DEV Community

Bassel Al Annan
Methods to Secure Amazon AppStream and Amazon WorkSpaces

Amazon AppStream 2.0 and Amazon WorkSpaces were among the technologies organizations relied on most to keep employees working remotely through the Covid-19 pandemic. Since the pandemic, organizations have come to recognize the broader benefits of cloud Desktop-as-a-Service and application streaming: agility, a fully managed service, reliability, and security. On the security side, most clients have strict regulatory requirements that must be met for compliance reasons. In this post, I will walk you through some best practices for securing Amazon AppStream and Amazon WorkSpaces.

So, what security controls does AWS provide for these services by default?

  1. Security Groups that act as a virtual firewall controlling the traffic for one or more WorkSpaces.
  2. Network ACLs that serve as a second line of defense at the subnet level.
  3. CloudWatch Events to monitor access.
  4. Volume encryption through AWS KMS integration.
  5. A CAPTCHA prompt to limit incorrect login attempts.

However, some regulations require more, so the rest of this post covers additional ways to secure your Amazon AppStream and Amazon WorkSpaces environments.

Restricting Access by IP Address

Although the API endpoints for Amazon AppStream and Amazon WorkSpaces, like those of many other AWS services (Amazon RDS, Amazon S3, AWS Lambda), are public and reachable from the internet, you can still limit access to these services by IP address using the following methods:

  • Amazon WorkSpaces:

Limit access to WorkSpaces with the IP Access Control List feature. It is built into Amazon WorkSpaces and is straightforward to configure directly from the console.

  • Amazon AppStream:

Limit access to AppStream through SAML-based authentication (AD FS, Azure AD, Okta, etc.). This approach requires a source IP-based filter, configured as an inline policy on the SAML 2.0 federation IAM role.

Another option is to use AWS PrivateLink endpoints and connect to your AppStream fleet through AWS VPN.
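The source-IP filter on the SAML federation role, as an added example that is not from the post: it builds the inline policy document and evaluates its `aws:SourceIp` condition locally with a minimal IAM-style evaluator, so a CIDR list can be checked against real client addresses before the policy is attached. The stack ARN and the CIDR ranges are placeholders; the `appstream:userId` / `${saml:sub}` condition is the standard binding of the streaming session to the federated user.

```python
"""Added example: build the source-IP filter policy for the AppStream SAML
federation role and check it locally against candidate client addresses."""
import ipaddress

# Placeholders, not values from the post: an example stack ARN and TEST-NET ranges.
STACK_ARN = "arn:aws:appstream:us-east-1:111122223333:stack/ExampleStack"
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]


def build_policy(stack_arn, cidrs):
    """Inline policy for the SAML 2.0 federation IAM role. The federated user may
    stream from this stack only when the request's source IP is in an allowed range;
    appstream:userId = ${saml:sub} ties the session to the SAML subject."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": stack_arn,
            "Condition": {
                "StringEquals": {"appstream:userId": "${saml:sub}"},
                "IpAddress": {"aws:SourceIp": list(cidrs)},
            },
        }],
    }


def _ip_in(ip, cidrs):
    # A v6 client address is never inside a v4 range (and vice versa).
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def is_allowed(policy, source_ip, resource):
    """Minimal IAM-style evaluation of appstream:Stream for one request: default
    deny, an explicit Deny wins, and a statement applies only if all of its IP
    conditions hold. Only the IpAddress / NotIpAddress operators are modelled."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != "appstream:Stream" or stmt["Resource"] not in ("*", resource):
            continue
        cond = stmt.get("Condition", {})
        if "IpAddress" in cond and not _ip_in(ip, cond["IpAddress"]["aws:SourceIp"]):
            continue
        if "NotIpAddress" in cond and _ip_in(ip, cond["NotIpAddress"]["aws:SourceIp"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```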

Enabling Multi-Factor Authentication

Unfortunately, MFA is still not an out-of-the-box option for either service; however, the following workarounds let you enforce multi-factor authentication.

  • Amazon WorkSpaces:

In WorkSpaces, the only way to enable MFA is through a RADIUS server integrated with either an on-premises AD or an AWS Managed Microsoft AD. With this approach the username and password are first authenticated against your Active Directory, and the RADIUS server is then responsible for validating the one-time password (OTP) generated by an authenticator app such as Google Authenticator. FreeRADIUS is one open-source RADIUS server that can be used for this.
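The OTP check the RADIUS server performs in this design, as an added example that is not from the post: an RFC 6238 TOTP verifier (the scheme Google Authenticator uses) with a one-step skew window and constant-time comparison, so the second factor can be exercised offline. It uses the RFC 6238 reference seed rather than a real enrolment secret; a production deployment would rely on the RADIUS server's own OTP module.

```python
"""Added example: the OTP check the RADIUS server performs in the WorkSpaces MFA
design, reimplemented from RFC 6238 so it can be exercised offline.
A production deployment uses the RADIUS server's own OTP module instead."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference seed (ASCII "12345678901234567890", base32-encoded);
# a real enrolment uses the base32 seed from the authenticator's QR code.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret_b32, submitted, unix_time=None, window=1):
    """Second-factor check after AD has validated the password: accept the code for
    the current step and `window` steps either side (clock skew), compare in
    constant time, and reject anything that is not exactly six ASCII digits."""
    if unix_time is None:
        unix_time = time.time()
    if not (isinstance(submitted, str) and submitted.isascii()
            and submitted.isdigit() and len(submitted) == 6):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```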


  • Amazon AppStream:

Enforcing MFA for Amazon AppStream can only be achieved by configuring SAML 2.0 federation with your corporate directory, so that the identity provider enforces the second factor before issuing the assertion.

Network Protection

We have also seen clients require network filtering on their WorkSpaces and AppStream fleets for compliance and regulatory reasons, such as PCI DSS Requirement 11.4, which requires intrusion detection and intrusion prevention systems. Others want domain name filtering to block specific fully qualified domain names (FQDNs) from being accessed within their VPC.

Previously, clients had to route their ingress and egress traffic through their on-premises firewalls or purchase a firewall appliance subscription from AWS Marketplace to protect their network against Layer 3 to Layer 7 attacks such as IP spoofing, viruses, worms, and trojans. Others relied solely on Security Groups and Network ACLs to block specific IP addresses and ports. Luckily, AWS announced the general availability of AWS Network Firewall in November 2020, which was a game changer for these scenarios. AWS Network Firewall is a fully managed service that helps clients protect the network across their Amazon VPCs and can also act as an IDS/IPS for network flow inspection.


In this post, we have discussed some of the many security solutions that can be applied to both Amazon WorkSpaces and Amazon AppStream 2.0 to give your workforce and organization robust application streaming and desktop-as-a-service environments. I hope this was informative, and stay tuned for more posts.
