
Prerequisites

Before you begin, make sure that you've completed all of the necessary prerequisites. For more information, see Setting up Amazon WorkSpaces Web (p. 4).

Step 1: Create a web portal

Follow these steps to create a web portal.

If you already completed these steps in Set up your SAML 2.0 identity provider (p. 13), you can skip this section and go to Step 2: Test the endpoint (p. 19).

1. Open the WorkSpaces Web console at https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/.

2. Choose WorkSpaces Web, Web portals, and then choose Create web portal.

3. On the Step 1: Specify networking connection page, complete the following steps to connect your VPC to your web portal, and configure your VPC and subnets.

Note

You can choose to skip this step for now and complete it after you create a web portal, in step 13 below.

1. For Networking details, choose a VPC.

2. Choose at least two private subnets that meet all requirements. For more information, see Set up your network (p. 6).

3. Choose a security group.

4. On the Step 2: Configure web portal settings page, complete the following steps to customize your users' browsing experience when they start a session, and then choose Next:

Note

WorkSpaces Web applies additional browser policies to isolate users to the browser interface sessions, on behalf of the customer. For more information, see Review browser policies (p. 12).

1. Under Web portal details, for Display name, enter an identifiable name for your web portal.

2. Under Policy settings, enter the following details:

• For Policy options, choose Visual editor or JSON file upload to choose how to provide the policy configuration details for your web portal. WorkSpaces Web includes support for Chrome enterprise policies, and you can add and manage policies using either a visual editor, or a manual upload for policy files. You can switch between either option at any time.

When you upload a policy file, you will see the available policies in the file. However, not all policies can be edited in the visual editor. You might need to manually edit the JSON data to make changes to a policy.

• For Startup URL - optional, you can enter a domain to use as the homepage when users launch their browser. Your VPC must have a stable connection to this URL.

• For Browser bookmarks - optional, you can enter the Display name, Domain, and Folder for any bookmarks you want your users to see in their browser, and choose Add bookmark.

Note

Domain is a required field for browser bookmarks.

5. On the Step 3: Select user settings page, complete the following steps to choose which features your users can access from the top navigation bar during their session, and then choose Next:

1. For Clipboard, choose Disabled or Enabled.

2. Under File transfer, choose Disabled or Enabled.

3. For Print to local device, choose Allowed or Not allowed.

6. On the Step 4: Configure identity provider page of the creation wizard, choose Download metadata file to download the service provider (SP) metadata document that you will upload to your identity provider (IdP) in the next step. You must upload the service provider metadata file to your IdP. Otherwise, your users won't be able to log in.

Note

WorkSpaces Web supports service provider initiated (SP-initiated) sign-in flows with your SAML 2.0-compliant IdP. WorkSpaces Web does not yet support identity provider initiated (IdP-initiated) sign-in flows.

7. Open another tab in your browser, and complete the following steps for your IdP:

1. Upload the SP metadata document that you downloaded in the previous step to your IdP. You must either upload the file to your IdP, or copy and paste the metadata values (for providers like Okta). The details of this configuration process vary between providers. Check your provider's documentation for detailed help on adding the details provided by WorkSpaces Web to your configuration.

2. Grant access to your users in your IdP to use WorkSpaces Web.

3. Download a metadata exchange file from your IdP. You will upload this metadata to WorkSpaces Web in the next step.

8. Return to the WorkSpaces Web console, and on the Configure identity provider page of the creation wizard, upload the metadata file from your IdP that you downloaded in the previous step. WorkSpaces Web requires this metadata from your IdP to establish trust. When you are done, choose Next.

Note

WorkSpaces Web requires the subject or NameID to be mapped and set in the SAML assertion within your IdP's settings. Your IdP can create these mappings automatically.

If these mappings are not configured correctly, a user who attempts to sign in to the web portal might be unable to start a session.

9. On the Step 5: Review and launch page, review the settings you've selected for your web portal.

You can choose Edit to make any changes, or you can change these settings later on from the Web portals tab of the console.

10. When you're done, choose Launch web portal.

11. To view the status of your web portal, choose Web portals, choose your portal, and choose View details.

A web portal can have one of the following statuses:

• Incomplete – The web portal's configuration is missing required identity provider settings.

• Pending – The web portal is applying changes to its settings.

• Active – The web portal is ready and available for use.

12. Wait up to 15 minutes for your portal to become Active.

13. If you skipped step 3 above, follow these steps to configure your subnets:

1. Choose Web portals, choose your portal, and then choose Edit.

2. In Networking details, choose a VPC with VPC endpoints.

3. Choose at least two private subnets with all three VPC endpoints that you created previously. Make sure they are in different AZs.

4. Choose Save, and wait up to 15 minutes for the changes to take effect.
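The note under step 8 says a sign-in can fail to start a session when the IdP does not set the Subject/NameID in the SAML assertion. The following Python check is an added example (not AWS or WorkSpaces Web code) that a portal administrator can run against a SAMLResponse captured from their own IdP during troubleshooting: it decodes the base64 form the browser posts, locates the assertion using the standard SAML 2.0 namespaces, and reports whether a non-empty NameID is present. The two sample responses are constructed for illustration.

```python
"""Check a SAML 2.0 response for the Subject/NameID that WorkSpaces Web requires.

Added example, not part of the AWS documentation. Sample responses below are
constructed; the namespace URIs are the standard SAML 2.0 ones.
"""
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces (protocol and assertion).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_saml_response(b64_response: str) -> str:
    """The browser posts SAMLResponse as base64-encoded XML; return the XML text."""
    return base64.b64decode(b64_response).decode("utf-8")


def encode_for_post(xml_text: str) -> str:
    """Inverse of decode_saml_response, used here to build a realistic test input."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def check_name_id(response_xml: str) -> dict:
    """Return a diagnosis dict: ok=True with the NameID, or ok=False with a reason."""
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "reason": "response contains no Assertion element"}
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        return {"ok": False, "reason": "Assertion has no Subject element"}
    name_id = subject.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return {"ok": False, "reason": "Subject has no NameID value; map it in the IdP"}
    return {
        "ok": True,
        "name_id": name_id.text.strip(),
        "format": name_id.get("Format", ""),
    }


# Constructed sample: an assertion with the NameID mapped to the user's e-mail.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the IdP released attributes but never set the NameID.
MISSING_NAMEID_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_RESPONSE), ("missing", MISSING_NAMEID_RESPONSE)):
        print(label, check_name_id(decode_saml_response(encode_for_post(xml_text))))
```

Paste the SAMLResponse value from the browser's network tools into `decode_saml_response` and feed the result to `check_name_id`; an `ok: False` result points at the IdP's NameID mapping rather than at the portal configuration.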

Step 2: Test the endpoint

After you create a web portal, you can sign into the WorkSpaces Web endpoint to browse your connected websites as an end user would.

If you already completed these steps in Set up your SAML 2.0 identity provider (p. 13), you can skip this section and go to Step 3: Distribute the endpoint (p. 20).

1. Open the WorkSpaces Web console at https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/.

2. Choose WorkSpaces Web, Web portals, choose your web portal, and then choose View details.

3. Under Web portal endpoint, go to the specified URL for your portal. The web portal endpoint is the access point your users will launch your web portal from after signing in with the identity provider configured for the portal. It's publicly available on the internet and can be embedded into your network.

4. On the WorkSpaces Web sign-in page, choose Sign in, SAML, and enter your SAML credentials.

5. When you see the Your session is being prepared page, your WorkSpaces Web session is launching.

Do not close or exit this page.

6. The web browser launches, displaying your startup URL and any other additional behavior configured through your browser policy settings.

7. You can now browse to connected websites by choosing links or entering URLs into the address bar.

Step 3: Distribute the endpoint

When you are ready for your users to begin using WorkSpaces Web to access their streaming browser, you choose from the following options to distribute the endpoint to them:

• Email the endpoint URL to your users.

• Use a URL that you own, by choosing one of the following options:

• Use your IdP to register an arbitrary link (in this case, the web portal endpoint) as something that will show up as an application for users who log into their IdP directly.

• Add the endpoint to a website that you own, and use a browser redirect to direct users to the web portal.

Next steps

After you create your first web portal, you can view details, edit details, or delete the web portal at any time. For more information, see Managing your web portal (p. 21).

Managing your web portal

After you set up your web portal, you can view or edit its details, as well as delete the portal if it is no longer needed.

Topics

• View web portal details (p. 21)

• Edit a web portal (p. 21)

• Delete a web portal (p. 21)

View web portal details

To view web portal details

1. Open the WorkSpaces Web console at https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/.

2. Choose WorkSpaces Web, Web portals, choose your web portal, and then choose View details.

Edit a web portal

To edit a web portal

1. Open the WorkSpaces Web console at https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/.

2. Choose WorkSpaces Web, Web portals, choose your web portal, and then choose Edit.

Note

If you make changes to a user's settings while the user is actively using a session, your changes will take effect the next time the user starts a new session.

Delete a web portal

To delete a web portal

1. Open the WorkSpaces Web console at https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/.

2. Choose WorkSpaces Web, Web portals, choose your web portal, and then choose Delete.

Requesting a service quota increase

When you create your AWS account, we automatically set default service quotas (also referred to as limits) for resource usage with AWS services. WorkSpaces Web sets quotas on two types of resources: web portals (per region) and maximum concurrent sessions (per web portal). WorkSpaces Web currently has the following service quota limits:

Default quotas per AWS region per account

• Web portals: 1

• Maximum concurrent sessions: 25

A web portal is the foundational resource for the WorkSpaces Web service. It is an association between your SAML 2.0 identity provider, and your networking connection to the internet and your content.

You can create a web portal in any region where WorkSpaces Web is available. See the region table for current availability.

The maximum concurrent sessions is the highest number of users that will be connected at the same time to a given web portal. If the service quota limit for maximum concurrent sessions is not set appropriately, users may find that their session is not available when they sign into WorkSpaces Web. You should also ensure that your VPC and subnets have sufficient IP space to support the maximum concurrent sessions, or users might be unable to connect to a session.

For example, a customer has two web portals in US East (Northern Virginia) and 125 users. The first web portal (portal A) will be used by 25 users, and does not require a service quota increase. The second web portal (portal B) will be used by 100 users. These users are spread across two shifts, and their working hours do not overlap. Therefore, the customer would need to request a service quota increase for portal B to a maximum concurrent sessions value of 50 users.

You can request an increase for either one of these service quota limits. For more information, see Requesting a quota increase.
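The sizing example above can be turned into a repeatable planning check. The Python below is an added example, not part of the AWS documentation: it computes the peak number of simultaneous users for a portal from a list of shifts (a sweep over shift boundaries, so it generalizes from the two non-overlapping shifts in the text to any overlapping schedule), compares the peak with the default quota of 25 taken from the page, and estimates whether the portal's subnets leave enough private addresses. The shift data and subnet CIDRs are constructed; the assumption that one private IP should be planned per concurrent session is the example's own, not a figure from the page.

```python
"""Plan the 'maximum concurrent sessions' quota and subnet IP space for a web portal.

Added example, not AWS code. Default quota value is from the page; shifts and
CIDRs below are constructed sample data.
"""
from ipaddress import ip_network

DEFAULT_MAX_CONCURRENT_SESSIONS = 25   # default per-portal quota stated on the page
AWS_RESERVED_ADDRESSES_PER_SUBNET = 5  # AWS reserves the first four and the last IP of every subnet


def peak_concurrency(shifts):
    """shifts: list of (start_hour, end_hour, user_count), end exclusive.

    Sweep the boundaries in time order; at an equal hour, departures are applied
    before arrivals so back-to-back shifts (portal B) do not count as overlapping.
    """
    events = []
    for start, end, users in shifts:
        events.append((start, +users))
        events.append((end, -users))
    events.sort(key=lambda e: (e[0], e[1]))  # negative deltas sort first at the same hour
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def quota_plan(shifts, quota=DEFAULT_MAX_CONCURRENT_SESSIONS):
    """Return the peak, the quota, and the value to request if the peak exceeds the quota."""
    peak = peak_concurrency(shifts)
    return {"peak": peak, "quota": quota, "request_increase_to": peak if peak > quota else None}


def usable_addresses(subnet_cidrs):
    """Private IPs available across the portal's subnets after AWS reservations."""
    return sum(ip_network(c).num_addresses - AWS_RESERVED_ADDRESSES_PER_SUBNET for c in subnet_cidrs)


def ip_space_ok(subnet_cidrs, max_sessions):
    # Assumption for this example: plan one private IP per concurrent session.
    return usable_addresses(subnet_cidrs) >= max_sessions


# Constructed schedules matching the page's scenario (hours of the day, 24h clock).
PORTAL_A_SHIFTS = [(9, 17, 25)]                  # 25 users, one shift
PORTAL_B_SHIFTS = [(6, 14, 50), (14, 22, 50)]    # 100 users across two non-overlapping shifts

# Constructed subnet layouts: two small /28s versus two /26s in different AZs.
SMALL_SUBNETS = ["10.0.1.0/28", "10.0.2.0/28"]
LARGER_SUBNETS = ["10.0.1.0/26", "10.0.2.0/26"]


if __name__ == "__main__":
    print("portal A:", quota_plan(PORTAL_A_SHIFTS))
    print("portal B:", quota_plan(PORTAL_B_SHIFTS))
    print("portal B on small subnets:", ip_space_ok(SMALL_SUBNETS, 50))
    print("portal B on larger subnets:", ip_space_ok(LARGER_SUBNETS, 50))
```

Feed `quota_plan` the real shift pattern for each portal; a non-`None` `request_increase_to` is the value to put in the quota increase request described below, and `ip_space_ok` flags subnets that cannot carry that many sessions before users start seeing unavailable sessions.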

To request a service quota increase

1. Open the AWS Support dashboard.

2. Choose Service Limit Increase.

Important

WorkSpaces Web service quotas affect one Region at a time. You must request service quota increases in each AWS Region where you need more resources. For more information, see AWS service endpoints.

3. Under Use case description, enter the following information:

• If you are requesting an increase for the number of web portals, specify this resource type, and include your AWS Account ID, the region where you would like the increase, and the new limit value.

• If you are requesting an increase for maximum concurrent sessions, specify this resource type, and include your AWS Account ID, the region where you would like the increase, the web portal ARN, and the new limit value.

4. (Optional) To request multiple service quota increases at the same time, complete one quota increase request in the Requests section, and then choose Add another request.

Security in Amazon WorkSpaces Web

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs.

To learn about the compliance programs that apply to Amazon WorkSpaces Web, see AWS Services in Scope by Compliance Program.

Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors, including the sensitivity of your data, your company’s requirements, and any applicable laws and regulations that apply to your data.

This documentation helps you understand how to apply the shared responsibility model when using Amazon WorkSpaces Web. It shows you how to configure Amazon WorkSpaces Web to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Amazon WorkSpaces Web resources.

Contents

• Data protection in Amazon WorkSpaces Web (p. 23)

• Identity and Access Management for Amazon WorkSpaces Web (p. 25)

• Incident response in Amazon WorkSpaces Web (p. 43)

• Compliance validation for Amazon WorkSpaces Web (p. 43)

• Resilience in Amazon WorkSpaces Web (p. 44)

• Infrastructure security in Amazon WorkSpaces Web (p. 44)

• Configuration and vulnerability analysis in Amazon WorkSpaces Web (p. 44)

• Security best practices for Amazon WorkSpaces Web (p. 45)

Data protection in Amazon WorkSpaces Web

The AWS shared responsibility model applies to data protection in Amazon WorkSpaces Web. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the Data Privacy FAQ. For information about data protection in Europe, see the AWS Shared Responsibility Model and GDPR blog post on the AWS Security Blog.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:

• Use multi-factor authentication (MFA) with each account.

• Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.

• Set up API and user activity logging with AWS CloudTrail.

• Use AWS encryption solutions, along with all default security controls within AWS services.

• Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.

• If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form fields such as a Name field. This includes when you work with WorkSpaces Web or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

Data encryption

Amazon WorkSpaces Web collects portal customization data, such as browser settings, user settings, network settings, identity provider information, trust store data, and trust store certificate data.

WorkSpaces Web also collects browser policy data, user preferences (for browser settings), and session logs. Collected data is stored in Amazon DynamoDB and Amazon S3. WorkSpaces Web uses AWS Key Management Service for encryption.

To secure your content, follow these guidelines:

• Implement least privilege access and create specific roles to be used for WorkSpaces Web actions. Use IAM templates to create a Full Access role or Read Only role. For more information, see AWS managed policies for WorkSpaces Web (p. 36).

• Protect data end to end by providing a customer managed key, so WorkSpaces Web can encrypt your data at rest with the keys you supply.

• Be careful with sharing portal domains and user credentials:

• Admins are required to log into the Amazon WorkSpaces console, and users are required to log into the WorkSpaces Web portal.

• Anyone on the internet can access the web portal, but they can't start a session unless they have valid user credentials to the portal.

• Users can explicitly end their sessions by choosing End Session. This discards the instance hosting the browser session, and results in browser isolation.

WorkSpaces Web secures content and metadata by default by encrypting all sensitive data with AWS KMS. It collects browser policy and user preferences to enforce policy and settings during WorkSpaces Web sessions. If there is an error applying existing settings, a user can't access new sessions and can't access the company's internal sites and SaaS applications.

Encryption at rest

Encryption at rest is configured by default. Customer-specific data used in WorkSpaces Web is encrypted using AWS KMS. WorkSpaces Web provides encryption at rest for resources you create. The service accepts an AWS KMS Customer Managed Key on resource creation, and if one is not provided, an AWS Owned Key will be used to encrypt the resources at rest. The service encrypts the Browser Policy document you can provide to customize your browser sessions, as well as your identity provider configuration, and display names for your portals. This information will remain encrypted using either the Customer Managed Key, or the AWS Owned Key, while it is stored in our backend.

You can decide which key will be used when you create a WorkSpaces Web resource. If data that is part of that resource is encrypted, WorkSpaces Web accepts the customerManagedKeyArn field as part of the create API. The key provided must be a Symmetric AWS KMS key, and the administrator who creates the resource using this key must have kms:Decrypt, kms:GenerateDataKey, and kms:CreateGrant permissions. After a resource is created with the key, the key can't be removed or changed. If you used a Customer Managed Key, the administrator who accesses the resource must have kms:Decrypt and kms:GenerateDataKey permissions. If you see an error about access being denied while using the console, make sure that the user using the console has these permissions with the key that was used.

You can troubleshoot and audit key usage by checking the status of the AWS KMS grants. For more
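The paragraph above lists the KMS permissions the creating administrator needs (kms:Decrypt, kms:GenerateDataKey, kms:CreateGrant), the smaller set later readers need, and the requirement that the key be symmetric. The Python below is an added example, not AWS code, for checking those conditions before creating a portal or when diagnosing an access-denied error in the console. It evaluates the Allow statements of an IAM identity policy document against the key ARN (Deny statements, conditions and the key policy itself are deliberately not modelled, so a pass here is necessary but not sufficient) and checks key metadata in the shape returned by kms:DescribeKey. The policy documents, key ARN and metadata are constructed samples.

```python
"""Pre-flight check of KMS permissions and key type for a WorkSpaces Web customer managed key.

Added example, not AWS code. Required action lists come from the page; the
policies, key ARN and key metadata below are constructed for illustration.
"""
import fnmatch

# From the page: actions needed to create a resource with the key, and to access it later.
REQUIRED_TO_CREATE = ("kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant")
REQUIRED_TO_ACCESS = ("kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM action and ARN matching is case-insensitive with * wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def allowed_actions(policy, key_arn, candidates):
    """Actions from `candidates` that some unconditional Allow statement grants on key_arn.

    Simplification: Deny statements, conditions and the KMS key policy are not
    evaluated; a statement with a Condition is conservatively treated as not granting.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not any(_matches(r, key_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        actions = _as_list(stmt.get("Action", []))
        granted.update(c for c in candidates if any(_matches(a, c) for a in actions))
    return granted


def missing_actions(policy, key_arn, required):
    """Sorted list of required actions the policy does not grant on the key."""
    return sorted(set(required) - allowed_actions(policy, key_arn, required))


def key_usable(key_metadata):
    """WorkSpaces Web needs a symmetric key; KeySpec/KeyState follow kms:DescribeKey output."""
    return key_metadata.get("KeySpec") == "SYMMETRIC_DEFAULT" and key_metadata.get("KeyState") == "Enabled"


# Constructed sample key ARN (placeholder account id and key id).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Constructed identity policy for the administrator who creates the portal.
CREATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant"],
        "Resource": KEY_ARN,
    }],
}

# Constructed identity policy for an administrator who only views the portal afterwards.
READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/*",
    }],
}

# Constructed DescribeKey-style metadata for a symmetric key and for an asymmetric one.
SYMMETRIC_KEY = {"KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}
ASYMMETRIC_KEY = {"KeySpec": "RSA_2048", "KeyState": "Enabled"}


if __name__ == "__main__":
    print("creator missing:", missing_actions(CREATOR_POLICY, KEY_ARN, REQUIRED_TO_CREATE))
    print("reader missing for create:", missing_actions(READER_POLICY, KEY_ARN, REQUIRED_TO_CREATE))
    print("reader missing for access:", missing_actions(READER_POLICY, KEY_ARN, REQUIRED_TO_ACCESS))
    print("symmetric usable:", key_usable(SYMMETRIC_KEY), "asymmetric usable:", key_usable(ASYMMETRIC_KEY))
```

Run `missing_actions` with the creating administrator's policy and `REQUIRED_TO_CREATE` before calling the create API with the customer managed key, and with `REQUIRED_TO_ACCESS` for anyone who later sees an access-denied error in the console; remember that the key can't be changed once the resource is created, so the key type check belongs before creation too.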
