Amazon WorkSpaces

1. What is Amazon WorkSpaces?

Amazon WorkSpaces is AWS's Desktop-as-a-Service (DaaS) solution — it delivers fully managed virtual cloud desktops to users anywhere, accessible from any device, without the need to provision or maintain physical hardware.

Traditional desktop problem:
  Buy laptop → IT provisions OS → install apps → ship to user → patch monthly
  User leaves → reclaim hardware → wipe → reimage → store
  Remote work → VPN → slow → security risk → hardware needed

WorkSpaces model:
  User opens client on any device (Windows, Mac, iPad, web browser, Thin Client)
  → Connects to their personal cloud desktop running in AWS
  → Desktop data stays in AWS; only the encrypted pixel/input stream reaches the device (local clipboard, printer and USB redirection are the exceptions and must be policy-controlled)
  → IT manages bundles centrally → deploy to 1 or 10,000 users identically
  → User terminated → disable WorkSpace → done (no hardware retrieval)

WorkSpaces Family Overview

Amazon WorkSpaces Family includes multiple products:
  WorkSpaces Personal    → persistent, dedicated desktops (one user per desktop)
  WorkSpaces Pools       → non-persistent, shared desktops (any user from pool)
  WorkSpaces Thin Client → physical lightweight device for accessing WorkSpaces
  WorkSpaces Web         → browser-based access to internal web apps, now named WorkSpaces Secure Browser (the legacy WorkSpaces Web integration is DEPRECATED → March 31, 2027) [docs.aws.amazon](https://docs.aws.amazon.com/workspaces-thin-client/latest/ag/configuring-WorkSpaces-web.html)
  AppStream 2.0          → stream individual applications (not full desktop)

2. WorkSpaces Personal ⭐

Persistent, dedicated virtual desktops — each WorkSpace assigned to one specific user. Changes persist: user installs an app → it stays next session.

Architecture:
  VPC → private subnet → WorkSpace (AWS-managed instance with an ENI in your subnet, EBS-backed root + user volumes; not listed as an EC2 instance in your account)
  User → WorkSpaces Client (any device) → streaming protocol (DCV or PCoIP)
  → Sees their personal desktop with all their files/apps

Key characteristics:
  Persistent:    user data, apps, settings survive reboots and sessions
  Dedicated:     one WorkSpace = one user (not shared)
  Always available: desktop ready when user connects
  Managed:       AWS handles hypervisor, hardware, OS patching (if enabled)

Operating Systems Available

Windows:
  Windows 11 desktop experience (runs on Windows Server 2022 with Desktop Experience; Microsoft RDS SAL $4.19/month/user)
  Windows 10 desktop experience (runs on Windows Server 2016/2019; RDS SAL applies the same way)
  Windows 10/11 Enterprise as a genuine client OS → BYOL only (see below)

Linux:
  Amazon Linux 2023    ← free, no license cost
  Ubuntu 22.04 LTS     ← free
  Red Hat Enterprise Linux (RHEL) 8
  Rocky Linux 8

BYOL (Bring Your Own License):
  You supply Windows 10/11 Enterprise licenses → AWS hosts them on dedicated hardware → lower per-desktop price and no RDS SAL, but a minimum WorkSpaces commitment per Region and more admin (image import, licensing compliance)

3. WorkSpaces Pools ⭐

Non-persistent, shared desktops — users get a fresh desktop from a pool each session. No data persists between sessions.

Architecture:
  Pool of identical WorkSpace instances → user connects → gets one →
  Session ends → instance wiped → returned to pool for next user

Key characteristics:
  Non-persistent:  session data wiped on logout (no user volume)
  Shared:          multiple users share the same pool of instances
  Scales automatically: pool grows/shrinks based on demand
  Cost-efficient:  pay per session-hour (not per user per month)

User data persistence options:
  Amazon S3 or FSx for Windows: mount as home directory via Group Policy
  → User files in S3/FSx → available every session → desktop still wiped

Use case:
  Task workers: call center agents, retail staff, shift workers
  Contractors: short-term workers who shouldn't retain data
  Kiosk/lab environments: shared stations
  BYOD corporate: employees using personal devices → no corporate data on device

4. Bundles ⭐

A bundle is a fixed combination of vCPU, RAM, storage, and OS. WorkSpaces Personal bundles include a root volume (OS + apps) and user volume (personal data):

WorkSpaces Personal Bundles (Windows, us-east-1)

  Bundle                  vCPU  RAM           Root Vol  User Vol  AlwaysOn/mo  AutoStop (base/mo + per connected hr)
  Value                   1     2 GB          80 GB     10 GB     $23          $7.25  + $0.19/hr
  Standard                2     4 GB          80 GB     50 GB     $33          $9.75  + $0.28/hr
  Performance             2     8 GB          175 GB    100 GB    $60          $13.00 + $0.57/hr
  Power                   4     16 GB         175 GB    100 GB    $79          $13.00 + $0.83/hr
  PowerPro                8     32 GB         175 GB    100 GB    $138         $19.00 + $1.51/hr
  Graphics.g4dn           4     16 GB + GPU   175 GB    100 GB    premium tier (price not listed here)
  GeneralPurpose.4xlarge  16    64 GB         n/a       n/a       enterprise tier (price not listed here)
  GeneralPurpose.8xlarge  32    128 GB        n/a       n/a       enterprise tier (price not listed here)

Windows bundles carry the Microsoft RDS SAL ($4.19/user/month) because the desktop experience runs on Windows Server. Linux bundles (Amazon Linux, Ubuntu): NO Microsoft license cost → cheaper.

WorkSpaces Pools Bundles (per-session pricing)

Standard Pool (2 vCPU, 4 GB RAM, 200 GB root):
  $0.10/hour (active session)
  $0.025/hour (stopped instance, AutoStop mode)
  + $4.19/month/user (Windows RDS SAL)

Graphics Pool (GPU-backed):
  Graphics.g4dn (16 vCPU, 64 GB RAM, 1 GPU): $2.73/hour + $4.19/month/user

No user volume: data goes to S3/FSx

5. Billing Modes ⭐

AlwaysOn (Monthly Billing)

Flat monthly fee per WorkSpace
Instance running 24/7 — always ready, instant login
Best for: users working 160+ hours/month (full-time employees)

Break-even:
  Standard bundle: $33/month vs AutoStop $9.75 + $0.28/hr
  Break-even: ($33 - $9.75) / $0.28 = ~83 hours/month
  → If user works > 83 hrs/month: AlwaysOn is cheaper

AutoStop (Hourly Billing)

Monthly base fee (infrastructure/storage) + hourly rate when connected
Instance stops N minutes after user disconnects (configurable)
Best for: part-time users, shift workers, occasional use

AutoStop idle timeout:
  Default: 1 hour after disconnect → instance stops
  Configurable: 0–24 hours
  Drawback: 1–2 min resume when a stopped WorkSpace starts (the instance is stopped, not terminated; root and user volumes are retained, so apps and files come back)

Break-even (Standard): ~83 hours/month
  < 83 hrs/month → AutoStop cheaper
  > 83 hrs/month → AlwaysOn cheaper [venn](https://www.venn.com/learn/aws-workspace/aws-workspaces-pricing/)
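Worked example, added here and not AWS's code or part of the original notes: the break-even formula above applied to every bundle in the table, a per-mode monthly cost function, and billable_hours, which models the AutoStop detail the section skims over. It assumes (and flags in a comment) that AutoStop is billed for the hours the WorkSpace is running, which includes the idle-timeout window after each disconnect, so a reconnect inside that window keeps the meter running. Prices are the page's us-east-1 Windows figures, not verified current list prices.

```python
# Added worked example (not AWS's code): cost model for WorkSpaces Personal
# AlwaysOn vs AutoStop using the us-east-1 Windows figures quoted in this
# page's bundle table. Re-check the numbers against the AWS pricing page.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BundlePrice:
    always_on_month: float       # flat monthly fee, AlwaysOn
    auto_stop_base_month: float  # monthly base (infrastructure/storage), AutoStop
    auto_stop_hour: float        # per running hour, AutoStop


BUNDLES = {
    "Value":       BundlePrice(23.00, 7.25, 0.19),
    "Standard":    BundlePrice(33.00, 9.75, 0.28),
    "Performance": BundlePrice(60.00, 13.00, 0.57),
    "Power":       BundlePrice(79.00, 13.00, 0.83),
    "PowerPro":    BundlePrice(138.00, 19.00, 1.51),
}
RDS_SAL_MONTH = 4.19     # Microsoft RDS SAL, Windows bundles only
HOURS_PER_MONTH = 730    # average month; upper bound for the sanity check


def break_even_hours(bundle: str) -> float:
    """Running hours/month at which AutoStop costs the same as AlwaysOn."""
    p = BUNDLES[bundle]
    return (p.always_on_month - p.auto_stop_base_month) / p.auto_stop_hour


def monthly_cost(bundle: str, running_hours: float, mode: str, windows: bool = True) -> float:
    """Monthly cost of one WorkSpace in the given running mode (USD, 2 dp)."""
    if not 0 <= running_hours <= HOURS_PER_MONTH:
        raise ValueError(f"running_hours must be within 0..{HOURS_PER_MONTH}")
    p = BUNDLES[bundle]
    if mode == "ALWAYS_ON":
        infra = p.always_on_month
    elif mode == "AUTO_STOP":
        infra = p.auto_stop_base_month + p.auto_stop_hour * running_hours
    else:
        raise ValueError("mode must be ALWAYS_ON or AUTO_STOP")
    return round(infra + (RDS_SAL_MONTH if windows else 0.0), 2)


def recommend(bundle: str, running_hours: float, windows: bool = True) -> dict:
    """Cost both modes for the expected usage and name the cheaper one."""
    costs = {m: monthly_cost(bundle, running_hours, m, windows)
             for m in ("ALWAYS_ON", "AUTO_STOP")}
    return {"bundle": bundle, "running_hours": running_hours, "costs": costs,
            "cheaper": min(costs, key=costs.get),
            "break_even_hours": round(break_even_hours(bundle), 1)}


def billable_hours(sessions, autostop_timeout_minutes: int = 60) -> float:
    """Hours an AutoStop WorkSpace is running for a list of (connect,
    disconnect) datetimes. Assumption: billing follows running time, and the
    desktop keeps running for the idle timeout after each disconnect, so a
    reconnect inside that window extends one running stretch. Overlapping
    windows are merged; AWS's hourly rounding is ignored."""
    if not sessions:
        return 0.0
    timeout = timedelta(minutes=autostop_timeout_minutes)
    windows = sorted((start, end + timeout) for start, end in sessions)
    total = timedelta()
    cur_start, cur_end = windows[0]
    for start, end in windows[1:]:
        if start <= cur_end:            # reconnected before the stop fired
            cur_end = max(cur_end, end)
        else:
            total += cur_end - cur_start
            cur_start, cur_end = start, end
    total += cur_end - cur_start
    return total.total_seconds() / 3600


def sample_sessions() -> list:
    """Constructed day of sessions: 3.5 connected hours across three logins."""
    day = datetime(2025, 1, 6)
    return [(day.replace(hour=9), day.replace(hour=10)),
            (day.replace(hour=10, minute=30), day.replace(hour=12)),
            (day.replace(hour=15), day.replace(hour=16))]


if __name__ == "__main__":
    print("running hours for 3.5 connected hours:", billable_hours(sample_sessions()))
    for hours in (40, 160):
        print(recommend("Standard", hours))
```

The 3.5 connected hours in the sample turn into 6 running hours with the default 60-minute timeout, because the 09:00 and 10:30 sessions merge into one stretch. That gap is why "hours connected" from a sign-in report under-estimates an AutoStop bill, and why a shorter timeout pays off for users who log in briefly many times a day.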

6. Streaming Protocols ⭐

WorkSpaces supports two streaming protocols that carry display, audio and input between the WorkSpace and the user's device; the protocol is fixed per WorkSpace by the bundle you pick:

Amazon DCV (formerly WorkSpaces Streaming Protocol / WSP, built on NICE DCV): recommended

Developed by AWS (NICE DCV came from the NICE Software acquisition)
Default protocol for new WorkSpaces

Features:
  Higher loss/latency tolerance → better for remote users, poor networks [docs.aws.amazon](https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-networking.html)
  Smart card authentication (CAC/PIV cards) → government/enterprise use
  Webcam support in-session [docs.aws.amazon](https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-networking.html)
  SAML 2.0 integration
  Certificate-based authentication
  Web browser access (no client install needed) [docs.aws.amazon](https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-web-access.html)
  USB redirection
  Better GPU/graphics workload performance

Use DCV when:
  Users on high-latency/lossy networks (global teams, home internet)
  Smart card auth required
  Webcam needed in session
  SAML SSO integration needed
  Web Access required [docs.aws.amazon](https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-web-access.html)

PCoIP (PC over IP) — Legacy

Developed by Teradici (owned by HP)
Older protocol — still supported but DCV preferred

Features:
  Excellent image quality on good networks
  Mature protocol with broad client support
  No Web Access support ← major limitation [docs.aws.amazon](https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-web-access.html)
  No smart card support

Limitations vs DCV:
  No web browser access
  Worse performance on high-latency networks
  No webcam support
  No SAML — only AD authentication

Use PCoIP when:
  Legacy deployments already using PCoIP
  Specific PCoIP thin client hardware in place
  No web access needed

Migration: [docs.aws.amazon](https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-web-access.html)
  "For continued Web Access usage, we recommend evaluating migration to DCV"
  → Move all new deployments to DCV
  Feature                 DCV          PCoIP
  Web browser access      ✅           ❌
  Smart card auth         ✅           ❌
  Webcam in-session       ✅           ❌
  SAML 2.0                ✅           ❌
  High-latency tolerance  ✅ High      ❌ Lower
  Recommended             ✅ Default   Legacy only

7. Access Methods

WorkSpaces Client Application

Install native client → connect to WorkSpace
Available for: Windows, macOS, Ubuntu Linux, iOS, Android, ChromeOS
Features: full protocol support (DCV + PCoIP), local device integration

Download: clients.amazonworkspaces.com

Web Access (DCV only)

Open browser → https://clients.amazonworkspaces.com/webclient → enter registration code + credentials → full desktop in browser tab
No client install required
Requires: DCV protocol (not available for PCoIP) [docs.aws.amazon](https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-web-access.html)
Best for: BYOD, kiosk access, Chromebooks
Limitation: some features reduced vs native client (USB, printing)

WorkSpaces Thin Client

Purpose-built lightweight physical device for accessing WorkSpaces:
  Small device (~$200) → plug into monitor + keyboard + mouse
  Boots into WorkSpaces streaming session directly
  No general-purpose OS, no local storage of session data → small attack surface; nothing to recover from a lost device
  IT-managed via AWS console (zero-touch deployment)

End of support: March 31, 2027 → AWS ending WorkSpaces Thin Client [docs.aws.amazon](https://docs.aws.amazon.com/workspaces-thin-client/latest/ag/configuring-WorkSpaces-web.html)
  → Migrate to web access or native client before that date
  → WorkSpaces Secure Browser portal as alternative for web-based needs [docs.aws.amazon](https://docs.aws.amazon.com/workspaces-thin-client/latest/ag/configuring-WorkSpaces-web.html)

Configure: [docs.aws.amazon](https://docs.aws.amazon.com/workspaces/latest/adminguide/access-control-awstc.html)
  Directory level: enable WorkSpaces Thin Client Access
  Group Policy + Security Policy settings required for login to work
  Specific port requirements for streaming

8. Directories (Active Directory) ⭐

WorkSpaces requires an AWS Directory Service for user authentication and desktop management:

Three directory options:

1. AWS Managed Microsoft AD (recommended for enterprises):
   Full Microsoft AD in AWS → join WorkSpaces to domain
   Group Policy, LDAP, Kerberos, MFA support
   Can trust on-premises AD → hybrid identity
   Cost: ~$0.12–$0.31/hr per directory (NOT included in WorkSpaces pricing)
   Use: enterprises with complex AD requirements

2. Simple AD:
   Samba 4-based, Kerberos-compatible
   Subset of Microsoft AD features
   Cost: INCLUDED in WorkSpaces pricing (free) [aws.amazon](https://aws.amazon.com/workspaces/desktop-as-a-service/pricing/)
   Limitations: no Group Policy fine-tuning, no trust relationships
   Use: small deployments, simple authentication

3. AD Connector:
   Proxy to your on-premises AD
   WorkSpaces authenticates against your existing corporate AD
   Cost: INCLUDED in WorkSpaces pricing (free) [aws.amazon](https://aws.amazon.com/workspaces/desktop-as-a-service/pricing/)
   No directory data is stored or cached in AWS; authentication flows over your VPN/Direct Connect to the on-premises DCs (that link is now in the login path)
   Use: organizations with existing on-premises AD that want WorkSpaces

Note: AWS Managed Microsoft AD is NOT included in WorkSpaces pricing — it charges separately. Simple AD and AD Connector ARE included, but only while WorkSpaces are actually using them: after 30 consecutive days with no WorkSpaces in the directory, standard Directory Service rates apply.


9. Networking ⭐

WorkSpaces instances run in a VPC:
  Private subnet(s) — WorkSpaces never have public IPs by default
  Security Groups control network access within VPC

WorkSpaces Streaming (client → desktop):
  Port 443 (TCP): client registration, authentication and session brokering (HTTPS)
  Port 4172 (TCP + UDP): PCoIP streaming traffic (UDP carries the pixel stream)
  Port 4195 (TCP + UDP): DCV streaming traffic (UDP preferred; falls back to TCP when UDP is blocked)
  → These ports must be open outbound from the user's network to the AWS PCoIP/DCV gateway ranges for the Region (published by AWS); blocking UDP degrades DCV and breaks PCoIP
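Worked example, added here and not AWS's code or part of the original notes: the outbound rules each protocol needs, and an audit of a constructed firewall egress export that reports which required rules are missing and what the gap does to sessions. The export format ("allow/deny proto port" lines) is invented for the example; the "DCV degrades to TCP when UDP is blocked" severity is an assumption marked in the code, and the Region-specific gateway destination ranges are deliberately not hard-coded.

```python
# Added example (not AWS's code): required outbound rules per protocol and an
# audit of a constructed egress rule export for gaps that break or degrade
# WorkSpaces sessions. Port numbers are the ones listed above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    port: int


REQUIRED = {
    "DCV":   {Rule("tcp", 443), Rule("tcp", 4195), Rule("udp", 4195)},
    "PCOIP": {Rule("tcp", 443), Rule("tcp", 4172), Rule("udp", 4172)},
}

# Constructed stand-in for a firewall egress export: "<action> <proto> <port>".
SAMPLE_EGRESS = """
allow tcp 443     # HTTPS already open site-wide
allow tcp 4195    # DCV over TCP
deny  udp 4195    # UDP blanket-blocked by the site firewall
allow tcp 4172
"""


def parse_egress(text: str) -> set:
    """Collect the allowed (proto, port) pairs from the export."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, port = line.split()
        if action.lower() == "allow":
            allowed.add(Rule(proto.lower(), int(port)))
    return allowed


def audit_egress(protocol: str, allowed: set) -> list:
    """Return (rule, impact) for each required rule the policy does not allow.
    443 is the control channel; PCoIP needs UDP 4172 for the pixel stream.
    Assumption: a DCV session without UDP still works over TCP, so missing
    UDP 4195 is reported as degraded rather than blocking."""
    findings = []
    for rule in sorted(REQUIRED[protocol] - allowed, key=lambda r: (r.port, r.proto)):
        if rule.port == 443:
            impact = "blocking: client cannot register or authenticate"
        elif protocol == "DCV" and rule.proto == "udp":
            impact = "degraded: DCV falls back to TCP, worse on lossy links"
        else:
            impact = "blocking: no session stream"
        findings.append((rule, impact))
    return findings


def audit_text(protocol: str, text: str) -> list:
    return audit_egress(protocol, parse_egress(text))


if __name__ == "__main__":
    for proto in ("DCV", "PCOIP"):
        print(proto, audit_text(proto, SAMPLE_EGRESS))
```

Run against the sample export, DCV gets one degraded finding (UDP 4195) while PCoIP gets a blocking one (UDP 4172), which is the usual shape of "works from the office on DCV, fails for the PCoIP holdouts" tickets.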

On-premises connectivity:
  VPN or Direct Connect → WorkSpaces in private subnet can access
  on-premises resources (file servers, printers, internal apps)
  AD Connector: proxy authentication to on-premises AD over VPN/DX

Internet access for WorkSpaces:
  Preferred: NAT Gateway in a public subnet → default route from the WorkSpaces subnets → egress only, nothing inbound
  Alternative: directory setting "Internet access: Enable" → each WorkSpace is auto-assigned a public IPv4 address (billed per hour since 2024, and the desktop is reachable from the internet subject to its security group) → avoid unless required
  Either way, restrict egress with the directory's WorkSpaces security group (or a network firewall) rather than leaving it open

10. Security ⭐

Encryption:
  Root volume: encrypted with AWS KMS (optional, enable at creation)
  User volume: encrypted with AWS KMS (optional, enable at creation)
  In-transit: all streaming traffic encrypted (TLS 1.2+)
  Cannot change encryption after WorkSpace created → enable at setup
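Worked example, added here and not AWS's code or part of the original notes: a create_workspaces request that turns on both volume encryptions (the only moment they can be set) and an audit over describe_workspaces output that finds WorkSpaces created without them. The client is injected so the same functions take a real boto3.client("workspaces") or the offline SampleClient stub; the directory, bundle and KMS key identifiers and the SAMPLE_PAGES records are constructed placeholders, and the "timeout in 60-minute steps" rule is from the CreateWorkspaces API description.

```python
# Added example (not AWS's code). Builds the create_workspaces request that
# enables both volume encryptions and audits describe_workspaces output for
# WorkSpaces created without them. Client is injected: boto3 in production,
# SampleClient for an offline dry run. All IDs below are placeholders.
from typing import Any, Optional


def build_create_request(directory_id: str, user_name: str, bundle_id: str,
                         kms_key_arn: str, auto_stop_minutes: int = 60) -> dict:
    """Keyword arguments for client.create_workspaces(**request)."""
    if auto_stop_minutes <= 0 or auto_stop_minutes % 60:
        raise ValueError("AutoStop timeout is configured in 60-minute steps")
    if not kms_key_arn:
        raise ValueError("name the KMS key explicitly so the audit can match it")
    return {"Workspaces": [{
        "DirectoryId": directory_id,
        "UserName": user_name,
        "BundleId": bundle_id,
        "VolumeEncryptionKey": kms_key_arn,
        "RootVolumeEncryptionEnabled": True,   # cannot be switched on later
        "UserVolumeEncryptionEnabled": True,   # cannot be switched on later
        "WorkspaceProperties": {
            "RunningMode": "AUTO_STOP",
            "RunningModeAutoStopTimeoutInMinutes": auto_stop_minutes,
        },
        "Tags": [{"Key": "Owner", "Value": user_name}],
    }]}


def list_all_workspaces(client: Any, directory_id: str) -> list:
    """Page through describe_workspaces for one directory."""
    workspaces, token = [], None
    while True:
        kwargs = {"DirectoryId": directory_id}
        if token:
            kwargs["NextToken"] = token
        resp = client.describe_workspaces(**kwargs)
        workspaces.extend(resp.get("Workspaces", []))
        token = resp.get("NextToken")
        if not token:
            return workspaces


def audit_encryption(workspaces: list, expected_key: Optional[str] = None) -> list:
    """One finding per WorkSpace with an unencrypted volume or, when an
    expected key is given, a different KMS key. No in-place remediation exists."""
    findings = []
    for ws in workspaces:
        root = ws.get("RootVolumeEncryptionEnabled", False)
        user = ws.get("UserVolumeEncryptionEnabled", False)
        problems = []
        if not root:
            problems.append("root volume unencrypted")
        if not user:
            problems.append("user volume unencrypted")
        if expected_key and (root or user) and ws.get("VolumeEncryptionKey") != expected_key:
            problems.append("encrypted with an unexpected KMS key")
        if problems:
            findings.append({"WorkspaceId": ws["WorkspaceId"], "UserName": ws.get("UserName"),
                             "problems": problems,
                             "action": "terminate and recreate with encryption enabled"})
    return findings


EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"  # placeholder

# Constructed describe_workspaces pages; field names mirror the real response.
SAMPLE_PAGES = [
    {"Workspaces": [
        {"WorkspaceId": "ws-0000000a1", "UserName": "alice",
         "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True,
         "VolumeEncryptionKey": EXPECTED_KEY},
        {"WorkspaceId": "ws-0000000b2", "UserName": "bob",
         "RootVolumeEncryptionEnabled": False, "UserVolumeEncryptionEnabled": True,
         "VolumeEncryptionKey": EXPECTED_KEY},
    ], "NextToken": "page-2"},
    {"Workspaces": [{"WorkspaceId": "ws-0000000c3", "UserName": "carol"}]},
]


class SampleClient:
    """Offline stand-in for boto3.client("workspaces") serving SAMPLE_PAGES."""
    def __init__(self, pages):
        self._by_token, token = {}, None
        for page in pages:
            self._by_token[token] = page
            token = page.get("NextToken")

    def describe_workspaces(self, **kwargs):
        return self._by_token[kwargs.get("NextToken")]


def run_audit(client: Any, directory_id: str, expected_key: Optional[str] = None) -> list:
    return audit_encryption(list_all_workspaces(client, directory_id), expected_key)


if __name__ == "__main__":
    for finding in run_audit(SampleClient(SAMPLE_PAGES), "d-0123456789", EXPECTED_KEY):
        print(finding)
```

Swap SampleClient for boto3.client("workspaces") and the same run_audit call produces the list to hand to whoever owns the rebuild; the carol record, with no encryption fields at all, is the shape an older WorkSpace returns, so the audit treats a missing flag as unencrypted rather than skipping it.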

IP Access Control:
  IP access control group: allowlist of CIDRs that can connect
  Applied at directory level → all WorkSpaces in directory inherit
  Use: restrict WorkSpaces access to corporate IP ranges only
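Worked example, added here and not AWS's code or part of the original notes: validate a corporate CIDR allowlist, shape it as the UserRules list that the CreateIpGroup / AuthorizeIpRules APIs take ({'ipRule', 'ruleDesc'}), check a client's source address against it offline, and apply it through an injected client (boto3.client("workspaces") in production, the RecordingClient stub here). The group name, directory ID and sample CIDRs are constructed placeholders; the 10-rules-per-group limit is an assumed default quota.

```python
# Added example (not AWS's code): build, validate, dry-run and apply a
# WorkSpaces IP access control group. IDs and CIDRs are placeholders.
import ipaddress
from typing import Any

MAX_RULES_PER_GROUP = 10   # assumed default per-group quota; confirm in Service Quotas
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_ip_rules(entries) -> tuple:
    """entries: iterable of (cidr, description).
    Returns (rules, warnings); raises ValueError on entries that would
    either fail the API call or silently allow everyone."""
    rules, warnings, seen = [], [], set()
    for cidr, desc in entries:
        net = ipaddress.ip_network(cidr, strict=True)   # host bits set -> ValueError
        if net.version != 4:
            raise ValueError(f"{cidr}: IP access control groups take IPv4 CIDRs")
        if net.prefixlen == 0:
            raise ValueError(f"{cidr}: a /0 rule allows every source and defeats the control")
        if any(net.overlaps(p) for p in RFC1918):
            # WorkSpaces evaluates the client's public source address
            warnings.append(f"{cidr}: private range will not match clients arriving from the internet")
        if net in seen:
            continue
        seen.add(net)
        rules.append({"ipRule": str(net), "ruleDesc": desc})
    if not rules:
        raise ValueError("empty allowlist: every client would be denied")
    if len(rules) > MAX_RULES_PER_GROUP:
        raise ValueError("too many rules for one group; split across several groups")
    return rules, warnings


def is_client_allowed(client_ip: str, rules: list) -> bool:
    """Offline replica of the decision the service makes for a source address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r["ipRule"]) for r in rules)


def apply_ip_group(client: Any, directory_id: str, name: str, rules: list) -> str:
    """Create the group and associate it with the directory, so every
    WorkSpace registered there inherits it. Returns the group ID."""
    resp = client.create_ip_group(GroupName=name, GroupDesc="corporate egress ranges",
                                  UserRules=rules)
    group_id = resp["GroupId"]
    client.associate_ip_groups(DirectoryId=directory_id, GroupIds=[group_id])
    return group_id


class RecordingClient:
    """Stand-in for boto3.client("workspaces") that records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def create_ip_group(self, **kwargs):
        self.calls.append(("create_ip_group", kwargs))
        return {"GroupId": "wsipg-0123456789"}   # placeholder ID

    def associate_ip_groups(self, **kwargs):
        self.calls.append(("associate_ip_groups", kwargs))
        return {}


# Constructed allowlist: documentation ranges standing in for corporate egress.
SAMPLE_ALLOWLIST = [
    ("203.0.113.0/24", "HQ egress"),
    ("198.51.100.8/32", "VPN concentrator"),
    ("203.0.113.0/24", "duplicate of HQ, dropped"),
]

if __name__ == "__main__":
    rules, warnings = build_ip_rules(SAMPLE_ALLOWLIST)
    client = RecordingClient()
    print(apply_ip_group(client, "d-0123456789", "corp-allowlist", rules), warnings)
    print(is_client_allowed("203.0.113.77", rules), is_client_allowed("203.0.114.1", rules))
```

Keep the validation step even when the rules come from a ticket: a single 0.0.0.0/0 entry added "temporarily" turns the control off for the whole directory, and a private range added by someone thinking of the VPN's inside address never matches anyone.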

MFA:
  RADIUS: configure the RADIUS server on the directory (AWS Managed Microsoft AD or AD Connector; not Simple AD) → every WorkSpaces login in that directory prompts for the second factor
  SAML 2.0: federate the directory with an IdP (AD FS, Okta, Entra ID, ...) and let the IdP enforce MFA and device posture
  Smart cards (CAC/PIV): DCV WorkSpaces only

Device access control:
  Trusted devices: deploy a client certificate from your own CA (typically via MDM) and register the CA on the directory → only devices holding a certificate can connect (Windows, macOS and Android clients)
  Device types: allow/deny each client type per directory (Windows, macOS, Linux, iOS, Android, ChromeOS, web, zero client) independently of the certificate check

Data protection (session controls, set by Group Policy / client settings):
  Clipboard: enable/disable copy-paste between local device and WorkSpace
  Printing: enable/disable local printer redirection
  USB: enable/disable USB redirection (DCV)
  → these are the channels through which data does leave AWS; "all data stays in the cloud" only holds if they are locked down and audited

11. WorkSpaces vs AppStream 2.0

  Dimension        WorkSpaces Personal                       WorkSpaces Pools               AppStream 2.0
  Desktop type     Full persistent desktop                   Full non-persistent desktop    Individual applications only
  Persistence      ✅ Per-user persistent                    ❌ Session only                ❌ Session only
  User assignment  1:1 (dedicated)                           Pool (any user)                Pool
  OS               Windows + Linux                           Windows                        Windows (Amazon Linux 2 also supported)
  Use case         Knowledge workers, developers             Task workers, shift workers    Specific app delivery (ERP, design tools)
  Pricing model    Monthly per desktop (or base + hourly)    Hourly per session             Hourly per instance
  Start time       Instant (AlwaysOn) or 1–2 min (AutoStop)  ~30 sec from pool              ~2 min (if cold)

12. Pricing Summary

WorkSpaces Personal (Windows Standard, us-east-1):
  AlwaysOn:  $33.00/month flat + $4.19 RDS SAL = ~$37.19/month total
  AutoStop:  $9.75/month + $0.28/hour connected + $4.19 RDS SAL

WorkSpaces Pools (Windows Standard, us-east-1):
  $0.10/hour active + $0.025/hour stopped (AutoStop)
  + $4.19/month per user who accessed in that month

Linux bundles: NO RDS SAL fee → subtract $4.19/month/user from above

Free Tier: [aws.amazon](https://aws.amazon.com/workspaces/desktop-as-a-service/pricing/)
  Personal: 2 Standard RHEL/Rocky/Ubuntu/Windows/Amazon Linux bundles,
            80 GB root + 50 GB user, hourly mode,
            up to 40 combined hours/month for 3 months
  Pools:    2 Standard Windows bundles, 200 GB root,
            up to 40 combined hours/month for 3 months
  Additional: 5 Performance Ubuntu AutoStop WorkSpaces,
              80 GB root + 100 GB user, 100 hours/month

Cost optimization tips:
  Use Linux bundles where possible (no $4.19/month RDS SAL)
  AutoStop for part-time users, AlwaysOn for full-time (break-even ~83 hrs)
  Right-size bundles: start Standard → upgrade if performance needed
  Use Pools for task workers (hourly vs fixed monthly)
  Delete unused WorkSpaces immediately (still billed if provisioned but unused)

13. Common Mistakes

  ❌ WorkSpaces stores user data locally on the device
  ✅ Desktop data stays in AWS; only the pixel/input stream reaches the device (clipboard, printer and USB redirection are the exceptions and must be policy-controlled)

  ❌ PCoIP and DCV have the same feature set
  ✅ DCV supports web access, smart cards, webcam, SAML; PCoIP does not

  ❌ WorkSpaces Thin Client has long-term support
  ✅ Thin Client support ends March 31, 2027 — plan migration

  ❌ Simple AD has the same features as AWS Managed AD
  ✅ Simple AD is Samba-based — no trust relationships, limited Group Policy, no RADIUS MFA

  ❌ WorkSpaces pricing includes AWS Managed AD
  ✅ AWS Managed AD is NOT included — only Simple AD and AD Connector are free (while WorkSpaces are using them)

  ❌ AutoStop means zero cost when not connected
  ✅ AutoStop has a base infrastructure cost even when stopped ($9.75/month for Standard)

  ❌ Volume encryption can be enabled after the WorkSpace is created
  ✅ Encryption must be enabled at creation — cannot be changed afterwards; an unencrypted WorkSpace has to be rebuilt

  ❌ WorkSpaces Pools store per-user data
  ✅ Pools are non-persistent — session state is wiped after logout; use S3/FSx home folders for persistence

  ❌ AlwaysOn is always cheaper
  ✅ AlwaysOn is only cheaper above ~83 hours/month (Standard) — AutoStop wins for part-time users

  ❌ Web Access works on PCoIP WorkSpaces
  ✅ Web Access requires the DCV protocol — not available for PCoIP

14. Interview Questions Checklist

  • What is Desktop-as-a-Service? How does WorkSpaces implement it?
  • WorkSpaces Personal vs WorkSpaces Pools — key differences?
  • What does "persistent" mean in the context of WorkSpaces Personal?
  • DCV vs PCoIP — three features DCV has that PCoIP lacks
  • Why is DCV recommended for new deployments?
  • AlwaysOn vs AutoStop — break-even calculation for Standard bundle
  • Three directory options — which are included in WorkSpaces pricing?
  • What is the AutoStop idle timeout? What happens when instance stops?
  • How do you persist user data in WorkSpaces Pools? (S3/FSx)
  • How do you restrict WorkSpaces to corporate IP ranges? (IP access control groups)
  • When must you enable volume encryption? (at creation — cannot change after)
  • WorkSpaces Thin Client end-of-support date? (March 31, 2027)
  • WorkSpaces vs AppStream 2.0 — when to use each?
  • What ports must be open for WorkSpaces streaming? (443 TCP; 4172 TCP/UDP for PCoIP; 4195 TCP/UDP for DCV)
  • Windows RDS SAL cost per user? ($4.19/month)
  • Free tier — how many WorkSpaces, how many hours, for how long?