# Data Protection in Amazon WorkSpaces Applications
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon WorkSpaces Applications. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2.
+ Set up API and user activity logging with AWS CloudTrail.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
+ If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-2](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form fields such as a **Name** field. This includes when you work with WorkSpaces Applications or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

**Topics**
+ [Encryption at Rest](encryption-rest.md)
+ [Encryption in Transit](encryption-transit.md)
+ [Administrator Controls](administrator-controls.md)
+ [Application Access](application-access.md)

# Encryption at Rest
<a name="encryption-rest"></a>

WorkSpaces Applications fleet instances are ephemeral in nature. After a user's streaming session is finished, the underlying instance and its associated Amazon Elastic Block Store (Amazon EBS) volume are terminated. In addition, WorkSpaces Applications periodically recycles unused instances for freshness.

When you enable [application settings persistence](how-it-works-app-settings-persistence.md), [home folders](home-folders-admin.md), [session scripts](enable-S3-bucket-storage-session-script-logs.md), or [usage reports](enable-usage-reports.md) for your users, the data that your users generate and that is stored in Amazon Simple Storage Service (Amazon S3) buckets is encrypted at rest. AWS Key Management Service (AWS KMS) combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Amazon S3 uses [AWS managed CMKs](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) to encrypt your Amazon S3 object data.

# Encryption in Transit
<a name="encryption-transit"></a>

The following table provides information about how data is encrypted in transit. Where applicable, other data protection methods for WorkSpaces Applications are also listed.

| Data | Network path | How protected |
| --- | --- | --- |
| Web assets (for example, images and JavaScript files) | Between WorkSpaces Applications users and WorkSpaces Applications | Encrypted using TLS 1.2 |
| Pixel and related streaming traffic | Between WorkSpaces Applications users and WorkSpaces Applications | Encrypted using 256-bit Advanced Encryption Standard (AES-256); transported using TLS 1.2 |
| API traffic | Between WorkSpaces Applications users and WorkSpaces Applications | Encrypted using TLS 1.2; requests to create a connection are signed using SigV4 |
| Application settings and home folder data generated by users (applicable when application settings persistence and home folders are enabled) | Between WorkSpaces Applications users and Amazon S3 | Encrypted using Amazon S3 SSL endpoints |
| WorkSpaces Applications-managed traffic | Between WorkSpaces Applications streaming instances and: [See the AWS documentation website for more details](http://docs.aws.amazon.com/appstream2/latest/developerguide/encryption-transit.html) | Encrypted using TLS 1.2; requests to create a connection are signed using SigV4 where applicable |

# Administrator Controls
<a name="administrator-controls"></a>

WorkSpaces Applications provides administrative controls that you can use to limit the ways in which users can transfer data between their local computer and a WorkSpaces Applications fleet instance. You can limit or disable the following when you [create or update a WorkSpaces Applications stack](set-up-stacks-fleets-install.md):
+ Clipboard/copy and paste actions
+ File upload and download, including folder and drive redirection
+ Printing
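The stack settings listed above can be applied without the console. The following script is an added example and is not part of the WorkSpaces Applications documentation: it disables clipboard transfer in both directions, file upload and download, and local printing on one stack through the AWS CLI, then reads the settings back to confirm the change. It assumes the AWS CLI is installed and credentialed, that the `appstream` CLI namespace applies to WorkSpaces Applications stacks (the service's API name), and that `example-stack` is a placeholder you replace with your own stack name.

```powershell
# Added example: turn off local-device data transfer on a stack via the AWS CLI.
# Assumptions: AWS CLI v2 on PATH with credentials that allow appstream:UpdateStack and
# appstream:DescribeStacks; the stack name below is a placeholder.
$StackName = 'example-stack'   # placeholder: replace with your stack name

# One entry per user setting. Permission is ENABLED or DISABLED; anything not listed
# keeps its current value on the stack.
$userSettings = @(
    @{ Action = 'CLIPBOARD_COPY_FROM_LOCAL_DEVICE'; Permission = 'DISABLED' }   # paste into the session
    @{ Action = 'CLIPBOARD_COPY_TO_LOCAL_DEVICE';   Permission = 'DISABLED' }   # copy out of the session
    @{ Action = 'FILE_UPLOAD';                      Permission = 'DISABLED' }
    @{ Action = 'FILE_DOWNLOAD';                    Permission = 'DISABLED' }
    @{ Action = 'PRINTING_TO_LOCAL_DEVICE';         Permission = 'DISABLED' }
)

# The CLI accepts the UserSettings list as a JSON file; write it to a temp file.
$settingsFile = Join-Path $env:TEMP 'stack-user-settings.json'
$userSettings | ConvertTo-Json | Set-Content -Path $settingsFile -Encoding ascii

aws appstream update-stack --name $StackName --user-settings "file://$settingsFile"

# Read the stack back and show the effective settings so the change is verified, not assumed.
$stack = aws appstream describe-stacks --names $StackName --output json | ConvertFrom-Json
$stack.Stacks[0].UserSettings | Format-Table Action, Permission -AutoSize

Remove-Item $settingsFile -ErrorAction SilentlyContinue
```

Folder and drive redirection rides on the file upload and download settings, so disabling those two covers the redirection case named in the list; USB device redirection is configured separately, on the image, as described below.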

When you create a WorkSpaces Applications image, you can specify which USB devices are available to redirect to WorkSpaces Applications fleet instances from the WorkSpaces Applications client for Windows. The USB devices that you specify are available for use during users' WorkSpaces Applications streaming sessions. For more information, see [Qualify USB Devices for Use with Streaming Applications](qualify-usb-devices.md).

# Application Access
<a name="application-access"></a>

By default, WorkSpaces Applications enables the applications that you specify in your image to launch other applications and executable files on the image builder and fleet instance. This ensures that applications with dependencies on other applications (for example, an application that launches the browser to navigate to a product website) function as expected. Make sure that you configure your administrative controls, security groups, and other security software to grant users the minimum permissions required to access resources and transfer data between their local computers and fleet instances.

You can use application control software, such as [Microsoft AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview), and policies to control which applications and files your users can run. Application control software and policies help you control the executable files, scripts, Windows installer files, dynamic-link libraries, and application packages that your users can run on WorkSpaces Applications image builders and fleet instances.

**Note**  
The WorkSpaces Applications agent software relies on the Windows command prompt and Windows PowerShell to provision streaming instances. If you choose to prevent users from launching the Windows command prompt or Windows PowerShell, the policies must not apply to the Windows NT AUTHORITY\SYSTEM account or to users in the Administrators group.

| Rule type | Action | Windows user or group | Name/Path | Condition | Description |
| --- | --- | --- | --- | --- | --- |
| Executable | Allow | NT AUTHORITY\System | \* | Path | Required for the WorkSpaces Applications agent software |
| Executable | Allow | BUILTIN\Administrators | \* | Path | Required for the WorkSpaces Applications agent software |
| Executable | Allow | Everyone | %PROGRAMFILES%\nodejs\\\* | Path | Required for the WorkSpaces Applications agent software |
| Executable | Allow | Everyone | %PROGRAMFILES%\NICE\\\* | Path | Required for the WorkSpaces Applications agent software |
| Executable | Allow | Everyone | %PROGRAMFILES%\Amazon\\\* | Path | Required for the WorkSpaces Applications agent software |
| Executable | Allow | Everyone | %PROGRAMFILES%\\<default-browser>\\\* | Path | Required for the WorkSpaces Applications agent software when persistent storage solutions, such as Google Drive or Microsoft OneDrive for Business, are used. This exception is not required when WorkSpaces Applications home folders are used. |
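The rules in the table are path-based allow rules in AppLocker's Executable collection. The script below is an added example, not code from the WorkSpaces Applications documentation or the agent: it writes those rules into an AppLocker policy file, evaluates the file against the executables actually present under the agent folders for an ordinary user, and leaves the apply step commented so the policy is reviewed before it is enforced. It assumes an elevated PowerShell session on the image builder with the AppLocker module available; the `Google\Chrome` folder stands in for `<default-browser>` and is an assumption you replace with the browser installed in your image.

```powershell
# Added example: build, audit and (optionally) apply the AppLocker allow rules from the table.
# Assumptions: elevated session on the image builder; AppLocker cmdlets available;
# $DefaultBrowserFolder is a placeholder for the <default-browser> row.
$DefaultBrowserFolder = 'Google\Chrome'   # assumption: replace with your image's browser folder

# AppLocker stores principals as SIDs, not names. These are the well-known SIDs for the
# three principals named in the table.
$SidSystem         = 'S-1-5-18'      # NT AUTHORITY\SYSTEM
$SidAdministrators = 'S-1-5-32-544'  # BUILTIN\Administrators
$SidEveryone       = 'S-1-1-0'       # Everyone

$agentDesc = 'Required for the WorkSpaces Applications agent software'

# One entry per table row: all Path conditions, all Allow, all in the Exe collection.
# %PROGRAMFILES% is an AppLocker path variable and is resolved by AppLocker at evaluation time.
$rules = @(
    @{ Name = 'Agent: SYSTEM';         Sid = $SidSystem;         Path = '*';                        Desc = $agentDesc }
    @{ Name = 'Agent: Administrators'; Sid = $SidAdministrators; Path = '*';                        Desc = $agentDesc }
    @{ Name = 'Agent: nodejs';         Sid = $SidEveryone;       Path = '%PROGRAMFILES%\nodejs\*';  Desc = $agentDesc }
    @{ Name = 'Agent: NICE';           Sid = $SidEveryone;       Path = '%PROGRAMFILES%\NICE\*';    Desc = $agentDesc }
    @{ Name = 'Agent: Amazon';         Sid = $SidEveryone;       Path = '%PROGRAMFILES%\Amazon\*';  Desc = $agentDesc }
    @{ Name = 'Default browser';       Sid = $SidEveryone;       Path = "%PROGRAMFILES%\$DefaultBrowserFolder\*"
       Desc = 'Needed only when Google Drive or OneDrive for Business persistent storage is used' }
)

function New-FilePathRuleXml {
    param([hashtable]$Rule)
    # Every rule needs its own GUID. Attribute values are XML-escaped so a name or path
    # containing '&' or '<' cannot break the policy document.
    $id  = [guid]::NewGuid().ToString()
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }
    @"
    <FilePathRule Id="$id" Name="$(& $esc $Rule.Name)" Description="$(& $esc $Rule.Desc)" UserOrGroupSid="$($Rule.Sid)" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$(& $esc $Rule.Path)" />
      </Conditions>
    </FilePathRule>
"@
}

# Start in AuditOnly: rule matches and would-be blocks are written to the
# Microsoft-Windows-AppLocker/EXE and DLL event log without stopping anything.
# Change to EnforcementMode="Enabled" only after reviewing those events.
$ruleXml   = ($rules | ForEach-Object { New-FilePathRuleXml $_ }) -join "`n"
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$ruleXml
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'workspaces-apps-applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: evaluate the policy against executables present under the agent folders as an
# ordinary user. Anything reported as Denied here would be blocked once enforcement is on.
Get-ChildItem "$env:ProgramFiles\Amazon", "$env:ProgramFiles\NICE", "$env:ProgramFiles\nodejs" `
        -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply step, merging with whatever local policy already exists. Enforcement also requires
# the Application Identity service (AppIDSvc) to be running on the instance.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Because the first two rows allow SYSTEM and Administrators everywhere, the note above is satisfied automatically: a deny rule on cmd.exe or powershell.exe scoped to Everyone still leaves the agent's own provisioning steps unaffected, since AppLocker applies the most specific matching allow for the principal being evaluated.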