spotst.blogg.se

AWS WorkSpaces vs AppStream

Amazon AppStream and Amazon WorkSpaces were among the greatest technologies used by organizations to enable their employees to work remotely through the Covid-19 pandemic. Since the pandemic, organizations have started to understand the real benefits of using Desktop-as-a-Service and application streaming services in the cloud, such as agility, being fully managed, reliability, and security. Speaking of security, most clients have strict regulatory security requirements that are mandatory for compliance reasons. In today's blog, I will walk you through some best practices to help you secure your Amazon AppStream and Amazon WorkSpaces. So, what are some of the security tools that AWS provides to you by default?

- Network Security Groups that act as a virtual firewall to control the traffic for one or more WorkSpace instances.
- Network ACLs that work as a second line of defense.
- Volume encryption through AWS KMS integration.
- Captcha prompt to limit incorrect login attempts.

However, some regulations require more, and this is where we are going to discuss other topics that explain different ways to secure your Amazon AppStream and Amazon WorkSpaces environments.

Although the API endpoints for Amazon AppStream and Amazon WorkSpaces, just like those of many other AWS services (Amazon RDS, Amazon S3, Amazon Lambda), are public and accessible from the internet, you can still limit access to these services by IP address using the following methods:

- Limit access to the WorkSpaces using the IP Access Control List functionality. This feature comes out of the box with Amazon WorkSpaces and is straightforward to use from the console directly.
- Limit access to AppStream using SAML-based authentication (AD FS, Azure AD, OKTA, etc.). This feature requires configuring the source IP-based filter policy using an inline policy on the SAML 2.0 federation IAM role. Another option would be using AWS PrivateLink endpoints and connecting to your AppStream Fleet through AWS VPN.

Unfortunately, MFA is still not an "out of the box" option for those two services; however, I will list some workarounds that can enable you to use multi-factor authentication. In WorkSpaces, the only way to enable MFA is through a RADIUS server integrated either with an on-premises AD or an AWS Managed AD. With this approach, the username and password are first authenticated against your Active Directory, and the RADIUS server is then responsible for authenticating the One-Time Password (OTP) generated by an authentication app like Google Authenticator. One open-source RADIUS server that can be used is FreeRADIUS.

Enforcing MFA for Amazon AppStream can only be achieved through configuring SAML 2.0 federation with your corporate directory.

We have also seen cases where clients require network filtering on their WorkSpaces and AppStream Fleets due to compliance and regulatory reasons such as PCI DSS Requirement 11.4, which requires implementing intrusion detection and intrusion prevention systems. Others prefer to conduct domain name filtering to limit and block specific fully qualified domain names (FQDNs) from being accessed within their VPC.

Previously, clients had to either route their ingress and egress traffic through their on-premises firewalls or purchase a firewall appliance subscription from Amazon Marketplace to protect their network from Layer 3 to Layer 7 attacks such as IP spoofing, viruses, worms, and trojans. Others relied on securing their network by only using Security Groups and Network Access Lists to block specific IP addresses and ports. Luckily, AWS announced the general availability of the AWS Network Firewall back in November 2020, and it was a game changer for such scenarios.
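The source IP-based filter on the SAML 2.0 federation IAM role, mentioned above for AppStream, can be checked mechanically. The following is an added example, not code from the original post: it audits an inline policy document for appstream:Stream grants that have no aws:SourceIp condition or an open one. The region, account ID, stack name and CIDR are constructed placeholders, and audit and source_cidrs are hypothetical helper names.

```python
import copy
import ipaddress

# Constructed inline policy for the SAML 2.0 federation role. Region, account
# ID, stack name and CIDR are placeholders, not values from the article.
RESTRICTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "appstream:Stream",
        "Resource": "arn:aws:appstream:us-east-1:111122223333:stack/ExampleStack",
        "Condition": {
            "StringEquals": {"appstream:userId": "${saml:sub}"},
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        },
    }],
}
# Weak variant: the same statement with the source-IP condition left out.
UNRESTRICTED = copy.deepcopy(RESTRICTED)
del UNRESTRICTED["Statement"][0]["Condition"]["IpAddress"]

def _listify(value):
    # IAM allows a single value wherever a list is accepted.
    return value if isinstance(value, list) else [value]

def source_cidrs(stmt):
    """CIDRs listed under IpAddress / aws:SourceIp (keys are case-insensitive)."""
    out = []
    for op, keys in stmt.get("Condition", {}).items():
        if op.lower() == "ipaddress":
            for key, val in keys.items():
                if key.lower() == "aws:sourceip":
                    out += _listify(val)
    return out

def audit(policy):
    """Flag Allow statements for appstream:Stream without a usable IP filter."""
    findings = []
    for i, stmt in enumerate(_listify(policy["Statement"])):
        actions = {a.lower() for a in _listify(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"appstream:stream", "appstream:*", "*"}:
            continue
        cidrs = source_cidrs(stmt)
        if not cidrs:
            findings.append((i, "no aws:SourceIp condition"))
        findings += [(i, f"{c} matches every address") for c in cidrs
                     if ipaddress.ip_network(c, strict=False).prefixlen == 0]
    return findings
```

An empty list from audit means every streaming grant in the document carries a source-IP restriction; each finding is a (statement index, reason) pair.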














