Virtual desktop AWS

Q: Is Amazon WorkSpaces HIPAA eligible?

A: Yes. If you have an executed Business Associate Agreement (BAA) with AWS, you can use Amazon WorkSpaces with the AWS accounts associated with your BAA. If you don’t have an executed BAA with AWS, contact us and we will put you in touch with a representative from our AWS sales team. For more information, see HIPAA Compliance.

Q: Is Amazon WorkSpaces PCI compliant?

A: Yes. Amazon WorkSpaces is PCI compliant and conforms to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a proprietary information security standard mandated by the card brands and administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. As with any AWS service, the service's compliance covers the underlying platform; how you configure your WorkSpaces, images and network remains in scope for your own assessment. For more information, see PCI DSS Compliance.

Q: Which credentials should be used to sign in to Amazon WorkSpaces?

A: Users sign in to their WorkSpace using their own unique credentials, which they create after a WorkSpace has been provisioned for them. If you have integrated Amazon WorkSpaces with an existing Active Directory domain, users sign in with their regular Active Directory credentials. Amazon WorkSpaces also integrates with your existing RADIUS server to enable multi-factor authentication (MFA).

Q: Can I control the client devices that access my Amazon WorkSpaces?

A: Yes. You can restrict access to Amazon WorkSpaces based on the client OS type, and using digital certificates. You can choose to block or allow macOS, Microsoft Windows, Linux, iPadOS, Android, Chrome OS, zero client, and the WorkSpaces web access client.

Q: What is a digital certificate?

A: A digital certificate is a digital form of identity that is valid for a specified period of time. It is used as a credential that provides information about the identity of an entity, along with other supporting information. A digital certificate is issued by a certificate authority (CA), and the CA vouches for the validity of the information in the certificate.

Q: What devices use digital certificates to control access to Amazon WorkSpaces?

A: Digital certificates can be used to block or allow WorkSpaces access from macOS, Microsoft Windows, Android, and Android-compatible Chrome OS client devices.

Q: How do I use digital certificates to control access to Amazon WorkSpaces?

A: To use digital certificates to block or allow access to Amazon WorkSpaces, you upload your root certificates to the WorkSpaces management console and distribute client certificates that chain to those roots to the macOS, Windows, Android, and Android-compatible Chrome OS devices you want to trust. To distribute your client certificates, use your preferred solution, such as Microsoft System Center Configuration Manager (SCCM) or mobile device management (MDM) software. For more information, see Restrict WorkSpaces Access to Trusted Devices.

Q: How many root certificates can be imported to an Amazon WorkSpaces directory?

A: For each Amazon WorkSpaces directory, you can import up to two root certificates each for macOS and Microsoft Windows devices. If two root certificates are imported, WorkSpaces presents both root certificates to the client device, and the client device uses the first certificate it holds that chains up to either root certificate.

Q: Can I control client device access to Amazon WorkSpaces without using digital certificates?

A: Yes. You can control access to Amazon WorkSpaces using the device type only.

Q: Can I use digital certificates to control Amazon WorkSpaces access from iPadOS, or zero clients?

A: No. At this time Amazon WorkSpaces can use digital certificates only with macOS, Microsoft Windows, Android, and Android-compatible Chrome OS devices. For iPadOS devices and zero clients, you can restrict access by device type only.

Q: What is Multi-Factor Authentication (MFA)?

A: Multi-Factor Authentication adds an additional layer of security during the authentication process. Users must validate their identity by providing something they know (e.g. a password) as well as something they have (e.g. a one-time password (OTP) generated by a hardware or software token).

Q: What delivery methods are supported for MFA?

A: Amazon WorkSpaces supports one-time passwords generated by hardware and software tokens. Out-of-band tokens, such as codes delivered by SMS, are not currently supported.

Q: Is there support for Google Authenticator and other virtual MFA solutions?

A: Google Authenticator can be used in conjunction with RADIUS. If you are running a Linux-based RADIUS server, you can configure your RADIUS fleet to use Google Authenticator through a PAM (Pluggable Authentication Module) library.
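What the Google Authenticator PAM module on the RADIUS host actually checks is a time-based one-time password (TOTP, RFC 6238) computed from a secret shared with the user's phone. The following is an added Python example, not AWS code and not the google-authenticator-libpam code, that reproduces that check: it derives the code from the secret and the current 30-second time step, tolerates one step of clock drift in either direction, and refuses to accept the same time step twice so an observed code cannot be replayed. The secret is the RFC 4226/6238 test key and the timestamps are constructed, so the values can be checked against the RFCs.

```python
"""Added example: server-side verification of a software OTP (TOTP, RFC 6238)
of the kind a Google Authenticator PAM module performs on a RADIUS host.
Not AWS or google-authenticator-libpam code. The secret is the RFC 4226/6238
test key (ASCII "12345678901234567890"), so the expected codes come from
the RFC test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of the RFC test key


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at) // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps show the secret as unpadded base32, often grouped."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class TotpVerifier:
    """One verifier per user. Remembers the last accepted time step so a
    sniffed or shoulder-surfed code cannot be replayed inside the drift window
    (the behaviour libpam's DISALLOW_REUSE option provides)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30, digits: int = 6):
        self.key = decode_base32_secret(secret_b32)
        self.window, self.step, self.digits = window, step, digits
        self.last_counter = -1

    def verify(self, code: str, at=None) -> bool:
        # Reject anything that is not exactly `digits` ASCII digits before
        # doing any crypto; compare_digest would otherwise raise on odd input.
        if not (isinstance(code, str) and len(code) == self.digits
                and code.isascii() and code.isdigit()):
            return False
        now = time.time() if at is None else at
        counter = int(now) // self.step
        # Check the current step and +/- window neighbours to absorb clock
        # drift between the phone and the RADIUS host.
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # step already consumed (or older): refuse replay
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    key = decode_base32_secret(TEST_SECRET_B32)
    print("code at t=59:", totp(key, 59))          # RFC 6238 vector: 287082
    v = TotpVerifier(TEST_SECRET_B32)
    print("first use accepted:", v.verify("287082", at=59))
    print("replay accepted:", v.verify("287082", at=59))
```

A production module also rate-limits failed attempts and supports one-time scratch codes; those are deliberately left out here. The RADIUS server itself (for example FreeRADIUS with its PAM module enabled) only has to hand the code it receives for the user to this check.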

Q: Which Amazon WorkSpaces client applications support Multi-Factor Authentication (MFA)?

A: MFA is available for Amazon WorkSpaces client applications on the following platforms - Windows, Mac, Linux, Chromebooks, iOS, Fire, Android, and PCoIP Zero Clients. MFA is also supported when using web access to access Amazon WorkSpaces.

Q: What happens if a user forgets the password to access their Amazon WorkSpace?

A: If either AD Connector or AWS Microsoft AD is used to integrate with an existing Active Directory domain, the user would follow your existing lost password process for your domain, such as contacting an internal helpdesk. If the user is using credentials stored in a directory managed by the WorkSpaces service, they can reset their password by clicking on the “Forgot Password” link in the Amazon WorkSpaces client application.

Q: How will Amazon WorkSpaces be protected from malware and viruses?

A: You can install your choice of anti-virus software on your users’ WorkSpaces. The Plus bundle options include anti-virus software; you can find more details on this here. If you install your own anti-virus software, make sure it does not block UDP port 4172 (used by PCoIP) or UDP port 4195 (used by WSP), as this will prevent users from connecting to their WorkSpaces.

Q: How do I remove a user’s access to their Amazon WorkSpace?

A: To remove a user’s access to their WorkSpace, you can disable their account either in the directory managed by the WorkSpaces service, or in an existing Active Directory that you have integrated the WorkSpaces service with.

Q: Does WorkSpaces work with AWS Identity and Access Management (IAM)?

A: Yes. Please see our documentation.

Q: Can I select the Organizational Unit (OU) where computer accounts for my WorkSpaces will be created in my Active Directory?

A: Yes. You can set a default Organizational Unit (OU) in which computer accounts for your WorkSpaces are created in your Active Directory. This OU can be part of the domain to which your users belong, or part of a domain that has a trust relationship with the domain to which your users belong, or part of a child domain in your directory. Please see our documentation for more details.

Q: Can I use Amazon VPC Security groups to limit access to resources (applications, databases) in my network or on the Internet from my WorkSpaces?

A: Yes. You can use Amazon VPC Security groups to limit access to resources in your network or the Internet from your WorkSpaces. You can select a default Amazon VPC Security Group for the WorkSpaces network interfaces in your VPC as part of the directory details on the WorkSpaces console. Please see our documentation for more details.

Q: What is an IP Access Control Group?

A: An IP Access Control Group lets you specify the trusted IP addresses that are permitted to access your WorkSpaces. A group is made up of a set of rules; each rule specifies a single permitted IP address or a range of addresses in CIDR notation. You can create up to 25 IP Access Control groups, with up to 10 rules per group, specifying the IP addresses or ranges from which your Amazon WorkSpaces can be accessed.

Q: Can I implement IP address-based access controls for WorkSpaces?

A: Yes. With this feature you can create up to 25 IP Access Control groups with up to 10 rules per group, specifying the IP addresses or IP ranges from which your Amazon WorkSpaces can be accessed.

Q: How can I implement IP address-based access controls?

A: See IP Access Control Groups for details.

Q: Can IP address-based access controls be used with all WorkSpaces clients?

A: Yes. This feature can be used with the macOS, iPad, Windows desktop, Android tablet, and web access. This feature also supports zero clients using MFA.

Q: Which Zero Client configurations are compatible with the IP Based Access Controls feature?

A: Zero clients using MFA can be used with IP-based access controls, as can any compatible zero clients that do not connect through PCoIP Connection Manager. Connections made through PCoIP Connection Manager cannot access WorkSpaces when IP-based access controls are enabled.

Q: Are there any scenarios where a non-whitelisted IP address could access a WorkSpace?

A: Yes. If web access is enabled and a user connects through the web access client, the IP check is performed when the user’s credentials are validated. If the client’s IP address changes from a whitelisted to a non-whitelisted address after that check and before the WorkSpace session begins to launch, the session is still allowed from the non-whitelisted address. The initial connection always requires a whitelisted IP address.

Q: How are IP addresses whitelisted if users are accessing the WorkSpaces through a Network address translation (NAT)?

A: The feature checks public IP addresses, so if your users sit behind a NAT, you need to whitelist the public addresses the NAT presents. Be aware that this allows every user whose traffic exits through that NAT, not only the users you intend; the rule cannot distinguish between them.

Q: How should IP addresses be whitelisted for VPNs?

A: If you want to allow access from a VPN, add the public IP addresses of the VPN’s egress to the group. Any user whose traffic leaves the VPN through those whitelisted addresses will then pass the IP check.
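The following added Python example (not AWS code) models the IP Access Control Group answers above and the NAT and VPN caveats together: it enforces the 25-group and 10-rule limits, rejects a CIDR whose host bits are set (the typo that silently widens a rule), answers whether a client at a given public IP would pass the check and which rule let it through, and renders the AWS CLI calls that would create and attach the group. The `aws workspaces create-ip-group` and `associate-ip-groups` commands are real; the shorthand argument layout, the directory ID `d-0123456789`, the group names and all addresses are constructed placeholders.

```python
"""Added example: a local model of WorkSpaces IP Access Control Groups.

Not AWS code. Enforces the limits the FAQ states (25 groups per directory,
10 rules per group), answers "would a client at this public IP pass?", and
renders the CLI calls that would create and associate the group. Directory
ID, group names and addresses are constructed placeholders.
"""
import ipaddress
import shlex

MAX_GROUPS_PER_DIRECTORY = 25
MAX_RULES_PER_GROUP = 10


def parse_rule(rule: str):
    """A rule is a single address or a CIDR block. strict=True rejects
    '203.0.113.5/24' (host bits set), a typo that would otherwise be read
    as the whole /24."""
    return ipaddress.ip_network(rule, strict=True)


def is_valid_rule(rule: str) -> bool:
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


class IpGroup:
    def __init__(self, name: str, rules):
        # rules: list of (address-or-cidr, description)
        if len(rules) > MAX_RULES_PER_GROUP:
            raise ValueError(f"{name}: {len(rules)} rules, limit is {MAX_RULES_PER_GROUP}")
        self.name = name
        self.rules = [(parse_rule(cidr), desc) for cidr, desc in rules]

    def match(self, client_ip: str):
        """Return the description of the first rule covering client_ip, else None."""
        addr = ipaddress.ip_address(client_ip)
        for net, desc in self.rules:
            if addr in net:
                return desc
        return None

    def cli_commands(self, directory_id: str):
        """CLI calls to create this group and attach it to a directory.
        Shorthand layout is assumed; the group ID comes from the first call."""
        user_rules = " ".join(
            f"ipRule={net},ruleDesc={shlex.quote(desc)}" for net, desc in self.rules)
        return [
            f"aws workspaces create-ip-group --group-name {shlex.quote(self.name)} "
            f"--user-rules {user_rules}",
            f"aws workspaces associate-ip-groups --directory-id {directory_id} "
            f"--group-ids <GroupId returned above>",
        ]


def directory_permits(groups, client_ip: str):
    """Which group/rule (if any) admits client_ip for a directory with these groups."""
    if len(groups) > MAX_GROUPS_PER_DIRECTORY:
        raise ValueError(f"{len(groups)} groups, limit is {MAX_GROUPS_PER_DIRECTORY}")
    for g in groups:
        desc = g.match(client_ip)
        if desc is not None:
            return f"{g.name}: {desc}"
    return None


# Constructed sample: one NAT egress address and one VPN egress pool.
OFFICE = IpGroup("hq-office", [("198.51.100.7", "HQ NAT egress")])
VPN = IpGroup("corp-vpn", [("192.0.2.0/28", "VPN concentrator public pool")])

if __name__ == "__main__":
    for ip in ("198.51.100.7", "198.51.100.8", "192.0.2.15", "203.0.113.9"):
        # Every user behind the HQ NAT shows up as 198.51.100.7 and is admitted.
        print(ip, "->", directory_permits([OFFICE, VPN], ip))
    print("\n".join(OFFICE.cli_commands("d-0123456789")))
```

The `match` output makes the NAT caveat concrete: a home user and a visitor on the office guest Wi-Fi are indistinguishable once both egress through 198.51.100.7, so pair IP groups with MFA or certificate checks rather than relying on them alone.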

Q: Can I customize the login workflow for my end users' login experience?

A: WorkSpaces supports the use of the URI (uniform resource identifier) WorkSpaces:// to open the WorkSpaces client and optionally enter the registration code, user name, and/or multi-factor authentication (MFA) code (if MFA is used by your organization).

Q: How do I enable URI?

A: You can create your unique URI links by following the WorkSpaces URI formatting documented in Customize How Users Log in to their WorkSpaces in the Amazon WorkSpaces Administration Guide. By providing these links to users, you enable them to use the URI on any device that has the WorkSpaces client installed. URI links can contain human-readable sensitive information if you choose to include the registration code, user name, and/or MFA information, so take precautions with how and with whom you share URI information.