How to control access to the AWS WorkSpaces Client from outside the company network environment
Problem I was having
Currently, I am able to log in to AWS WorkSpaces from outside the company network environment using the AWS WorkSpaces Client. Please tell me how to control general access to the AWS WorkSpaces Client as a security measure.
Answer
There are two methods to control access to the WorkSpaces client.
① IP access control groups
With this method, it is possible to control connections to WorkSpaces by IP address.
For details, please refer to the AWS official documentation.
[Create an IP Access Control Group - Amazon WorkSpaces](https://docs.aws.amazon.com/ja_jp/workspaces/latest/adminguide/amazon-workspaces-ip-access-control-groups.html#create-ip-access-control-group)
② Access control options
This method allows you to validate client terminals connecting to WorkSpaces using client certificates.
This method does not restrict connections by IP address, so apply the setting as needed.
[Restrict WorkSpaces Access to Trusted Devices - Amazon WorkSpaces](https://docs.aws.amazon.com/ja_jp/workspaces/latest/adminguide/trusted-devices.html)
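For method ①, the following is an added example (not code from this article or from AWS) that checks a planned rule set offline before it is applied: it flags rules that would not restrict anything or would not match a client's public address, and shows which client IPs the rules would admit. The sample CIDR blocks, descriptions and the helper names `check_rules`, `is_allowed` and `apply_rules` are constructed for illustration; `apply_rules` uses the boto3 `create_ip_group` and `associate_ip_groups` calls and needs AWS credentials.

```python
import ipaddress

# RFC 1918 ranges: a client behind NAT is seen by its public egress address,
# so a rule written for these ranges is assumed here never to match it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules, shaped like the UserRules argument of create_ip_group.
RULES = [
    {"ipRule": "203.0.113.0/24", "ruleDesc": "head office egress (constructed)"},
    {"ipRule": "198.51.100.7/32", "ruleDesc": "VPN gateway (constructed)"},
]

def check_rules(user_rules):
    """Parse each rule; return (networks, problems) without calling AWS."""
    networks, problems = [], []
    for rule in user_rules:
        cidr = rule["ipRule"]
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid CIDR block ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{cidr}: matches every address, so nothing is restricted")
        elif net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{cidr}: private range, use the public NAT/VPN egress address")
        networks.append(net)
    return networks, problems

def is_allowed(client_ip, networks):
    """True if the client's public IP falls inside at least one rule."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)

def apply_rules(directory_id, group_name, user_rules, region):
    """Create the group and associate it with the directory (needs AWS credentials)."""
    import boto3  # imported lazily so the checks above run offline
    ws = boto3.client("workspaces", region_name=region)
    group_id = ws.create_ip_group(GroupName=group_name, UserRules=user_rules)["GroupId"]
    ws.associate_ip_groups(DirectoryId=directory_id, GroupIds=[group_id])
    return group_id

if __name__ == "__main__":
    nets, problems = check_rules(RULES)
    for p in problems:
        print("PROBLEM:", p)
    for ip in ("203.0.113.42", "198.51.100.8"):  # constructed client addresses
        print(ip, "allowed" if is_allowed(ip, nets) else "blocked")
```

Run the checks first and call `apply_rules` only when the problem list is empty, so that a mistyped rule does not lock out the office network or leave the directory open.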
Does the WorkSpaces Client application proxy setting serve as an access control?
The WorkSpaces client application proxy settings consist of three options:
- [Do not use proxy server]
- [Customize proxy server for WorkSpaces]
- [Use device operating system settings]
This selection only determines which proxy the client application uses, so it is not directly related to access control.
Also, using a proxy server may lead to increased network latency and decreased streaming quality, so the use of proxies is not recommended.
Reference materials
[1] [Recommendations for using proxy servers - Amazon WorkSpaces] - https://docs.aws.amazon.com/ja_jp/workspaces/latest/adminguide/group_policy.html#gp_kerberos_ticket
[2] [New Feature: IP-based access control has been added to WorkSpaces!] - https://dev.classmethod.jp/articles/workspaces-ip-base-access-control/