

# Infrastructure Security in Amazon WorkSpaces Applications
<a name="infrastructure-security"></a>

As a managed service, Amazon WorkSpaces Applications is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in the *Security Pillar - AWS Well-Architected Framework*.

You use AWS published API calls to access WorkSpaces Applications through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
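The two client requirements above (TLS 1.2 as the floor, ephemeral (EC)DHE key exchange only) can be pinned on the client side and verified without opening a connection. This is an added example using the Python standard library, not code from the page; the cipher string is one reasonable OpenSSL policy, not a list the service publishes.

```python
import ssl


def configure_pfs_context():
    """Client TLS policy matching the stated requirement: TLS 1.2 minimum, PFS key exchange only."""
    ctx = ssl.create_default_context()            # certificate verification against the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 are refused outright
    # OpenSSL cipher string: only ECDHE/DHE with AEAD ciphers for TLS 1.2.
    # TLS 1.3 suites are not affected by set_ciphers() and are always ephemeral.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def _is_pfs(cipher):
    """TLS 1.3 suites are always (EC)DHE; for TLS 1.2 the suite name carries the key exchange."""
    return cipher["protocol"] == "TLSv1.3" or cipher["name"].startswith(("ECDHE-", "DHE-"))


def tls_policy_report(ctx):
    """Summarise a context so a deployment check can assert on it offline."""
    suites = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "suite_count": len(suites),
        "non_pfs": sorted(c["name"] for c in suites if not _is_pfs(c)),
    }


if __name__ == "__main__":
    print(tls_policy_report(configure_pfs_context()))
```

Any suite listed under `non_pfs` (for example a plain RSA key-exchange suite) would be rejected by the service's requirement, so a non-empty list is the finding to act on.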

The following topics provide additional information about WorkSpaces Applications infrastructure security.

**Topics**
+ [Network Isolation](network-isolation.md)
+ [Isolation on Physical Hosts](physical-isolation.md)
+ [Controlling Network Traffic](control-network-traffic.md)
+ [WorkSpaces Applications Interface VPC Endpoints](interface-vpc-endpoints.md)
+ [Protecting Data in Transit with FIPS Endpoints](protecting-data-in-transit-FIPS-endpoints.md)

# Network Isolation
<a name="network-isolation"></a>

A virtual private cloud (VPC) is a virtual network in your own logically isolated area in the Amazon Web Services Cloud. Use separate VPCs to isolate infrastructure by workload or organizational entity.

A subnet is a range of IP addresses in a VPC. When you launch an instance, you launch it into a subnet in your VPC. Use subnets to isolate the tiers of your application (for example, web, application, and database) within a single VPC. Use private subnets for your instances if they should not be accessed directly from the internet.

You can stream from WorkSpaces Applications streaming instances in your VPC without going through the public internet. To do so, use an interface VPC endpoint (interface endpoint). For more information, see [Tutorial: Creating and Streaming from Interface VPC Endpoints](creating-streaming-from-interface-vpc-endpoints.md).

You can also call WorkSpaces Applications API operations from your VPC without sending traffic over the public internet by using an interface endpoint. For information, see [Access WorkSpaces Applications API Operations and CLI Commands Through an Interface VPC Endpoint](access-api-cli-through-interface-vpc-endpoint.md).

# Isolation on Physical Hosts
<a name="physical-isolation"></a>

Different streaming instances on the same physical host are isolated from each other as though they are on separate physical hosts. The hypervisor isolates CPU and memory, and the instances are provided virtualized disks instead of access to the raw disk devices.

When you stop or terminate a streaming instance, the memory allocated to it is scrubbed (meaning, it's set to zero) by the hypervisor before it is allocated to a new instance, and every block of storage is reset. This ensures that your data is not exposed to another instance. 

# Controlling Network Traffic
<a name="control-network-traffic"></a>

To help control network traffic to your WorkSpaces Applications streaming instances, consider these options:
+ When you launch an Amazon AppStream streaming instance, you launch it into a subnet in your VPC. You can deploy streaming instances in a private subnet if they should not be accessible from the internet.
+ To provide internet access to your streaming instances in a private subnet, use a NAT gateway. For more information, see [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md).
+ Security groups that belong to your VPC let you control the network traffic between WorkSpaces Applications streaming instances and VPC resources such as license servers, file servers, and database servers. Security groups also isolate traffic between your streaming instances and WorkSpaces Applications management services. 

  Use security groups to restrict access to your streaming instances. For example, you can allow traffic only from the address ranges for your corporate network. For more information, see [Security Groups in Amazon WorkSpaces Applications](managing-network-security-groups.md). 
+ You can stream from WorkSpaces Applications streaming instances in your VPC without going through the public internet. To do so, use an interface VPC endpoint (interface endpoint). For more information, see [Tutorial: Creating and Streaming from Interface VPC Endpoints](creating-streaming-from-interface-vpc-endpoints.md).

  You can also call WorkSpaces Applications API operations from your VPC without sending traffic over the public internet by using an interface endpoint. For more information, see [Access WorkSpaces Applications API Operations and CLI Commands Through an Interface VPC Endpoint](access-api-cli-through-interface-vpc-endpoint.md).
+ Use IAM roles and policies to manage administrator access to WorkSpaces Applications, Application Auto Scaling, and Amazon S3 buckets. For more information, see the following topics:
  + [Using AWS Managed Policies and Linked Roles to Manage Administrator Access to WorkSpaces Applications Resources](controlling-administrator-access-with-policies-roles.md)
  + [Using IAM Policies to Manage Administrator Access to Application Auto Scaling](autoscaling-iam-policy.md)
  + [Restricting Administrator Access to the Amazon S3 Bucket for Home Folders and Application Settings Persistence](s3-iam-policy-restricted-access.md)
+ You can use SAML 2.0 to federate authentication to WorkSpaces Applications. For more information, see [Setting Up SAML](external-identity-providers-setting-up-saml.md).
**Note**  
For smaller WorkSpaces Applications deployments, you can use WorkSpaces Applications user pools. By default, user pools support a maximum of 50 users. For more information about WorkSpaces Applications quotas (also referred to as limits), see [Amazon WorkSpaces Applications Service Quotas](limits.md). For deployments that must support 100 or more WorkSpaces Applications users, we recommend using SAML 2.0.

# WorkSpaces Applications Interface VPC Endpoints
<a name="interface-vpc-endpoints"></a>

A virtual private cloud (VPC) is a virtual network in your own logically isolated area in the Amazon Web Services Cloud. If you use Amazon Virtual Private Cloud to host your AWS resources, you can establish a private connection between your VPC and WorkSpaces Applications. You can use this connection to enable WorkSpaces Applications to communicate with your resources on your VPC without going through the public internet.

Interface endpoints are powered by AWS PrivateLink, a technology that lets you keep streaming traffic within a VPC that you specify by using private IP addresses. When you use the VPC with an AWS Direct Connect or AWS Virtual Private Network tunnel, you can keep the streaming traffic within your network.

The following topics provide information about WorkSpaces Applications interface endpoints.

**Topics**
+ [Tutorial: Creating and Streaming from Interface VPC Endpoints](creating-streaming-from-interface-vpc-endpoints.md)
+ [Access WorkSpaces Applications API Operations and CLI Commands Through an Interface VPC Endpoint](access-api-cli-through-interface-vpc-endpoint.md)

# Tutorial: Creating and Streaming from Interface VPC Endpoints
<a name="creating-streaming-from-interface-vpc-endpoints"></a>

You can use an interface VPC endpoint in your Amazon Web Services account to restrict all network traffic between your Amazon VPC and WorkSpaces Applications to the Amazon network. After you create this endpoint, you configure your WorkSpaces Applications stack or image builder to use it. 

**Prerequisites**

Before you set up interface VPC endpoints for WorkSpaces Applications, be aware of the following prerequisites:
+ Internet connectivity is required to authenticate users and deliver the web assets that WorkSpaces Applications requires to function. The streaming interface endpoint keeps the streaming traffic within your VPC. Streaming traffic includes pixel, USB, user input, audio, clipboard, file upload and download, and printer traffic. To allow this traffic, you must allow the domains listed in [Allowed Domains](allowed-domains.md). After creating the VPC endpoint, you must still allow the WorkSpaces Applications user authentication domains. However, for the streaming gateways, you can restrict access to just `<vpc-endpoint-id>.streaming.appstream.<aws-region>.vpce.amazonaws.com`. Allow-listing `*.amazonappstream.com` is not required; the fully qualified domain name of the VPC endpoint replaces that dependency.
+ The network to which your users' devices are connected must be able to route traffic to the interface endpoint.
+ The security groups that are associated with the interface endpoint must allow inbound access to port 443 (TCP) and ports 1400-1499 (TCP) from the IP address range from which your users connect.
+ The network access control list for the subnets must allow outbound traffic from ephemeral network ports 1024-65535 (TCP) to the IP address range from which your users connect.
+ You must have an IAM permissions policy in your AWS account that provides permissions to perform the `ec2:DescribeVpcEndpoints` API action. By default, this permission is defined in the IAM policy that is attached to the AmazonAppStreamServiceAccess role. If you have the required permissions, this service role is automatically created by WorkSpaces Applications, with the required IAM policies attached, when you get started with the WorkSpaces Applications service in an AWS Region. For more information, see [Identity and Access Management for Amazon WorkSpaces Applications](controlling-access.md).

**To create an interface endpoint**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**, **Create Endpoint**.

1. Choose **Create Endpoint**.

1. For **Service category**, ensure that **AWS services** is selected.

1. For **Service Name**, choose `com.amazonaws.<AWS Region>.appstream.streaming`.

1. Specify the following information. When you're done, choose **Create endpoint**. 
   + For **VPC**, choose a VPC in which to create the interface endpoint. You can choose a different VPC than the VPC with WorkSpaces Applications resources.
   + For **Subnets**, choose the subnets (Availability Zones) in which to create the endpoint network interfaces. We recommend that you choose subnets in at least two Availability Zones.
   + For **IP address type**, choose either IPv4 or IPv6.
   + Ensure that the **Enable Private DNS Name** check box is selected. 
**Note**  
If your users use a network proxy to access streaming instances, disable any proxy caching on the domain and DNS names that are associated with the private endpoint. The VPC endpoint DNS name should be allowed through the proxy.
   + For **Security group**, choose the security groups to associate with the endpoint network interfaces. 
**Note**  
The security groups must provide inbound access to the ports from the IP address range from which your users connect.

While your interface endpoint is being created, the status of the endpoint in the console appears as **Pending**. After your endpoint is created, the status changes to **Available**.

To update a stack to use the interface endpoint that you created for streaming sessions, perform the following steps.

**To update a stack to use a new interface endpoint**

1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2/home](https://console.aws.amazon.com/appstream2/home).

   Ensure that you open the console in the same AWS Region as the interface endpoint that you want to use.

1. In the navigation pane, choose **Stacks**, and then choose the stack that you want.

1. Choose the **VPC Endpoints** tab, and then choose **Edit**.

1. In the **Edit VPC Endpoint** dialog box, for **Streaming Endpoint**, choose the endpoint through which to stream traffic.

1. Choose **Update**.

Traffic for new streaming sessions will be routed through this endpoint. However, traffic for current streaming sessions continues to be routed through the previously specified endpoint.

**Note**  
Users cannot stream using the internet endpoint when an interface endpoint is specified.

# Access WorkSpaces Applications API Operations and CLI Commands Through an Interface VPC Endpoint
<a name="access-api-cli-through-interface-vpc-endpoint"></a>

If you use Amazon Virtual Private Cloud to host your AWS resources, you can connect directly to WorkSpaces Applications API operations or command line interface (CLI) commands through an [interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html) (interface endpoint) in your virtual private cloud (VPC) instead of connecting over the internet. Interface endpoints are powered by AWS PrivateLink, a technology that lets you keep streaming traffic within a VPC that you specify by using private IP addresses. When you use an interface endpoint, communication between your VPC and WorkSpaces Applications is conducted entirely and securely within the AWS network.

**Note**  
This topic describes how to access the WorkSpaces Applications API operations and CLI commands through an interface endpoint. For information about how to create and stream from WorkSpaces Applications interface endpoints, see [Tutorial: Creating and Streaming from Interface VPC Endpoints](creating-streaming-from-interface-vpc-endpoints.md).

**Prerequisites**

To use interface endpoints, you must meet the following prerequisites:
+ The security groups that are associated with the interface endpoint must allow inbound access to port 443 (TCP) from the IP address range from which your users connect.
+ The network access control list for the subnets must allow outbound traffic from ephemeral network ports 1024-65535 (TCP) to the IP address range from which your users connect.
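The security group prerequisites for both endpoint types (443 plus 1400-1499 TCP for the streaming endpoint in the earlier tutorial, 443 TCP alone for the API endpoint here) can be audited from the output of `ec2 describe-security-groups`. This is an added check, not code from the page; the group below and the corporate range `10.20.0.0/16` are constructed samples.

```python
import ipaddress

# Inbound TCP ranges the prerequisites require on the endpoint's security group.
STREAMING_ENDPOINT_PORTS = ((443, 443), (1400, 1499))   # com.amazonaws.<region>.appstream.streaming
API_ENDPOINT_PORTS = ((443, 443),)                       # com.amazonaws.<region>.appstream.api
ANYWHERE = ("0.0.0.0/0", "::/0")


def _rule_cidrs(rule):
    """Every CIDR an ingress rule (describe-security-groups shape) admits."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _rule_covers(rule, lo, hi, user_net):
    """True if the rule spans TCP ports lo..hi and admits the whole user network."""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if rule["FromPort"] > lo or rule["ToPort"] < hi:
            return False
    elif proto != "-1":                       # "-1" means all protocols and all ports
        return False
    for cidr in _rule_cidrs(rule):
        net = ipaddress.ip_network(cidr)
        if net.version == user_net.version and net.supernet_of(user_net):
            return True
    return False


def check_endpoint_sg(sg, required_ports, user_cidr):
    """Report required port ranges no rule admits from user_cidr, plus rules open to the world."""
    user_net = ipaddress.ip_network(user_cidr)
    rules = sg.get("IpPermissions", [])
    missing = [(lo, hi) for lo, hi in required_ports
               if not any(_rule_covers(r, lo, hi, user_net) for r in rules)]
    too_open = [(r.get("FromPort"), r.get("ToPort"), c)
                for r in rules for c in _rule_cidrs(r) if c in ANYWHERE]
    return {"missing": missing, "too_open": too_open}


# Constructed sample group: 443 scoped to the corporate range, 1400-1499 left open to the internet.
SAMPLE_SG = {
    "GroupId": "sg-0constructed",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 1400, "ToPort": 1499,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print(check_endpoint_sg(SAMPLE_SG, STREAMING_ENDPOINT_PORTS, "10.20.0.0/16"))
    # -> {'missing': [], 'too_open': [(1400, 1499, '0.0.0.0/0')]}
    print(check_endpoint_sg(SAMPLE_SG, STREAMING_ENDPOINT_PORTS, "10.30.0.0/16"))
    # -> {'missing': [(443, 443)], 'too_open': [(1400, 1499, '0.0.0.0/0')]}
```

An entry in `too_open` satisfies the port prerequisite but not the earlier advice to admit only your corporate address ranges; an entry in `missing` means sessions from that range cannot reach the endpoint at all.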

**Topics**
+ [Create an Interface Endpoint to Access WorkSpaces Applications API Operations and CLI Commands](access-api-cli-through-interface-vpc-endpoint-create-interface-endpoint.md)
+ [Use an Interface Endpoint to Access WorkSpaces Applications API Operations and CLI Commands](how-to-access-api-cli-through-interface-vpc-endpoint.md)

# Create an Interface Endpoint to Access WorkSpaces Applications API Operations and CLI Commands
<a name="access-api-cli-through-interface-vpc-endpoint-create-interface-endpoint"></a>

Perform the following steps to create an interface endpoint.

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**, **Create Endpoint**.

1. Choose **Create Endpoint**.

1. For **Service category**, ensure that **AWS services** is selected.

1. For **Service Name**, choose `com.amazonaws.<AWS Region>.appstream.api`.

1. Specify the following information. When you're done, choose **Create endpoint**. 
   + For **VPC**, select a VPC in which to create the interface endpoint. 
   + For **Subnets**, select the subnets (Availability Zones) in which to create the endpoint network interfaces. We recommend that you choose subnets in at least two Availability Zones.
   + Optionally, you can select the **Enable Private DNS Name** check box.
**Note**  
If you select this option, ensure that you configure VPC and DNS as needed to support private DNS. For more information, see [Private DNS](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-private-dns) in the *Amazon VPC User Guide*.
   + For **Security group**, select the security groups to associate with the endpoint network interfaces. 
**Note**  
The security groups must provide inbound access to the ports from the IP address range from which your users connect.

While your interface endpoint is being created, the status of the endpoint in the console appears as **Pending**. After your endpoint is created, the status changes to **Available**.

# Use an Interface Endpoint to Access WorkSpaces Applications API Operations and CLI Commands
<a name="how-to-access-api-cli-through-interface-vpc-endpoint"></a>

After the status of the interface VPC endpoint that you create changes to **Available**, you can use the endpoint to access WorkSpaces Applications API operations and CLI commands. To do so, specify the `endpoint-url` parameter with the DNS name of the interface endpoint when you use these operations and commands. The DNS name is publicly resolvable, but it only successfully routes traffic in your VPC. 

The following example shows how to specify the DNS name of the interface endpoint when you use the **describe-fleets** CLI command:

```bash
aws appstream describe-fleets --endpoint-url https://<vpc-endpoint-id>.api.appstream.<aws-region>.vpce.amazonaws.com
```

The following example shows how to specify the DNS name of the interface endpoint when you instantiate the WorkSpaces Applications Boto3 Python client:

```python
import boto3

# endpoint_url must be a full URL including the scheme; the DNS name alone is rejected by the SDK.
appstream2client = boto3.client(
    'appstream',
    region_name='<aws-region>',
    endpoint_url='https://<vpc-endpoint-id>.api.appstream.<aws-region>.vpce.amazonaws.com'
)
```

Subsequent commands using the `appstream2client` object automatically use the interface endpoint that you specified.

If you enabled the private DNS host names on the interface endpoint, you don’t need to specify the endpoint URL. The WorkSpaces Applications API DNS host name that the API and CLI use by default resolves within your VPC. For more information about private DNS host names, see [Private DNS](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-private-dns) in the *Amazon VPC User Guide*.
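Whether a client needs `endpoint-url` at all follows from the `ec2:DescribeVpcEndpoints` data mentioned in the prerequisites: an available interface endpoint for `appstream.api` with private DNS enabled needs nothing extra, one without it needs its regional DNS name as the URL, and no endpoint means calls leave the VPC. This is an added example, not code from the page; `SAMPLE_RESPONSE` is a constructed stand-in for the dict that boto3's `ec2.describe_vpc_endpoints()` returns, with the endpoint ids and DNS suffixes made up.

```python
import re

# Constructed stand-in for ec2.describe_vpc_endpoints() output. The zonal DNS entry of the
# API endpoint is listed first on purpose to show that the regional name is still chosen.
SAMPLE_RESPONSE = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaaa", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.appstream.streaming", "PrivateDnsEnabled": True,
     "DnsEntries": [{"DnsName": "vpce-0aaaa-1111.streaming.appstream.us-east-1.vpce.amazonaws.com"}]},
    {"VpcEndpointId": "vpce-0bbbb", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.appstream.api", "PrivateDnsEnabled": False,
     "DnsEntries": [
         {"DnsName": "vpce-0bbbb-2222-us-east-1a.api.appstream.us-east-1.vpce.amazonaws.com"},
         {"DnsName": "vpce-0bbbb-2222.api.appstream.us-east-1.vpce.amazonaws.com"}]},
]}


def pick_endpoint(response, region, service="api"):
    """Decide how a client inside the VPC should reach the WorkSpaces Applications service.

    Returns (mode, url):
      ("endpoint-url", "https://...")  pass url as endpoint_url / --endpoint-url
      ("private-dns", None)            private DNS is on; the default hostname already resolves in-VPC
      ("public", None)                 no available interface endpoint; calls would leave the VPC
    """
    wanted = f"com.amazonaws.{region}.appstream.{service}"
    zonal = re.compile(rf"-{re.escape(region)}[a-z]$")   # first label of AZ-specific names
    for ep in response.get("VpcEndpoints", []):
        if (ep.get("VpcEndpointType") != "Interface" or ep.get("State") != "available"
                or ep.get("ServiceName") != wanted):
            continue
        if ep.get("PrivateDnsEnabled"):
            return ("private-dns", None)
        for entry in ep.get("DnsEntries", []):
            first_label = entry["DnsName"].split(".", 1)[0]
            if not zonal.search(first_label):      # prefer the regional name; it spans every AZ
                return ("endpoint-url", "https://" + entry["DnsName"])
    return ("public", None)


if __name__ == "__main__":
    mode, url = pick_endpoint(SAMPLE_RESPONSE, "us-east-1")
    print(mode, url)
    # -> endpoint-url https://vpce-0bbbb-2222.api.appstream.us-east-1.vpce.amazonaws.com
    # With boto3 (not run here): boto3.client("appstream", region_name="us-east-1", endpoint_url=url)
```

Treat the `public` result as a finding in any environment that is meant to keep API traffic off the internet.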

# Protecting Data in Transit with FIPS Endpoints
<a name="protecting-data-in-transit-FIPS-endpoints"></a>

By default, when you communicate with the WorkSpaces Applications service, whether as an administrator using the WorkSpaces Applications console, the AWS Command Line Interface (AWS CLI), or an AWS SDK, or as a user streaming from an image builder or a fleet instance, all data in transit is encrypted using TLS 1.2.

If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. WorkSpaces Applications offers FIPS endpoints in all United States AWS Regions where WorkSpaces Applications is available. When you use a FIPS endpoint, all data in transit is encrypted using cryptographic standards that comply with Federal Information Processing Standard (FIPS) 140-2. For information about FIPS endpoints, including a list of WorkSpaces Applications endpoints, see [Federal Information Processing Standard (FIPS) 140-2](https://aws.amazon.com/compliance/fips).

**Topics**
+ [FIPS Endpoints for Administrative Use](FIPS-for-administrative-use.md)
+ [FIPS Endpoints for User Streaming Sessions](FIPS-for-user-streaming-sessions.md)
+ [Exceptions](FIPS-exceptions.md)

# FIPS Endpoints for Administrative Use
<a name="FIPS-for-administrative-use"></a>

To specify a FIPS endpoint when you run an AWS CLI command for WorkSpaces Applications, use the `endpoint-url` parameter. The following example uses the WorkSpaces Applications FIPS endpoint in the US West (Oregon) Region to retrieve a list of all stacks in the Region:

```bash
aws appstream describe-stacks --endpoint-url https://appstream2-fips.us-west-2.amazonaws.com
```

To specify a FIPS endpoint for WorkSpaces Applications API operations, use the procedure in your AWS SDK for specifying a custom endpoint.

# FIPS Endpoints for User Streaming Sessions
<a name="FIPS-for-user-streaming-sessions"></a>

If you use SAML 2.0 or a streaming URL to authenticate users, you can configure FIPS-compliant connections for your users' streaming sessions.

To use a FIPS-compliant connection for users who authenticate using SAML 2.0, specify a WorkSpaces Applications FIPS endpoint when you configure the relay state of your federation. For more information about constructing a relay state URL for identity federation using SAML 2.0, see [Setting Up SAML](external-identity-providers-setting-up-saml.md).

To configure a FIPS-compliant connection for users who authenticate through a streaming URL, specify a WorkSpaces Applications FIPS endpoint when you call the [CreateStreamingURL](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_CreateStreamingURL.html) or [CreateImageBuilderStreamingURL](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_CreateImageBuilderStreamingURL.html) operation from the AWS CLI or an AWS SDK. A user who connects to a streaming instance using the resulting URL is connected through a FIPS-compliant connection. The following example uses the WorkSpaces Applications FIPS endpoint in the US East (N. Virginia) Region to generate a FIPS-compliant streaming URL:

```bash
aws appstream create-streaming-url --stack-name stack-name --fleet-name fleet-name --user-id user-id --endpoint-url https://appstream2-fips.us-east-1.amazonaws.com
```

# Exceptions
<a name="FIPS-exceptions"></a>

FIPS-compliant connections are not supported in the following scenarios:
+ Administration of WorkSpaces Applications through the WorkSpaces Applications console
+ Streaming sessions for users who authenticate using the WorkSpaces Applications user pool feature
+ Streaming using an interface VPC endpoint
+ Generating FIPS-compliant streaming URLs through the WorkSpaces Applications console
+ Connections to your Google Drive or OneDrive storage accounts where your storage provider does not provide a FIPS endpoint