WorkSpaces Web is a low-cost, fully managed Linux-based service that provides a secure browser-based platform for accessing internal and external websites and SaaS applications.
Represents the Google Chrome browser (web content ephemerally streams from the WorkSpaces network to the user’s local browser) centrally managed in your organization and deployed inside your SAML-integrated VPC to provide secure remote access to external resources or internal services without a VPN.
Not to be confused with Amazon WorkSpaces, which allows you to provide your users with Microsoft Windows, Amazon Linux, or Ubuntu Linux virtual cloud desktops.
Solution overview:
The backend uses the CloudFormation template to deploy a network interface with a private IP address only for availability whenever WorkSpaces Web is active. So, NAT Gateway is preemptively created to relay outbound traffic. The infrastructure can be simplified by unfolding WorkSpaces Web in a public subnet and manually attaching an external IP address having the correct routes to reach the Internet gateway. Still, you need to automate the association process because the network interface is re-created each time WorkSpaces Web becomes active from idle.
Creation process:
1. Networking.
Navigate to the WorkSpaces Web page and choose Web portals. It has a quantity limitation of 1 per region (adjustable) and is available now only in us-east-1, us-west-2, ap-south-1, ap-southeast-1, ap-northeast-1, ca-central-1, eu-central-1, us-west-1, eu-west-2.
VPC must meet the requirements (example in the diagram) – you must select at least two private subnets.
SecurityGroup should allow outbound connections.
2. Logging (OPTIONAL).
WorkSpaces Web offers two types of metrics – Cloudwatch and User Access Logs.
CloudWatch metrics provide the following usage information:
- SessionAttempt: the number of WorkSpaces Web session attempts.
- SessionSuccess: the number of successful WorkSpaces Web session starts.
- SessionFailure: the number of failed WorkSpaces Web session starts.
Access logging which is delivered via kinesis streams record the following events:
- Session start – Marks the beginning of the WSW session.
- Session end – Marks the end of the WSW session.
- URL navigation – Logs the URL that the user loaded.
Each event includes the time, username, and web portal ARN.
Enabling access session logs:
- Create an S3 bucket to save logs
- Create a Kinesis Data Stream with the name amazon-workspaces-web-“
- Create a delivery stream Kinesis Data Firehose to S3 using a previously created bucket
- Choose the created Kinesis Data Stream to receive data from WorkSpaces Web.
As a result, you will have your session logged in the format:
{“timestamp”:”1693915483195″,”eventType”:”VisitPage”,”details”:{“title”:”AWS Management Console”,”url”:”https://us-east-1.console.aws.amazon.com/console/home?region=us-east-1#”},”portalArn”:”arn:aws:workspaces-web:us-east-1:example:portal/02a3d027-6697-47ad-9a65-1063cf205774″,”userName”:”user@emailexample.com”}
3. Site access, security restrictions and user experience.
- For security purposes, access to the WorkSpacesWeb can be restricted by creating an IP Access Control Group.
Access Control Group.
- URL access to links in the WorkSpace Web itself is limited through policies:
– URLs can be allowed/blocked or mixed (JSON format can be uploaded)
– Have all URLs blocked except allowlist or allow all except particular
– Allow/deny Incognito mode and browsing history deletion
The example JSON to allow just AWS main page and console.
{
“chromePolicies”: {
“ManagedBookmarks”: {
“value”: [
{
“name”: “aws”,
“url”: “https://console.aws.amazon.com”
}
]
},
“BookmarkBarEnabled”: {
“value”: true
},
“RestoreOnStartup”: {
“value”: 4
},
“RestoreOnStartupURLs”: {
“value”: [
“https://aws.amazon.com”
]
},
“URLBlocklist”: {
“value”: [
“*”
]
},
“URLAllowlist”: {
“value”: [
“console.aws.amazon.com”,
“amazonaws.com”,
“awsapps.com”,
“aws.amazon.com”,
“console.amazonaws-us-gov.com”,
“console.aws.amazon.com”,
“signin.aws.amazon.com”,
“signin.aws”,
“chrome://downloads”,
“chrome://bookmarks”
]
},
“AllowDeletingBrowserHistory”: {
“value”: false
},
“IncognitoModeAvailability”: {
“value”: 1
}
}
}
To manage and improve the user experience, you can set:
- Browser bookmarks, extensions
- Set up copy/paste for a remote session or copy only to a local device
- Limit session duration and idle timeout
4.User authorization and authentication by configuring identity provider.
In our example, we are using the IAM Identity Center, but WorkSpaces Web supports user authentication and federated login using any SAML 2.0 compliant identity providers such as OneLogin, Okta, Ping Identity, and more.
Clicking the Continue with IAM Identity Center button will take you to the Applications page of the IAM Identity Center, where you will need to create or/add an existing user/group to the WorkSpace application. Once created, a process is editable, so you can choose a non-custom option and add it in the future, but the charges will apply.
5. Pricing.
6. Usage of Amazon WorkSpaces Web.
NOTE: The portal is re-created each time it is edited, so it is unavailable until the “Active” state.
Upon reaching the link, you must be signed in as a user from your identity provider.
UI panel can be minimized and, drag and dropped:
Browser can be customized by user:
- Window (create/close) a new separate window in WorkSpaces Web.
- Manage files download/upload from/to local.
- Clipboard shows copy/paste feature.
- By Dual monitor by Amazon AppStream, you can enhance the user experience by having a fully screened separate monitor for WorkSpaces Web.
- The full screen makes the current browser full-sized.
- Microphone control: Users may connect a local device microphone input to the remote Chrome browser during a session.
- Preference (size, resolution).
- Notifications.
- The profile holds session information based on bandwidth usage and frame rate feedback form.
Managing files between local and WorkSpace Web is easy, but files are transferred within the session, so the files folder is empty every time WorkSpace Web creates an environment:
Accessing AWS Management Console and viewing files in the WorkSpace Web Browser:
Internal resources inside VPC can be reached if allowed:
Accessing resources that are not allowed – result blocked:
Conclusion:
Amazon WorkSpaces Web provides a low-cost solution for secure browsing. It can be used to access internal resources without a VPN connection (helpdesk, etc.) or offer high security for remote workers within an organization.
It can appeal to large enterprises and startups since the price depends on the users granted access.
