARN has the syntax shown in the following example.

```
arn:aws:workspaces:region:account_id:workspaceimage/image_identifier
```

*region*  
The Region that the WorkSpace image is in (for example, `us-east-1`).

*account_id*  
The ID of the AWS account, with no hyphens (for example, `123456789012`).

*image_identifier*  
The ID of the WorkSpace image (for example, `wsi-a1bcd2efg`).

The following is the format of the `Resource` element of a policy statement that identifies a specific image.

```
"Resource": "arn:aws:workspaces:region:account_id:workspaceimage/image_identifier"
```

You can use the `*` wildcard to specify all images that belong to a specific account in a specific Region.

### Bundle ARN
<a name="bundle_arn_syntax"></a>

A bundle ARN has the syntax shown in the following example.

```
arn:aws:workspaces:region:account_id:workspacebundle/bundle_identifier
```

*region*  
The Region that the bundle is in (for example, `us-east-1`).

*account_id*  
The ID of the AWS account, with no hyphens (for example, `123456789012`).

*bundle_identifier*  
The ID of the WorkSpace bundle (for example, `wsb-a1bcd2efg`).

The following is the format of the `Resource` element of a policy statement that identifies a specific bundle.

```
"Resource": "arn:aws:workspaces:region:account_id:workspacebundle/bundle_identifier"
```

You can use the `*` wildcard to specify all bundles that belong to a specific account in a specific Region.

### IP Group ARN
<a name="ipgroup_arn_syntax"></a>

An IP group ARN has the syntax shown in the following example.

```
arn:aws:workspaces:region:account_id:workspaceipgroup/ipgroup_identifier
```

*region*  
The Region that the IP group is in (for example, `us-east-1`).

*account_id*  
The ID of the AWS account, with no hyphens (for example, `123456789012`).

*ipgroup_identifier*  
The ID of the IP group (for example, `wsipg-a1bcd2efg`).

The following is the format of the `Resource` element of a policy statement that identifies a specific IP group.

```
"Resource": "arn:aws:workspaces:region:account_id:workspaceipgroup/ipgroup_identifier"
```

You can use the `*` wildcard to specify all IP groups that belong to a specific account in a specific Region.

### Directory ARN
<a name="directory_arn_syntax"></a>

A directory ARN has the syntax shown in the following example.

```
arn:aws:workspaces:region:account_id:directory/directory_identifier
```

*region*  
The Region that the directory is in (for example, `us-east-1`).

*account_id*  
The ID of the AWS account, with no hyphens (for example, `123456789012`).

*directory_identifier*  
The ID of the directory (for example, `d-12345a67b8`).

The following is the format of the `Resource` element of a policy statement that identifies a specific directory.

```
"Resource": "arn:aws:workspaces:region:account_id:directory/directory_identifier"
```

You can use the `*` wildcard to specify all directories that belong to a specific account in a specific Region.

### Connection alias ARN
<a name="connection_alias_arn_syntax"></a>

A connection alias ARN has the syntax shown in the following example.

```
arn:aws:workspaces:region:account_id:connectionalias/connectionalias_identifier
```

*region*  
The Region that the connection alias is in (for example, `us-east-1`).

*account_id*  
The ID of the AWS account, with no hyphens (for example, `123456789012`).

*connectionalias_identifier*  
The ID of the connection alias (for example, `wsca-12345a67b8`).

The following is the format of the `Resource` element of a policy statement that identifies a specific connection alias.

```
"Resource": "arn:aws:workspaces:region:account_id:connectionalias/connectionalias_identifier"
```

You can use the `*` wildcard to specify all connection aliases that belong to a specific account in a specific Region.

### API actions with no support for resource-level permissions
<a name="no-resource-level-permissions"></a>

You can't specify a resource ARN with the following API actions:
+ `AssociateIpGroups`
+ `CreateIpGroup`
+ `CreateTags`
+ `DeleteTags`
+ `DeleteWorkspaceImage`
+ `DescribeAccount`
+ `DescribeAccountModifications`
+ `DescribeIpGroups`
+ `DescribeTags`
+ `DescribeWorkspaceDirectories`
+ `DescribeWorkspaceImages`
+ `DescribeWorkspaces`
+ `DescribeWorkspacesConnectionStatus`
+ `DisassociateIpGroups`
+ `ImportWorkspaceImage`
+ `ListAvailableManagementCidrRanges`
+ `ModifyAccount`

For API actions that don't support resource-level permissions, you must specify the resource statement shown in the following example.

```
"Resource": "*"
```

### API actions that don't support account-level restrictions on shared resources
<a name="shared-resource-permissions"></a>

For the following API actions, you can't specify an account ID in the resource ARN when the resource isn't owned by the account:
+ `AssociateConnectionAlias`
+ `CopyWorkspaceImage`
+ `DisassociateConnectionAlias`

For these API actions, you can specify an account ID in the resource ARN only when that account owns the resources to be acted upon. When the account doesn't own the resources, you must specify `*` for the account ID, as shown in the following example.

```
"arn:aws:workspaces:region:*:resource_type/resource_identifier"
```
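The scoping rules in this section are easy to get wrong in a hand-written policy: an action from the list above paired with a narrow ARN never matches, and a shared-resource action with a fixed account ID only matches resources that account owns. The following linter, added here as an illustration (not AWS code), applies those two rules and the documented ARN syntaxes to a policy document; the sample policies, the Region-name check and the `aws` partition assumption are constructed for this example.

```python
import json
import re
from fnmatch import fnmatchcase

# API actions that ignore resource ARNs (the "no support for resource-level
# permissions" list above): they only take effect with "Resource": "*".
NO_RESOURCE_LEVEL = {
    "AssociateIpGroups", "CreateIpGroup", "CreateTags", "DeleteTags",
    "DeleteWorkspaceImage", "DescribeAccount", "DescribeAccountModifications",
    "DescribeIpGroups", "DescribeTags", "DescribeWorkspaceDirectories",
    "DescribeWorkspaceImages", "DescribeWorkspaces", "DescribeWorkspacesConnectionStatus",
    "DisassociateIpGroups", "ImportWorkspaceImage", "ListAvailableManagementCidrRanges",
    "ModifyAccount",
}
# Actions that need "*" as the account ID when another account owns the resource.
SHARED_RESOURCE_ACTIONS = {
    "AssociateConnectionAlias", "CopyWorkspaceImage", "DisassociateConnectionAlias",
}
# The eight documented ARN forms: arn:aws:workspaces:region:account_id:type/id.
# Assumes the "aws" partition and a Region name shaped like us-east-1 (constructed).
WS_ARN = re.compile(
    r"^arn:aws:workspaces:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d|\*):(?P<account>\d{12}|\*):"
    r"(?P<type>workspace|workspacespool|workspacecertificate|workspaceimage|"
    r"workspacebundle|workspaceipgroup|directory|connectionalias)/(?P<id>[^/\s]+)$"
)


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _matching_actions(action_patterns, candidates):
    """API names from candidates covered by the statement's Action patterns."""
    matched = set()
    for pattern in action_patterns:
        if pattern == "*":
            return set(candidates)
        service, _, name = pattern.partition(":")
        if service.lower() == "workspaces":  # matching is case-insensitive, * and ? wildcards
            matched |= {c for c in candidates if fnmatchcase(c.lower(), name.lower())}
    return matched


def lint_policy(policy):
    """Return (severity, statement_index, message) findings for a parsed policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        scoped = bool(resources) and "*" not in resources
        parsed = []
        for res in (r for r in resources if r.startswith("arn:aws:workspaces:")):
            match = WS_ARN.match(res)
            if match is None:
                findings.append(("error", idx, f"malformed WorkSpaces ARN: {res}"))
            else:
                parsed.append(match)
        if scoped:
            for name in sorted(_matching_actions(actions, NO_RESOURCE_LEVEL)):
                findings.append(("error", idx, f"workspaces:{name} ignores resource ARNs; "
                                 'grant it in a separate statement with "Resource": "*"'))
        shared = _matching_actions(actions, SHARED_RESOURCE_ACTIONS)
        if shared and any(m.group("account") != "*" for m in parsed):
            findings.append(("warning", idx, ", ".join(sorted(shared)) + ": an explicit "
                             "account ID only matches resources that account owns; use *"))
    return findings


# Constructed sample: statement 0 over-scopes DescribeWorkspaces; statement 1
# mixes a malformed ARN with a shared-resource action and a fixed account ID.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["workspaces:DescribeWorkspaces", "workspaces:RebootWorkspaces"],
     "Resource": "arn:aws:workspaces:us-east-1:123456789012:workspace/ws-a1bcd2efg"},
    {"Effect": "Allow", "Action": "workspaces:CopyWorkspaceImage",
     "Resource": ["arn:aws:workspaces:us-east-1:123456789012:workspaceimage/wsi-a1bcd2efg",
                  "arn:aws:workspaces:us-east-1:123456789012:image/wsi-a1bcd2efg"]}
  ]
}""")

# The same grants, restructured so that every statement can actually match.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "workspaces:DescribeWorkspaces", "Resource": "*"},
    {"Effect": "Allow", "Action": "workspaces:RebootWorkspaces",
     "Resource": "arn:aws:workspaces:us-east-1:123456789012:workspace/ws-a1bcd2efg"},
    {"Effect": "Allow", "Action": "workspaces:CopyWorkspaceImage",
     "Resource": "arn:aws:workspaces:us-east-1:*:workspaceimage/wsi-a1bcd2efg"}
  ]
}""")

if __name__ == "__main__":
    for severity, idx, message in lint_policy(SAMPLE_POLICY):
        print(f"{severity}: statement {idx}: {message}")
    print("fixed policy findings:", lint_policy(FIXED_POLICY))
```

Run it against a policy exported with `aws iam get-policy-version` before attaching it; an empty result means every statement is at least structurally able to match.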

## Create the workspaces_DefaultRole Role
<a name="create-default-role"></a>

Before you can register a directory using the API, you must verify that a role named `workspaces_DefaultRole` exists. This role is created by Quick Setup or when you launch a WorkSpace using the AWS Management Console, and it grants Amazon WorkSpaces permission to access specific AWS resources on your behalf. If this role does not exist, you can create it using the following procedure.

**To create the workspaces_DefaultRole role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Roles**.

1. Choose **Create role**.

1. Under **Select type of trusted entity**, choose **Another AWS account**.

1. For **Account ID**, enter your account ID with no hyphens or spaces.

1. For **Options**, do not specify multi-factor authentication (MFA).

1. Choose **Next: Permissions**.

1. On the **Attach permissions policies** page, select the AWS managed policies **AmazonWorkSpacesServiceAccess**, **AmazonWorkSpacesSelfServiceAccess**, and **AmazonWorkSpacesPoolServiceAccess**. For more information about these managed policies, see [AWS managed policies for WorkSpaces](managed-policies.md).

1. Under **Set permissions boundary**, we recommend that you not use a permissions boundary because of the potential for conflicts with the policies that are attached to this role. Such conflicts could block certain necessary permissions for the role.

1. Choose **Next: Tags**.

1. On the **Add tags (optional)** page, add tags if needed.

1. Choose **Next: Review**.

1. On the **Review** page, for **Role name**, enter **workspaces_DefaultRole**.

1. (Optional) For **Role description**, enter a description.

1. Choose **Create Role**.

1. On the **Summary** page for the workspaces_DefaultRole role, choose the **Trust relationships** tab.

1. On the **Trust relationships** tab, choose **Edit trust relationship**.

1. On the **Edit Trust Relationship** page, replace the existing policy statement with the following statement.

   ```
   {
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "workspaces.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Choose **Update Trust Policy**.
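The console procedure above can be automated and, more usefully, re-checked on a schedule so that drift in the trust policy or a detached managed policy is repaired rather than silently breaking directory registration. The following script is an added example, not AWS-provided code: it uses the boto3 IAM client calls `get_role`, `create_role`, `update_assume_role_policy`, `list_attached_role_policies` and `attach_role_policy`, assumes the managed policy ARNs follow the usual `arn:aws:iam::aws:policy/<Name>` form (use the `aws-us-gov` partition in GovCloud), and includes a constructed in-memory IAM stand-in so it can be exercised without AWS access.

```python
"""Ensure workspaces_DefaultRole exists with the trust policy and managed policies
from the procedure above. Added example, not AWS-provided code."""
import json

ROLE_NAME = "workspaces_DefaultRole"

# Trust policy from the procedure: only the WorkSpaces service principal may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "workspaces.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# The three AWS managed policies the procedure attaches. ARNs assume the usual
# arn:aws:iam::aws:policy/<Name> form; use arn:aws-us-gov:... in GovCloud (US).
MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AmazonWorkSpacesServiceAccess",
    "arn:aws:iam::aws:policy/AmazonWorkSpacesSelfServiceAccess",
    "arn:aws:iam::aws:policy/AmazonWorkSpacesPoolServiceAccess",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_allows_workspaces(doc):
    """True if some Allow statement lets workspaces.amazonaws.com call sts:AssumeRole."""
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if "sts:AssumeRole" in _as_list(stmt.get("Action", [])) and "workspaces.amazonaws.com" in services:
            return True
    return False


def ensure_default_role(iam):
    """Create or repair the role; returns the list of changes made (empty if already compliant).

    `iam` is a boto3 IAM client or any object with the same methods, so the
    function can be tested without AWS access."""
    changes = []
    try:
        role = iam.get_role(RoleName=ROLE_NAME)["Role"]
    except iam.exceptions.NoSuchEntityException:
        iam.create_role(
            RoleName=ROLE_NAME,
            AssumeRolePolicyDocument=json.dumps(TRUST_POLICY),
            Description="Grants Amazon WorkSpaces access to AWS resources on your behalf",
        )
        changes.append("created role")
    else:
        # boto3 returns AssumeRolePolicyDocument already parsed into a dict.
        if not trust_policy_allows_workspaces(role["AssumeRolePolicyDocument"]):
            iam.update_assume_role_policy(RoleName=ROLE_NAME, PolicyDocument=json.dumps(TRUST_POLICY))
            changes.append("updated trust policy")
    attached = {p["PolicyArn"] for p in iam.list_attached_role_policies(RoleName=ROLE_NAME)["AttachedPolicies"]}
    for arn in MANAGED_POLICY_ARNS:
        if arn not in attached:
            iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=arn)
            changes.append("attached " + arn.rsplit("/", 1)[1])
    return changes


class FakeIam:
    """In-memory stand-in for the IAM client, constructed so the example runs offline."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, roles=None):
        self.roles = roles or {}  # role name -> {"trust": dict, "attached": set of ARNs}

    def get_role(self, RoleName):
        if RoleName not in self.roles:
            raise self.exceptions.NoSuchEntityException(RoleName)
        return {"Role": {"RoleName": RoleName, "AssumeRolePolicyDocument": self.roles[RoleName]["trust"]}}

    def create_role(self, RoleName, AssumeRolePolicyDocument, **_ignored):
        self.roles[RoleName] = {"trust": json.loads(AssumeRolePolicyDocument), "attached": set()}

    def update_assume_role_policy(self, RoleName, PolicyDocument):
        self.roles[RoleName]["trust"] = json.loads(PolicyDocument)

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in sorted(self.roles[RoleName]["attached"])]}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.roles[RoleName]["attached"].add(PolicyArn)


if __name__ == "__main__":
    import boto3  # real run: the caller needs iam:GetRole, iam:CreateRole, iam:AttachRolePolicy, etc.
    print(ensure_default_role(boto3.client("iam")))
```

Running it against a real account replaces `FakeIam` with `boto3.client("iam")`; the returned change list is what you would log or alert on, because a "updated trust policy" result in a steady-state account means something other than this script edited the role.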

## Create the AmazonWorkSpacesPCAAccess service role
<a name="create-pca-access-role"></a>

Before users can log in using certificate-based authentication, you must verify that a role named `AmazonWorkSpacesPCAAccess` exists. This role is created when you enable certificate-based authentication on a directory using the AWS Management Console, and it grants Amazon WorkSpaces permission to access AWS Private CA resources on your behalf. If this role does not exist because you are not using the console to manage certificate-based authentication, you can create it using the following procedure.

**To create the AmazonWorkSpacesPCAAccess service role using the AWS CLI**

1. Create a JSON file named `AmazonWorkSpacesPCAAccess.json` with the following text.

------
#### [ JSON ]

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "prod.euc.ecm.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

------

1. Adjust the `AmazonWorkSpacesPCAAccess.json` path as needed and run the following AWS CLI commands to create the service role and attach the [AmazonWorkspacesPCAAccess](managed-policies.md#workspaces-pca-access) managed policy.

   ```
   aws iam create-role --path /service-role/ --role-name AmazonWorkSpacesPCAAccess --assume-role-policy-document file://AmazonWorkSpacesPCAAccess.json
   ```

   ```
   aws iam attach-role-policy --role-name AmazonWorkSpacesPCAAccess --policy-arn arn:aws:iam::aws:policy/AmazonWorkspacesPCAAccess
   ```

# AWS managed policies for WorkSpaces
<a name="managed-policies"></a>

Using AWS managed policies makes adding permissions to users, groups, and roles easier than writing policies yourself. It takes time and expertise to create [ IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. Use AWS managed policies to get started quickly. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services may occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services don't remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the `ReadOnlyAccess` AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

## AWS managed policy: AmazonWorkSpacesAdmin
<a name="workspaces-admin"></a>

**Note**  
The permissions listed here apply to API calls made through the SDK or CLI only; they are not sufficient for the console. The console requires the additional permissions listed in [Amazon WorkSpaces Console operations permissions reference](wsp-console-permissions-ref.md).

This policy provides access to Amazon WorkSpaces administrative actions. It provides the following permissions:
+ `workspaces` - Allows access to perform administrative actions on WorkSpaces Personal and WorkSpaces Pools resources.
+ `kms` - Allows access to list and describe KMS keys, as well as list aliases.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonWorkSpacesAdmin",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:ListKeys",
                "workspaces:CreateTags",
                "workspaces:CreateWorkspaceImage",
                "workspaces:CreateWorkspaces",
                "workspaces:CreateWorkspacesPool",
                "workspaces:CreateStandbyWorkspaces",
                "workspaces:DeleteTags",
                "workspaces:DeregisterWorkspaceDirectory",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:DescribeWorkspacesPools",
                "workspaces:DescribeWorkspacesPoolSessions",
                "workspaces:DescribeWorkspacesConnectionStatus",
                "workspaces:ModifyCertificateBasedAuthProperties",
                "workspaces:ModifySamlProperties",
                "workspaces:ModifyStreamingProperties",
                "workspaces:ModifyWorkspaceCreationProperties",
                "workspaces:ModifyWorkspaceProperties",
                "workspaces:RebootWorkspaces",
                "workspaces:RebuildWorkspaces",
                "workspaces:RegisterWorkspaceDirectory",
                "workspaces:RestoreWorkspace",
                "workspaces:StartWorkspaces",
                "workspaces:StartWorkspacesPool",
                "workspaces:StopWorkspaces",
                "workspaces:StopWorkspacesPool",
                "workspaces:TerminateWorkspaces",
                "workspaces:TerminateWorkspacesPool",
                "workspaces:TerminateWorkspacesPoolSession",
                "workspaces:UpdateWorkspacesPool"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AmazonWorkspacesPCAAccess
<a name="workspaces-pca-access"></a>

This managed policy provides access to AWS Certificate Manager Private Certificate Authority (Private CA) resources in your AWS account for certificate-based authentication. It is included in the AmazonWorkSpacesPCAAccess role, and it provides the following permissions:
+ `acm-pca` - Allows access to AWS Private CA to manage certificate-based authentication.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm-pca:IssueCertificate",
                "acm-pca:GetCertificate",
                "acm-pca:DescribeCertificateAuthority"
            ],
            "Resource": "arn:*:acm-pca:*:*:*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/euc-private-ca": "*"
                }
            }
        }
    ]
}
```

------

## AWS managed policy: AmazonWorkSpacesSelfServiceAccess
<a name="workspaces-self-service-access"></a>

This policy provides access to the Amazon WorkSpaces service to perform WorkSpaces self-service actions initiated by a user. It is included in the `workspaces_DefaultRole` role, and it provides the following permissions:
+ `workspaces` - Allows access to self-service WorkSpaces management capabilities for users.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "workspaces:RebootWorkspaces",
                "workspaces:RebuildWorkspaces",
                "workspaces:ModifyWorkspaceProperties"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AmazonWorkSpacesServiceAccess
<a name="workspaces-service-access"></a>

This policy provides customer account access to the Amazon WorkSpaces service for launching a WorkSpace. It is included in the `workspaces_DefaultRole` role, and it provides the following permissions:
+ `ec2` - Allows access to manage Amazon EC2 resources associated with a WorkSpace, such as network interfaces.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AmazonWorkSpacesPoolServiceAccess
<a name="workspaces-pools-service-access"></a>

This policy is used in the `workspaces_DefaultRole` role, which WorkSpaces uses to access required resources in the customer AWS account for WorkSpaces Pools. For more information, see [Create the workspaces\_DefaultRole role](workspaces-access-control.md#create-default-role). It provides the following permissions:
+ `ec2` - Allows access to manage Amazon EC2 resources associated with a WorkSpaces Pool, such as VPCs, subnets, availability zones, security groups, and route tables.
+ `s3` - Allows access to perform actions on Amazon S3 buckets required for logs, application settings, and the Home Folder feature.

------
#### [ Commercial AWS Regions ]

The following policy JSON applies to the commercial AWS Regions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProvisioningWorkSpacesPoolPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRouteTables",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "WorkSpacesPoolS3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:DeleteObjectVersion",
                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy",
                "s3:PutEncryptionConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::wspool-logs-*",
                "arn:aws:s3:::wspool-app-settings-*",
                "arn:aws:s3:::wspool-home-folder-*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

------

------
#### [ AWS GovCloud (US) Regions ]

The following policy JSON applies to the AWS GovCloud (US) Regions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProvisioningWorkSpacesPoolPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRouteTables",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "WorkSpacesPoolS3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:DeleteObjectVersion",
                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy",
                "s3:PutEncryptionConfiguration"
            ],
            "Resource": [
                "arn:aws-us-gov:s3:::wspool-logs-*",
                "arn:aws-us-gov:s3:::wspool-app-settings-*",
                "arn:aws-us-gov:s3:::wspool-home-folder-*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

------

------

## WorkSpaces updates to AWS managed policies
<a name="updates-managed-policies"></a>

View details about updates to AWS managed policies for WorkSpaces since this service began tracking these changes.


| Change | Description | Date | 
| --- | --- | --- | 
| [AWS managed policy: AmazonWorkSpacesPoolServiceAccess](#workspaces-pools-service-access) - Added new policy | WorkSpaces added a new managed policy to grant permission to view Amazon EC2 VPCs and related resources, and to view and manage Amazon S3 buckets for WorkSpaces Pools. | June 24, 2024 | 
| [AWS managed policy: AmazonWorkSpacesAdmin](#workspaces-admin) - Updated policy | WorkSpaces added several actions for WorkSpaces Pools to the AmazonWorkSpacesAdmin managed policy, granting admins access to manage WorkSpaces Pools resources. | June 24, 2024 | 
| [AWS managed policy: AmazonWorkSpacesAdmin](#workspaces-admin) - Updated policy | WorkSpaces added the workspaces:RestoreWorkspace action to the AmazonWorkSpacesAdmin managed policy, granting admins access to restore WorkSpaces. | June 25, 2023 | 
| [AWS managed policy: AmazonWorkspacesPCAAccess](#workspaces-pca-access) - Added new policy | WorkSpaces added a new managed policy that grants the acm-pca permissions needed to use AWS Private CA for certificate-based authentication. | November 18, 2022 | 
| WorkSpaces started tracking changes | WorkSpaces started tracking changes for its WorkSpaces managed policies. | March 1, 2021 | 

# Access to WorkSpaces and scripts on streaming instances
<a name="using-iam-roles-to-grant-permissions-to-applications-scripts-streaming-instances"></a>

Applications and scripts that run on WorkSpaces streaming instances must include AWS credentials in their AWS API requests. You can create an IAM role to manage these credentials. An IAM role specifies a set of permissions that you can use to access AWS resources. This role is not uniquely associated with one person, however. Instead, it can be assumed by anyone that needs it.

You can apply an IAM role to a WorkSpaces streaming instance. When the streaming instance switches to (assumes) the role, the role provides temporary security credentials. Your application or scripts use these credentials to perform API actions and management tasks on the streaming instance. WorkSpaces manages the temporary credential switch for you.

**Topics**
+ [Best Practices for Using IAM Roles With WorkSpaces Streaming Instances](#best-practices-for-using-iam-role-with-streaming-instances)
+ [Configuring an Existing IAM Role to Use With WorkSpaces Streaming Instances](#configuring-existing-iam-role-to-use-with-streaming-instances)
+ [How to Create an IAM Role to Use With WorkSpaces Streaming Instances](#how-to-create-iam-role-to-use-with-streaming-instances)
+ [How to Use the IAM Role With WorkSpaces Streaming Instances](#how-to-use-iam-role-with-streaming-instances)

## Best Practices for Using IAM Roles With WorkSpaces Streaming Instances
<a name="best-practices-for-using-iam-role-with-streaming-instances"></a>

When you use IAM roles with WorkSpaces streaming instances, we recommend that you follow these practices:
+ Limit the permissions that you grant to AWS API actions and resources.

  Follow least privilege principles when you create and attach IAM policies to the IAM roles associated with WorkSpaces streaming instances. When you use an application or script that requires access to AWS API actions or resources, determine the specific actions and resources that are required. Then, create policies that allow the application or script to perform only those actions. For more information, see [Grant Least Privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the *IAM User Guide*.
+ Create an IAM role for each WorkSpaces resource.

  Creating a unique IAM role for each WorkSpaces resource is a practice that follows least privilege principles. Doing so also lets you modify permissions for a resource without affecting other resources.
+ Limit where the credentials can be used.

  IAM policies let you define the conditions under which your IAM role can be used to access a resource. For example, you can include conditions to specify a range of IP addresses that requests can come from. Doing so prevents the credentials from being used outside of your environment. For more information, see [Use Policy Conditions for Extra Security](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions) in the *IAM User Guide*.
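The three practices above are easiest to enforce if you can check a policy document mechanically before attaching it to a streaming-instance role. The following is an added example, not AWS code: a small audit that flags Allow statements with a wildcard action, an unscoped `Resource` with no `Condition`, or no network condition at all, run over a constructed over-broad policy, a constructed scoped policy, and the AmazonWorkSpacesSelfServiceAccess document shown on this page. The condition keys it looks for (`aws:SourceIp`, `aws:SourceVpc`, `aws:SourceVpce`) are real IAM global condition keys; the IP range `203.0.113.0/24` is a documentation range standing in for your own.

```python
"""Least-privilege audit for IAM policy documents. Added example, not AWS code."""

# IAM global condition keys that tie a request to your network.
NETWORK_CONDITION_KEYS = {"aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_keys(stmt):
    """Flatten {"Operator": {"key": value, ...}} into the set of condition keys used."""
    return {key for operands in stmt.get("Condition", {}).values() for key in operands}


def audit_policy(doc):
    """Return (sid, finding) pairs for each Allow statement broader than the practices above allow."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "statement[%d]" % i)
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        keys = condition_keys(stmt)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard action"))
        if "*" in resources and not keys:
            findings.append((sid, "unscoped resource without a condition"))
        if not keys & NETWORK_CONDITION_KEYS:
            findings.append((sid, "no network condition limiting where credentials can be used"))
    return findings


# Constructed: everything in WorkSpaces, from anywhere.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Action": "workspaces:*", "Resource": "*"}],
}

# Constructed: two Describe actions, usable only from a corporate range.
# 203.0.113.0/24 is a documentation range standing in for your own.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeFromCorpRange",
            "Effect": "Allow",
            "Action": ["workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspacesConnectionStatus"],
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
        }
    ],
}

# Copied from the AmazonWorkSpacesSelfServiceAccess policy shown on this page.
SELF_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["workspaces:RebootWorkspaces", "workspaces:RebuildWorkspaces",
                       "workspaces:ModifyWorkspaceProperties"],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    for name, doc in [("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY),
                      ("self-service", SELF_SERVICE_POLICY)]:
        print(name, audit_policy(doc))
```

Two caveats when reading the results. An AWS managed policy such as AmazonWorkSpacesSelfServiceAccess is attached to a service role and is not yours to edit, so findings on it are informational; the audit is for policies you write for your own streaming-instance roles. And `aws:SourceIp` is the address AWS sees, which for a streaming instance is the VPC's NAT or internet gateway address, and it is not evaluated for requests that reach AWS through a VPC endpoint, where `aws:SourceVpc` or `aws:SourceVpce` is the right key.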

## Configuring an Existing IAM Role to Use With WorkSpaces Streaming Instances
<a name="configuring-existing-iam-role-to-use-with-streaming-instances"></a>

This topic describes how to configure an existing IAM role so that you can use it with WorkSpaces.

**Prerequisites**

The IAM role that you want to use with WorkSpaces must meet the following prerequisites:
+ The IAM role must be in the same Amazon Web Services account as the WorkSpaces streaming instance.
+ The IAM role cannot be a service role.
+ The trust relationship policy that is attached to the IAM role must include the WorkSpaces service as the principal. A *principal* is an entity in AWS that can perform actions and access resources. The policy must also include the `sts:AssumeRole` action. This policy configuration defines WorkSpaces as a trusted entity.

  
+ The WorkSpaces to which you apply the IAM role must run a version of the WorkSpaces agent released on or after September 3, 2019, and must use an image whose agent version was released on or after the same date.

**To enable the WorkSpaces service principal to assume an existing IAM role**

To perform the following steps, you must sign into the account as an IAM user who has the permissions required to list and update IAM roles. If you don't have the required permissions, ask your Amazon Web Services account administrator either to perform these steps in your account or to grant you the required permissions.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**. 

1. In the list of roles in your account, choose the name of the role that you want to modify.

1. Choose the **Trust relationships** tab, and then choose **Edit trust relationship**.

1. Under **Policy Document**, verify that the trust relationship policy includes the `sts:AssumeRole` action for the `workspaces.amazonaws.com` service principal:

------
#### [ JSON ]

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": [
             "workspaces.amazonaws.com"
           ]
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

------

1. When you are finished editing your trust policy, choose **Update Trust Policy** to save your changes. 

1. The IAM role that you selected is displayed in the WorkSpaces console. This role grants permissions to applications and scripts to perform API actions and management tasks on streaming instances.

## How to Create an IAM Role to Use With WorkSpaces Streaming Instances
<a name="how-to-create-iam-role-to-use-with-streaming-instances"></a>

This topic describes how to create a new IAM role so that you can use it with WorkSpaces.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, and then choose **Create role**.

1. For **Select type of trusted entity**, choose **AWS service**.

1. From the list of AWS services, choose **WorkSpaces**.

1. Under **Select your use case**, **WorkSpaces — Allows WorkSpaces instances to call AWS services on your behalf** is already selected. Choose **Next: Permissions**.

1. If possible, select the policy to use for the permissions policy or choose **Create policy** to open a new browser tab and create a new policy from scratch. For more information, see step 4 in the procedure [Creating IAM Policies (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start) in the *IAM User Guide*.

   After you create the policy, close that tab and return to your original tab. Select the check box next to the permissions policies that you want WorkSpaces to have.

1. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not service-linked roles. For more information, see [Permissions Boundaries for IAM Entities ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

1. Choose **Next: Tags**. You can optionally attach tags as key-value pairs. For more information, see [Tagging IAM Users and Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

1. Choose **Next: Review**.

1. For **Role name**, type a role name that is unique within your Amazon Web Services account. Because other AWS resources might reference the role, you can't edit the name of the role after it has been created.

1. For **Role description**, keep the default role description or type a new one.

1. Review the role, and then choose **Create role**.

## How to Use the IAM Role With WorkSpaces Streaming Instances
<a name="how-to-use-iam-role-with-streaming-instances"></a>

After you create an IAM role, you can apply it to WorkSpaces when you launch WorkSpaces. You can also apply an IAM role to existing WorkSpaces.

When you apply an IAM role to WorkSpaces, WorkSpaces retrieves temporary credentials and creates the `workspaces_machine_role` credential profile on the instance. The temporary credentials are valid for 1 hour, and new credentials are retrieved every hour. Retrieving new credentials does not revoke the previous ones, so you can keep using them until they expire. You can use the credential profile to call AWS services programmatically by using the AWS Command Line Interface (AWS CLI), AWS Tools for PowerShell, or the AWS SDK for the language of your choice.

When you make the API calls, specify `workspaces_machine_role` as the credential profile. Otherwise, the operation fails due to insufficient permissions.

WorkSpaces assumes the specified role while the streaming instance is provisioned. Because WorkSpaces uses the elastic network interface that is attached to your VPC for AWS API calls, your application or script must wait for the elastic network interface to become available before making AWS API calls. If API calls are made before the elastic network interface is available, the calls fail.

The following examples show how you can use the `workspaces_machine_role` credential profile to describe streaming instances (EC2 instances) and to create the Boto client. Boto is the Amazon Web Services (AWS) SDK for Python. 

**Describe Streaming Instances (EC2 instances) by Using the AWS CLI**

```
aws ec2 describe-instances --region us-east-1 --profile workspaces_machine_role
```

**Describe Streaming Instances (EC2 instances) by Using AWS Tools for PowerShell**

You must use AWS Tools for PowerShell version 3.3.563.1 or later, with the Amazon Web Services SDK for .NET version 3.3.103.22 or later. You can download the AWS Tools for Windows installer, which includes AWS Tools for PowerShell and the Amazon Web Services SDK for .NET, from the [AWS Tools for PowerShell](https://aws.amazon.com/powershell/) website.

```
Get-EC2Instance -Region us-east-1 -ProfileName workspaces_machine_role
```

**Creating the Boto Client by Using the AWS SDK for Python**

```
import boto3

# Use the profile that WorkSpaces writes on the streaming instance; without it
# the call runs without the role's credentials and fails.
session = boto3.Session(profile_name='workspaces_machine_role')
```
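The Boto example above creates the session but does not handle the failure mode described earlier in this section: calls made before the elastic network interface is available fail, and the credential profile does not exist until WorkSpaces has written it. The following is an added example, not AWS code, that wraps session creation and the same `describe_instances` call as the CLI example in a bounded exponential backoff. It assumes `us-east-1` as the Region, retries only on the botocore exceptions that signal a missing profile, missing credentials or an unreachable endpoint, and imports boto3 only in the entry point so the retry logic itself runs offline against a constructed response.

```python
"""Call AWS from a streaming instance with the workspaces_machine_role profile,
waiting for the ENI and credential profile to become available.
Added example, not AWS code."""
import time

PROFILE = "workspaces_machine_role"
REGION = "us-east-1"  # assumed; use the Region your WorkSpaces are in


def retry_until_ready(call, attempts=8, base_delay=5.0, sleep=time.sleep, retry_on=(Exception,)):
    """Run call() until it succeeds, backing off 5s, 10s, 20s ... (capped at 60s).

    Returns (result, tries). The last error is re-raised when attempts run out.
    `sleep` is injectable so the backoff schedule can be tested without waiting."""
    last_error = None
    for attempt in range(1, attempts + 1):
        try:
            return call(), attempt
        except retry_on as err:
            last_error = err
            if attempt < attempts:
                sleep(min(base_delay * 2 ** (attempt - 1), 60.0))
    raise last_error


def instance_ids(describe_response):
    """Flatten an ec2:DescribeInstances response into a list of instance IDs."""
    return [inst["InstanceId"]
            for reservation in describe_response.get("Reservations", [])
            for inst in reservation.get("Instances", [])]


def describe_with_machine_role(region=REGION):
    """boto3 equivalent of the CLI example above, with the ENI wait applied."""
    import boto3
    import botocore.exceptions as bx

    def call():
        # The profile is absent until WorkSpaces writes it, and the endpoint is
        # unreachable until the ENI is up: both are transient on a fresh instance.
        session = boto3.Session(profile_name=PROFILE)
        return session.client("ec2", region_name=region).describe_instances()

    response, tries = retry_until_ready(
        call, retry_on=(bx.ProfileNotFound, bx.NoCredentialsError, bx.EndpointConnectionError))
    return instance_ids(response), tries


# Constructed response with the shape ec2:DescribeInstances returns.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [{"InstanceId": "i-0123456789abcdef0"},
                                                    {"InstanceId": "i-0fedcba9876543210"}]}]}

if __name__ == "__main__":
    ids, tries = describe_with_machine_role()
    print("instances:", ids, "after", tries, "attempt(s)")
```

Keeping the retry set narrow matters: an `AccessDenied` from an under-privileged role is not transient, and retrying it for eight rounds only hides a policy problem that should surface immediately.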

# Amazon WorkSpaces Console operations permissions reference
<a name="wsp-console-permissions-ref"></a>

Some Amazon WorkSpaces APIs can only be called through the AWS Management Console. They are not public APIs, in the sense that they cannot be called programmatically and are not provided by any SDK. These API operations include:
+ workspaces:DirectoryAccessManagement
+ workspaces:CreateRootClientCertificate
+ workspaces:UpdateRootClientCertificate
+ workspaces:DeleteRootClientCertificate
+ workspaces:DescribeConsent
+ workspaces:UpdateConsent
+ workspaces:InvokeTroubleshootingInvestigation
+ workspaces:GetTroubleshootingRecommendation
+ workspaces:ListTroubleshootingRecommendations

## WorkSpaces Console operations and required permissions for actions
<a name="wsp-console-operations"></a>

The console uses additional API actions for its features, so the permissions for the WorkSpaces public APIs may not be sufficient. For example, a user who has permission to call the [CreateWorkspaces](https://docs.aws.amazon.com/workspaces/latest/api/API_CreateWorkspaces.html) API through the CLI or an SDK may encounter errors when trying to create a WorkSpace in the console, because they lack the permissions needed to select or create users. The table below lists the features that are only available in the WorkSpaces console and the additional permissions required for users to work with those parts of the console.

The [Example policies](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html#workspaces-example-iam-policies) section provides the list of permissions to perform all WorkSpaces tasks for Personal, Pools and BYOL WorkSpaces. 

Alternatively, you could also use granular permissions to apply least-privilege permissions to perform a task.

This table lists the WorkSpaces Console features that rely on the APIs that are not provided by the SDK and the required permissions that enable users to work with these specific parts of the console. These permissions should be added in addition to other actions required for APIs provided by the SDK. 


| WorkSpaces Console operations | Required permissions | 
| --- | --- | 
|  [WorkSpaces Personal Quick Setup](https://docs.aws.amazon.com/workspaces/latest/adminguide/managing-wsp-personal.html#getting-started)  |  workspaces:DirectoryAccessManagement ds:* ec2:CreateVpc ec2:CreateSubnet ec2:CreateNetworkInterface ec2:CreateInternetGateway ec2:CreateRouteTable ec2:CreateRoute ec2:CreateTags ec2:CreateSecurityGroup ec2:DescribeInternetGateways ec2:DescribeSecurityGroups ec2:DescribeRouteTables ec2:DescribeVpcs ec2:DescribeSubnets ec2:DescribeNetworkInterfaces ec2:DescribeAvailabilityZones ec2:AttachInternetGateway ec2:AssociateRouteTable ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress iam:CreateRole iam:GetRole iam:PutRolePolicy workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:CreateWorkspaces workspaces:DescribeWorkspaces workspaces:RegisterWorkspaceDirectory workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspaces  | 
|  [Restrict access to Trusted Devices for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/trusted-devices.html#configure-restriction)  |  workspaces:CreateRootClientCertificate workspaces:UpdateRootClientCertificate workspaces:DeleteRootClientCertificate ds:DescribeDirectories ec2:DescribeSubnets ec2:DescribeSecurityGroups workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeTags workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddins workspaces:DirectoryAccessManagement  | 
|  [Creating a WorkSpace in WorkSpaces Personal on the Console](https://docs.aws.amazon.com/workspaces/latest/adminguide/create-workspaces-personal.html) – To create/search/describe Directory Service directory users  |  workspaces:DirectoryAccessManagement workspaces:DescribeAccount workspaces:CreateWorkspaces workspaces:DescribeWorkspaces workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaceBundles workspaces:DescribeTags workspaces:CreateTags workspaces:DescribeClientProperties kms:ListKeys kms:ListAliases kms:DescribeKey ds:DescribeTrusts ds:DescribeDirectories ec2:DescribeSubnets ec2:DescribeSecurityGroups  | 
|  [Manage users in WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/manage-workspaces-users.html) – To edit users and send user invitation email  |  workspaces:DirectoryAccessManagement workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces workspaces:DescribeTags workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspacesConnectionStatus workspaces:DescribeWorkspaceAssociations workspaces:DescribeWorkspaceSnapshots workspaces:DescribeWorkspaceImages workspaces:DescribeConnectionAliases  | 
|  [Update the AD Connector account (AD Connector) for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/connect-account.html)  |  workspaces:DirectoryAccessManagement ds:DescribeDirectories ds:UpdateDirectory ec2:DescribeSubnets ec2:DescribeSecurityGroups workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeTags workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddins  | 
|  [Select an organizational unit for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/select-ou.html)  |  workspaces:DirectoryAccessManagement ds:DescribeDirectories ec2:DescribeSubnets ec2:DescribeSecurityGroups workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeTags workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddins workspaces:ModifyWorkspaceCreationProperties  | 
|  [Enable your account for BYOL](https://docs.aws.amazon.com/workspaces/latest/adminguide/byol-windows-images.html) – To confirm understanding of the requirements to use BYOL WorkSpaces  |  workspaces:DescribeConsent workspaces:UpdateConsent workspaces:DescribeAccount workspaces:ListAccountLinks workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspaceImages workspaces:DescribeWorkspaceDirectories  | 
|  [Amazon WorkSpaces Advisor](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-advisor.html)  |  workspaces:InvokeTroubleshootingInvestigation workspaces:GetTroubleshootingRecommendation workspaces:ListTroubleshootingRecommendations  | 

# Compliance validation for Amazon WorkSpaces
<a name="compliance-validation"></a>

Third-party auditors assess the security and compliance of Amazon WorkSpaces as part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others.

For a list of AWS services in scope of specific compliance programs, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/). For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

For more information about WorkSpaces and FedRAMP, see [Configure FedRAMP authorization or DoD SRG compliance for WorkSpaces Personal](fips-encryption.md).

Your compliance responsibility when using WorkSpaces is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. AWS provides the following resources to help with compliance:
+ [Security and Compliance Quick Start Guides](https://aws.amazon.com/quickstart/?awsf.quickstart-homepage-filter=categories%23security-identity-compliance) – These deployment guides discuss architectural considerations and provide steps for deploying security- and compliance-focused baseline environments on AWS.
+ [Architecting for HIPAA Security and Compliance on Amazon Web Services](https://docs.aws.amazon.com/pdfs/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/architecting-hipaa-security-and-compliance-on-aws.pdf) – This whitepaper describes how companies can use AWS to create HIPAA-compliant applications.
+ [AWS Compliance Resources](https://aws.amazon.com/compliance/resources/) – This collection of workbooks and guides might apply to your industry and location.
+ [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide* – AWS Config assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – This AWS service provides a comprehensive view of your security state within AWS that helps you check your compliance with security industry standards and best practices.

# Resilience in Amazon WorkSpaces
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

Amazon WorkSpaces also provides cross-Region redirection, a feature that works with your Domain Name System (DNS) failover routing policies to redirect your WorkSpaces users to alternative WorkSpaces in another AWS Region when their primary WorkSpaces aren't available. For more information, see [Cross-Region redirection for WorkSpaces Personal](cross-region-redirection.md).

# Infrastructure Security in Amazon WorkSpaces
<a name="infrastructure-security"></a>

As a managed service, Amazon WorkSpaces is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in the *Security Pillar AWS Well-Architected Framework*.

You use AWS published API calls to access WorkSpaces through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

**Topics**
+ [Network isolation](network-isolation.md)
+ [Isolation on physical hosts](physical-isolation.md)
+ [Credential Guard / Virtualization-Based Security (VBS)](credential-guard-vbs.md)
+ [Authorization of corporate users](authorization.md)
+ [Create and Stream from Interface VPC Endpoints](creating-streaming-vpc-endpoints.md)
+ [Make Amazon WorkSpaces API requests through a VPC interface endpoint](interface-vpc-endpoint.md)
+ [Create a VPC endpoint policy for Amazon WorkSpaces](api-private-link-policy.md)
+ [Connect your private network to your VPC](notebook-private-link-vpn.md)

# Network isolation
<a name="network-isolation"></a>

A virtual private cloud (VPC) is a virtual network in your own logically isolated area in the AWS Cloud. You can deploy your WorkSpaces in a private subnet in your VPC. For more information, see [Configure a VPC for WorkSpaces Personal](amazon-workspaces-vpc.md).

To allow traffic only from specific address ranges (for example, from your corporate network), update the security group for your VPC or use an [IP access control group](amazon-workspaces-ip-access-control-groups.md).

You can restrict WorkSpace access to trusted devices with valid certificates. For more information, see [Restrict access to trusted devices for WorkSpaces Personal](trusted-devices.md).

# Isolation on physical hosts
<a name="physical-isolation"></a>

Different WorkSpaces on the same physical host are isolated from each other through the hypervisor. It is as though they are on separate physical hosts. When a WorkSpace is deleted, the memory allocated to it is scrubbed (set to zero) by the hypervisor before it is allocated to a new WorkSpace.

# Credential Guard / Virtualization-Based Security (VBS)
<a name="credential-guard-vbs"></a>

Windows WorkSpaces can use Credential Guard and Virtualization-Based Security (VBS) to provide hardware-based isolation and protect credentials within the operating system. You can disable Credential Guard or VBS through Group Policy settings.

**Important**  
Disabling VBS reduces the security posture of your Windows WorkSpace. Only disable VBS if required for specific performance or compatibility needs.

**Security implications of disabling VBS**
+ **Reduced kernel-level protection** – The OS kernel becomes more vulnerable to malicious code.
+ **Increased risk of credential theft** – Attackers may more easily extract credentials from the lsass.exe process.
+ **Disabled code integrity checks** – Hypervisor-Enforced Code Integrity (HVCI) will not function, allowing unsigned drivers to run in kernel mode.
+ **Increased vulnerability to exploits** – The system becomes more susceptible to attacks that could result in full system compromise.
+ **Loss of advanced security features** – Features such as Windows Defender Credential Guard and System Guard cannot operate as intended.
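One way to verify the point above on a running WorkSpace, as an added example that is not AWS code: the `Win32_DeviceGuard` WMI class (namespace `root\Microsoft\Windows\DeviceGuard`) reports whether VBS is running and which services are configured and actually running (1 = Credential Guard, 2 = HVCI). The Python below queries that class through PowerShell and turns the record into a pass/fail report, so a fleet check can flag WorkSpaces where VBS or Credential Guard has been switched off by Group Policy. The sample records it is exercised with are constructed.

```python
"""Report whether VBS, Credential Guard and HVCI are actually running on a
Windows WorkSpace. Added example (not AWS code). The interpreter is pure so it
can be exercised offline; the live query needs PowerShell on the WorkSpace."""
import json
import subprocess
from typing import Dict

# Meaning of the Win32_DeviceGuard fields used below.
VBS_STATUS = {0: "not enabled", 1: "enabled but not running", 2: "running"}
SERVICE_NAMES = {1: "Credential Guard", 2: "HVCI (memory integrity)"}

POWERSHELL = (
    "Get-CimInstance -Namespace root\\Microsoft\\Windows\\DeviceGuard "
    "-ClassName Win32_DeviceGuard | Select-Object VirtualizationBasedSecurityStatus,"
    "SecurityServicesRunning,SecurityServicesConfigured | ConvertTo-Json"
)


def _as_set(value) -> set:
    """ConvertTo-Json may emit a list, a single scalar, or null for the service arrays."""
    if value is None:
        return set()
    return set(value) if isinstance(value, (list, tuple)) else {value}


def interpret_device_guard(record: Dict) -> Dict:
    """Turn one Win32_DeviceGuard record into a report.

    'compliant' is True only when VBS is running and both Credential Guard
    and HVCI are among the running services; anything configured but not
    running is listed so the gap is visible."""
    running = _as_set(record.get("SecurityServicesRunning"))
    configured = _as_set(record.get("SecurityServicesConfigured"))
    vbs = record.get("VirtualizationBasedSecurityStatus", 0)
    return {
        "vbs": VBS_STATUS.get(vbs, f"unknown ({vbs})"),
        "credential_guard_running": 1 in running,
        "hvci_running": 2 in running,
        "configured_but_not_running": sorted(
            SERVICE_NAMES.get(s, f"service {s}") for s in configured - running),
        "compliant": vbs == 2 and 1 in running and 2 in running,
    }


def read_device_guard_status() -> Dict:
    """Live check: run the WMI query through PowerShell on the local WorkSpace."""
    out = subprocess.run(["powershell.exe", "-NoProfile", "-Command", POWERSHELL],
                         capture_output=True, text=True, check=True).stdout
    return interpret_device_guard(json.loads(out))


if __name__ == "__main__":
    # Constructed sample record: VBS enabled by policy but not running, Credential Guard configured only.
    sample = {"VirtualizationBasedSecurityStatus": 1,
              "SecurityServicesRunning": None,
              "SecurityServicesConfigured": [1]}
    print(interpret_device_guard(sample))
```

The live function is meant to be run per WorkSpace (for example from a login script or an inventory agent); the `compliant` flag is what a monitoring pipeline would alert on.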

# Authorization of corporate users
<a name="authorization"></a>

With WorkSpaces, directories are managed through the Directory Service. You can create a standalone, managed directory for users. Or you can integrate with your existing Active Directory environment so that your users can use their current credentials to obtain seamless access to corporate resources. For more information, see [Manage directories for WorkSpaces Personal](manage-workspaces-directory.md).

To further control access to your WorkSpaces, use multi-factor authentication. For more information, see [How to Enable Multi-Factor Authentication for AWS Services](https://aws.amazon.com/blogs/security/how-to-enable-multi-factor-authentication-for-amazon-workspaces-and-amazon-quicksight-by-using-microsoft-ad-and-on-premises-credentials/).

# Create and Stream from Interface VPC Endpoints
<a name="creating-streaming-vpc-endpoints"></a>

A virtual private cloud (VPC) is a virtual network in your own logically isolated area in the Amazon Web Services Cloud. If you use Amazon Virtual Private Cloud to host your AWS resources, you can establish a private connection between your VPC and WorkSpaces. You can use this connection to enable WorkSpaces to communicate with your resources on your VPC without going through the public internet.

Interface endpoints are powered by AWS PrivateLink, a technology that lets you keep streaming traffic within a VPC that you specify by using private IP addresses. When you use the VPC with an AWS Direct Connect or AWS Virtual Private Network tunnel, you can keep the streaming traffic within your network.

You can use a VPC endpoint in your AWS account to restrict all streaming traffic between your Amazon VPC and WorkSpaces to the AWS network. After you create the endpoint, configure your WorkSpaces directory to use it.

## Prerequisites and limitations
<a name="vpc-prerequisites"></a>

Before you set up VPC endpoints for WorkSpaces, be aware of the following prerequisites and limitations.
+ The feature currently supports the IPv4 and IPv6 DNS record IP types. The Dualstack DNS record IP type is not supported.
+ You can only configure VPC endpoints that are in the same AWS account as your directory. VPC endpoints in other AWS accounts are not supported, including endpoints in shared VPCs.
+ The feature is currently available for WorkSpaces Personal only. WorkSpaces Pools does not support VPC endpoints for streaming.
+ The VPC endpoint feature is available exclusively for WorkSpaces using Amazon DCV. When you configure a VPC endpoint for a directory, users cannot stream from Amazon DCV over the internet. However, you can enable internet streaming for PCoIP WorkSpaces in the same directory during VPC endpoint configuration.
+ To maintain streaming traffic within your VPC, use a streaming VPC endpoint. Your WorkSpaces clients still require internet connectivity for user authentication: enable outbound access on port 443 (both UDP and TCP) for authentication traffic, and add the required domains and IP addresses for the following categories to your allow list, depending on your chosen authentication method. For the complete list of domains in each category, see [Domains and IP addresses to add to your allow list](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html#whitelisted_ports).
  + CAPTCHA
  + Directory Settings
  + Pre-session Smart Card Authentication Endpoints, if you are using Smart Card
  + User Login Pages
  + WS Broker
  + WorkSpaces Endpoints for SAML Single Sign-On (SSO)
+ The network that your users' devices are connected to must be able to route traffic to the VPC endpoint.
+ You must have an IAM permissions policy for the IAM user or IAM role in your AWS account to perform the `ec2:DescribeVpcEndpoints` API action.
+ WorkSpaces streaming VPC endpoints currently do not support FIPS encryption. If you already enabled FIPS encryption for a directory, you need to disable FIPS encryption before configuring a VPC endpoint.
+ AWS Global Accelerator (AGA) integration is not available when streaming through a VPC endpoint.
+ When a VPC endpoint is configured for a directory, IP access control groups specified for the directory no longer apply.

## Setting up VPC endpoint for WorkSpaces streaming
<a name="setting-up-vpc-endpoint"></a>

To set up a VPC endpoint for WorkSpaces streaming, complete the following steps:

### Step 1: Create the security group
<a name="create-security-group"></a>

In this step, you create a security group that lets WorkSpaces clients communicate with the VPC endpoint you will create in Step 2.

1. In the navigation pane of the Amazon EC2 console, go to **Network & Security**, then **Security Groups**.

1. Select **Create security group**.

1. Under **Basic details**, enter the following:
   + For **Security group name** – Enter a unique name that identifies the security group.
   + For **Description** – Enter some text that describes the purpose of the security group.
   + For **VPC** – Choose the VPC that your VPC endpoint is in.

1. Go to **Inbound rules** and select **Add rule** to create inbound rules for TCP traffic.

1. Enter the following:
   + For **Type** – Choose Custom TCP.
   + For **Port range** – Enter the following port numbers: `443`, `4195`.
   + For **Source type** – Choose Custom.
   + For **Source** – Enter the private IP CIDR range or other Security Group IDs from which your users connect to the VPC endpoint. Make sure to allow inbound traffic from an IPv4 or IPv6 address source.

1. Repeat steps 4 and 5 for each CIDR range or Security Group.

1. Go to **Inbound rules** and select **Add rule** to create inbound rules for UDP traffic.

1. Enter the following:
   + For **Type** – Choose **Custom UDP**.
   + For **Port range** – Enter the following port numbers: `443`, `4195`.
   + For **Source type** – Choose **Custom**.
   + For **Source** – Enter the same private IP CIDR range or Security Group IDs entered in Step 5. Make sure to allow inbound traffic from an IPv4 or IPv6 address source.

1. Repeat steps 7 and 8 for each CIDR range or Security Group.

1. Select **Create security group**.

### Step 2: Create the VPC endpoint
<a name="create-vpc-endpoint"></a>

In Amazon VPC, a VPC endpoint lets you connect your VPC to supported AWS services. In this example, you configure Amazon VPC so that your WorkSpaces users can stream from WorkSpaces.

1. Open the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, go to **Endpoints**.

1. Select **Create Endpoint**.

1. Ensure the following:
   + **Service category** – Make sure that **AWS services** is selected.
   + **Service Name** – Choose **com.amazonaws.*Region*.highlander**.
   + **VPC** – Choose a VPC in which to create the interface endpoint. You can choose a different VPC than the VPC with WorkSpaces resources as long as the network routes traffic to the VPC endpoint.
   + **Enable Private DNS Name** – Keep the check box selected, even when using the public DNS name, for backward compatibility. If your users access streaming instances through a network proxy, disable any proxy caching for the domain and DNS names associated with the private endpoint, and allow the VPC endpoint DNS name through the proxy. For DNS resolution to succeed, use the private DNS servers within the VPC; public DNS servers will not resolve the VPC endpoint DNS name.
   + **DNS record IP type** – Choose IPv4 or IPv6. Dualstack DNS record IP type is currently not supported. If you choose Dualstack, you won’t be able to stream from WorkSpaces using the VPC endpoint.
   + **Subnets** – Choose the subnets (Availability Zones) to create the VPC endpoint. It is recommended that you choose at least two subnets.
   + **IP address type** – Choose IPv4, IPv6 or Dualstack depending on what the Subnets you chose support.
   + **Security groups panel** – Select the security group you created earlier.

1. (Optional) In the **Tags** panel, you can create one or more tags.

1. Select **Create endpoint**.

When the endpoint is ready to use, the value in the **Status** column changes to **Available**.

### Step 3: Configure WorkSpaces directory to use the VPC endpoint
<a name="configure-directory-vpc-endpoint"></a>

You need to configure the WorkSpaces directory to use the VPC endpoint that you created for streaming.

1. Open the [WorkSpaces console](https://console.aws.amazon.com/workspaces/v2/home) in the same AWS Region as the VPC endpoint.

1. In the **Navigation** pane, select **Directories**.

1. Select the directory that you want to use.

1. Go to the **VPC Endpoints** section, then **Edit**.

1. In the **Edit VPC Endpoint** dialog box, under **Streaming Endpoint**, select the VPC endpoint you created. Note that only one VPC endpoint can be selected for each directory.

1. Optionally, you can enable **Allow users with PCoIP WorkSpaces to stream from the internet**.
**Note**  
When enabled, your users can stream from their PCoIP WorkSpaces through the public internet. Otherwise, the PCoIP WorkSpaces in the directory become unreachable, because PCoIP WorkSpaces don't support VPC endpoints for streaming.

1. Select **Save**.

Traffic for new streaming sessions will be routed through this VPC endpoint. However, traffic for current streaming sessions continues to be routed through the previously specified endpoint.

**Note**  
Users with DCV WorkSpaces cannot stream using the public internet when a VPC endpoint is specified.
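Steps 1 and 2 above can also be driven from the SDK. The following Python (boto3) script is an added example, not AWS's own code: it builds the Step 1 inbound rules (TCP and UDP on 443 and 4195, with each source placed in the IPv4, IPv6 or security-group field that EC2 expects), assembles the Step 2 `create_vpc_endpoint` call for `com.amazonaws.<Region>.highlander` with private DNS enabled, and rejects the unsupported Dualstack DNS record IP type before any API call is made. The VPC, subnet, CIDR and security group values in it are constructed placeholders, and Step 3 (attaching the endpoint to the directory) is still done in the WorkSpaces console as described above.

```python
"""Step 1 (security group) and Step 2 (interface endpoint) as boto3 calls.
Added example (not AWS code). All IDs and CIDRs below are constructed placeholders."""
import ipaddress
from typing import Dict, List

STREAMING_PORTS = (443, 4195)   # ports WorkSpaces clients use to reach the endpoint
PROTOCOLS = ("tcp", "udp")      # Step 1 adds both a TCP and a UDP rule set


def classify_source(source: str) -> str:
    """Return 'sg', 'ipv4' or 'ipv6' for one Step 1 'Source' value."""
    if source.startswith("sg-"):
        return "sg"
    net = ipaddress.ip_network(source, strict=False)  # raises ValueError on junk
    return "ipv6" if net.version == 6 else "ipv4"


def build_ingress_rules(sources: List[str],
                        description: str = "WorkSpaces streaming client") -> List[Dict]:
    """One IpPermission per protocol/port pair (tcp/udp x 443/4195).

    Each source goes in the field EC2 expects for its address family: IpRanges
    (IPv4), Ipv6Ranges (IPv6) or UserIdGroupPairs (security group), so users on
    either address family are allowed as the procedure requires."""
    rules = []
    for proto in PROTOCOLS:
        for port in STREAMING_PORTS:
            rule = {"IpProtocol": proto, "FromPort": port, "ToPort": port,
                    "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": []}
            for src in sources:
                kind = classify_source(src)
                if kind == "ipv4":
                    rule["IpRanges"].append({"CidrIp": src, "Description": description})
                elif kind == "ipv6":
                    rule["Ipv6Ranges"].append({"CidrIpv6": src, "Description": description})
                else:
                    rule["UserIdGroupPairs"].append({"GroupId": src, "Description": description})
            # keep only the source fields that were actually populated
            rules.append({k: v for k, v in rule.items() if v != []})
    return rules


def build_endpoint_params(region: str, vpc_id: str, subnet_ids: List[str], sg_id: str,
                          dns_record_ip_type: str = "ipv4",
                          ip_address_type: str = "ipv4") -> Dict:
    """Keyword arguments for ec2.create_vpc_endpoint() matching Step 2.

    Dualstack DNS records are not supported for WorkSpaces streaming, so that
    value is rejected here instead of producing an endpoint that cannot stream."""
    if dns_record_ip_type not in ("ipv4", "ipv6"):
        raise ValueError("DNS record IP type must be 'ipv4' or 'ipv6'; "
                         "dualstack is not supported for WorkSpaces streaming")
    return {
        "VpcEndpointType": "Interface",
        "ServiceName": f"com.amazonaws.{region}.highlander",
        "VpcId": vpc_id,
        "SubnetIds": list(subnet_ids),          # at least two Availability Zones is recommended
        "SecurityGroupIds": [sg_id],
        "PrivateDnsEnabled": True,              # keep the private DNS name resolvable
        "IpAddressType": ip_address_type,
        "DnsOptions": {"DnsRecordIpType": dns_record_ip_type},
    }


def apply(region: str, vpc_id: str, subnet_ids: List[str], sources: List[str],
          sg_name: str = "workspaces-streaming-endpoint"):
    """Create the security group and the endpoint (needs AWS credentials)."""
    import boto3  # imported here so the builders above stay usable offline
    ec2 = boto3.client("ec2", region_name=region)
    sg_id = ec2.create_security_group(
        GroupName=sg_name, VpcId=vpc_id,
        Description="Inbound TCP/UDP 443 and 4195 from WorkSpaces clients")["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=build_ingress_rules(sources))
    endpoint = ec2.create_vpc_endpoint(**build_endpoint_params(region, vpc_id, subnet_ids, sg_id))
    return sg_id, endpoint["VpcEndpoint"]["VpcEndpointId"]


if __name__ == "__main__":
    # Constructed placeholder inputs: a corporate IPv4 range, an IPv6 range and a client security group.
    for rule in build_ingress_rules(["10.20.0.0/16", "2001:db8:1::/48", "sg-0123456789abcdef0"]):
        print(rule)
```

Running `apply()` requires credentials with `ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress` and `ec2:CreateVpcEndpoint`; the builder functions run without any AWS access, which makes the generated rules easy to review before they are applied.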

## Understanding VPC Endpoint DNS Names
<a name="vpc-endpoint-dns-names"></a>

After you create an interface VPC endpoint for WorkSpaces streaming, AWS automatically assigns two DNS names to the endpoint that WorkSpaces clients can use to connect:

**Unique publicly resolvable DNS name**

A globally unique, publicly resolvable DNS name in the format:

```
vpce-<endpoint-id>-<random-string>.prod.highlander.<region>.vpce.amazonaws.com
```

This DNS name is unique per VPC endpoint. While it is publicly resolvable (anyone can query it), it returns private IP addresses from your VPC that are only accessible from within your VPC or connected networks (via VPN or AWS Direct Connect).

**Generic private DNS name**

A shared private DNS name in the format:

```
privatelink.prod.<region>.highlander.aws.a2z.com
```

This DNS name is shared across all VPC endpoints in the same Region and resolves only within the VPC that contains the endpoint, using the private DNS resolver in that VPC. This DNS name is maintained for backward compatibility with existing deployments.

WorkSpaces clients automatically use the unique publicly resolvable DNS name by default, with automatic fallback to the generic DNS name if needed. No action is required for existing customers.

To find the unique publicly resolvable DNS name for your VPC endpoint:

1. Open the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose Endpoints.

1. Select your WorkSpaces interface VPC endpoint (service name: com.amazonaws.*Region*.highlander).

1. In the Details tab, find the DNS names section.

1. The unique publicly resolvable DNS name is listed as the Regional DNS name.

## Network Requirements
<a name="vpc-endpoint-network-requirements"></a>

Ensure your firewall or proxy allows access to:

```
*.prod.highlander.<region>.vpce.amazonaws.com
privatelink.prod.<region>.highlander.aws.a2z.com
```

Replace `<region>` with your AWS Region (for example, `us-east-1`, `eu-west-1`).

The same port requirements for DCV streaming apply.

If you use a proxy for WorkSpaces client connections, the VPC endpoint DNS name must be allowed through the proxy. For successful DNS name resolution, use the private DNS servers within your VPC; public DNS servers will resolve the DNS name but the returned private IP addresses will not be accessible from outside your VPC.
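The two name formats and the allow-list entries above can be checked programmatically. The following Python is an added example, not AWS code: it derives the firewall entries for a Region, recognises the two DNS name formats, and verifies that the addresses a resolver returned for an endpoint name are VPC-private, which is what distinguishes a usable private-DNS answer from a public-resolver answer that clients cannot reach. The Region pattern and the sample addresses are assumptions constructed for the example.

```python
"""Checks for the WorkSpaces streaming endpoint DNS names and allow-list entries.
Added example (not AWS code). Name formats come from this page; the Region
pattern and the sample addresses are constructed assumptions."""
import ipaddress
import re
import socket
from typing import List, Optional, Tuple

# Assumed Region shape: us-east-1, eu-west-2, us-gov-west-1, ap-southeast-3 ...
_REGION = r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
UNIQUE_NAME = re.compile(rf"^vpce-[0-9a-f]+-[0-9a-z]+\.prod\.highlander\.{_REGION}\.vpce\.amazonaws\.com$")
GENERIC_NAME = re.compile(rf"^privatelink\.prod\.{_REGION}\.highlander\.aws\.a2z\.com$")

# Address space a VPC can use: RFC 1918, the CGNAT range and IPv6 ULA.
VPC_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "fc00::/7")]


def allow_list_entries(region: str) -> List[str]:
    """The two firewall/proxy entries from the Network Requirements section, for one Region."""
    return [f"*.prod.highlander.{region}.vpce.amazonaws.com",
            f"privatelink.prod.{region}.highlander.aws.a2z.com"]


def classify_hostname(hostname: str) -> Tuple[Optional[str], Optional[str]]:
    """('unique' | 'generic' | None, region) for a candidate endpoint DNS name."""
    name = hostname.lower().rstrip(".")
    for kind, pattern in (("unique", UNIQUE_NAME), ("generic", GENERIC_NAME)):
        m = pattern.match(name)
        if m:
            return kind, m.group("region")
    return None, None


def is_vpc_address(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in VPC_RANGES)


def check_resolution(hostname: str, addresses: List[str]) -> List[str]:
    """Findings for the addresses a resolver returned for an endpoint name.

    A correct answer is a WorkSpaces endpoint name resolving to VPC-private
    addresses; an empty answer for the generic name means the client is not
    using the VPC's private resolver."""
    findings = []
    kind, _ = classify_hostname(hostname)
    if kind is None:
        findings.append("hostname is not a WorkSpaces streaming endpoint DNS name")
    if not addresses:
        hint = "use the VPC's private DNS resolver" if kind == "generic" else "check resolver and proxy"
        findings.append(f"no addresses returned; {hint}")
    for a in addresses:
        if not is_vpc_address(a):
            findings.append(f"{a} is not a VPC-private address; traffic would not stay on PrivateLink")
    return findings


def resolve_and_check(hostname: str) -> List[str]:
    """Live variant: resolve with the local resolver, then run the same checks."""
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443)})
    except socket.gaierror:
        addrs = []
    return check_resolution(hostname, addrs)


if __name__ == "__main__":
    print(allow_list_entries("us-east-1"))
    # Constructed endpoint name and a constructed private answer from a VPC resolver.
    print(check_resolution("vpce-0123456789abcdef0-abcd1234.prod.highlander.us-east-1.vpce.amazonaws.com",
                           ["10.0.1.25", "10.0.2.40"]))
```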

# Make Amazon WorkSpaces API requests through a VPC interface endpoint
<a name="interface-vpc-endpoint"></a>

You can connect directly to Amazon WorkSpaces API endpoints through an [interface endpoint](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpce-interface.html) in your virtual private cloud (VPC) instead of connecting over the internet. When you use a VPC interface endpoint, communication between your VPC and the Amazon WorkSpaces API endpoint is conducted entirely and securely within the AWS network.

**Note**  
This feature can be used only for connecting to WorkSpaces API endpoints. To connect to WorkSpaces using the WorkSpaces clients, internet connectivity is required, as described in [IP address and port requirements for WorkSpaces Personal](workspaces-port-requirements.md).

The Amazon WorkSpaces API endpoints support [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html) (Amazon VPC) interface endpoints that are powered by [AWS PrivateLink](https://aws.amazon.com/privatelink/). Each VPC endpoint is represented by one or more [network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) (also known as elastic network interfaces, or ENIs) with private IP addresses in your VPC subnets.

The VPC interface endpoint connects your VPC directly to the Amazon WorkSpaces API endpoint without an internet gateway, NAT device, VPN connection, or Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Amazon WorkSpaces API endpoint.

You can create an interface endpoint to connect to Amazon WorkSpaces with either the AWS Management Console or AWS Command Line Interface (AWS CLI) commands. For instructions, see [Creating an Interface Endpoint](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpce-interface.html#create-interface-endpoint).

*After you have created a VPC endpoint*, you can use the following example CLI commands that use the `endpoint-url` parameter to specify interface endpoints to the Amazon WorkSpaces API endpoint:

```
# Replace the Capitalized placeholders with your own values. The --endpoint-url
# value must be a full URL including the https:// scheme.
aws workspaces copy-workspace-image --endpoint-url https://VPC_Endpoint_ID.workspaces.Region.vpce.amazonaws.com \
    --name New_Image_Name \
    --source-image-id Source_Image_ID \
    --source-region Source_Region

aws workspaces delete-workspace-image --endpoint-url https://VPC_Endpoint_ID.workspaces.Region.vpce.amazonaws.com \
    --image-id Image_ID

aws workspaces describe-workspace-bundles --endpoint-url https://VPC_Endpoint_ID.workspaces.Region.vpce.amazonaws.com \
    --owner AMAZON
```

If you enable private DNS hostnames for your VPC endpoint, you don't need to specify the endpoint URL. The Amazon WorkSpaces API DNS hostname that the CLI and Amazon WorkSpaces SDK use by default (https://api.workspaces.*Region*.amazonaws.com) resolves to your VPC endpoint.

The Amazon WorkSpaces API endpoint supports VPC endpoints in all AWS Regions where both [Amazon VPC](https://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region) and [Amazon WorkSpaces](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services) are available. Amazon WorkSpaces supports making calls to all of its [public APIs](https://docs.aws.amazon.com/workspaces/latest/api/welcome.html) inside your VPC.

To learn more about AWS PrivateLink, see the [AWS PrivateLink documentation](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html#what-is-privatelink). For the price of VPC endpoints, see [VPC Pricing](https://aws.amazon.com/vpc/pricing/). To learn more about VPC and endpoints, see [Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html).

To see a list of Amazon WorkSpaces API endpoints by Region, see [WorkSpaces API Endpoints](workspaces-port-requirements.md#workspaces_api_endpoints).

# Create a VPC endpoint policy for Amazon WorkSpaces
<a name="api-private-link-policy"></a>

You can create a policy for Amazon VPC endpoints for Amazon WorkSpaces to specify the following:
+ The principal that can perform actions.
+ The actions that can be performed.
+ The resources on which actions can be performed.

For more information, see [Controlling Access to Services with VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*.

**Note**  
VPC endpoint policies aren't supported for Federal Information Processing Standard (FIPS) Amazon WorkSpaces endpoints.

The following example VPC endpoint policy specifies that all users who have access to the VPC interface endpoint are allowed to perform Amazon WorkSpaces actions on the WorkSpace with the ID `ws-f9abcdefg`.

```
{
     "Statement": [
         {
             "Action": "workspaces:*",
             "Effect": "Allow",
             "Resource": "arn:aws:workspaces:us-west-2:1234567891011:workspace/ws-f9abcdefg",
             "Principal": "*"
         }
     ]
}
```

In this example, the following actions are denied:
+ Performing Amazon WorkSpaces API actions on WorkSpaces other than `ws-f9abcdefg`.
+ Performing an action on any resource besides the one specified (WorkSpace ID: `ws-f9abcdefg`).

**Note**  
In this example, users can still take other Amazon WorkSpaces API actions from outside the VPC. To restrict API calls to those from within the VPC, see [Identity and access management for WorkSpaces](workspaces-access-control.md) for information about using identity-based policies to control access to Amazon WorkSpaces API endpoints.
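To reason about a policy like the one above before attaching it, the following Python is an added example, not AWS code. It evaluates an endpoint policy for a given action and resource with IAM's default-deny and explicit-deny-wins semantics (Action, Resource and Principal with wildcards; `NotAction`, `NotResource` and `Condition` are not modelled), lints for the wide-open "any principal, every action, every resource" statement that is no tighter than having no policy at all, and shows the `modify_vpc_endpoint` call that attaches the document. `PAGE_POLICY` is the policy shown above; the default principal ARN is a constructed placeholder.

```python
"""Offline evaluation and linting of a VPC endpoint policy for the WorkSpaces API.
Added example (not AWS code). PAGE_POLICY is the policy shown on this page."""
import fnmatch
import json
from typing import Dict, List

PAGE_POLICY = {
    "Statement": [
        {
            "Action": "workspaces:*",
            "Effect": "Allow",
            "Resource": "arn:aws:workspaces:us-west-2:1234567891011:workspace/ws-f9abcdefg",
            "Principal": "*",
        }
    ]
}


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement: Dict, principal_arn: str) -> bool:
    principal = statement.get("Principal", "*")
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def endpoint_policy_decision(policy: Dict, action: str, resource: str,
                             principal_arn: str = "arn:aws:iam::123456789012:user/example") -> str:
    """'Allow' or 'Deny': default deny, and an explicit Deny beats any Allow.

    Action names compare case-insensitively, ARNs exactly. The default
    principal is a constructed placeholder for a caller inside the VPC."""
    decision = "Deny"
    for st in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not (_wildcard_match(actions, action.lower())
                and _wildcard_match(st.get("Resource", []), resource)
                and _principal_matches(st, principal_arn)):
            continue
        if st.get("Effect") == "Deny":
            return "Deny"
        if st.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def lint_policy(policy: Dict) -> List[str]:
    """Flag Allow statements granting every WorkSpaces action on every resource."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if (st.get("Effect") == "Allow" and "*" in resources
                and any(a in ("*", "workspaces:*") for a in actions)):
            findings.append(f"statement {i}: allows {actions} on every resource; "
                            "scope Resource to specific WorkSpace ARNs")
    return findings


def apply_policy(vpc_endpoint_id: str, policy: Dict, region: str) -> None:
    """Attach the policy to an existing interface endpoint (needs AWS credentials)."""
    import boto3  # imported lazily so the evaluator and linter work offline
    boto3.client("ec2", region_name=region).modify_vpc_endpoint(
        VpcEndpointId=vpc_endpoint_id, PolicyDocument=json.dumps(policy))


if __name__ == "__main__":
    arn = PAGE_POLICY["Statement"][0]["Resource"]
    print(endpoint_policy_decision(PAGE_POLICY, "workspaces:RebootWorkspaces", arn))   # Allow
    print(endpoint_policy_decision(PAGE_POLICY, "workspaces:RebootWorkspaces",
                                   arn.replace("ws-f9abcdefg", "ws-0other123")))        # Deny
    print(lint_policy(PAGE_POLICY))                                                     # []
```

As the note above says, this decision only governs requests that arrive through the endpoint; the same principal calling the public API endpoint from outside the VPC is controlled by IAM policies, not by this document.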

# Connect your private network to your VPC
<a name="notebook-private-link-vpn"></a>

To call the Amazon WorkSpaces API through your VPC, you have to connect from an instance that is inside the VPC, or connect your private network to your VPC by using AWS Virtual Private Network (Site-to-Site VPN) or Direct Connect. For information, see [VPN Connections](https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html) in the *Amazon Virtual Private Cloud User Guide*. For information about AWS Direct Connect, see [Creating a Connection](https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-connection.html) in the *Direct Connect User Guide*.

# Update management in WorkSpaces
<a name="update-management"></a>

We recommend that you regularly patch, update, and secure the operating system and applications on your WorkSpaces. You can configure your WorkSpaces to be updated by WorkSpaces during a regular maintenance window or you can update them yourself. For more information, see [Maintenance in WorkSpaces Personal](workspace-maintenance.md).

For applications on your WorkSpaces, you can use any automatic update services provided or follow the recommendations for installing updates provided by the application vendor.