Desktop and Application Streaming
Designing and Deploying Secure Environments Using HAQM WorkSpaces
This post was co-written with Ariana Lopez, Sr. Partner Solution Architect at AWS; Scott Weber, Managing Director at PwC US and AWS Ambassador; Justin Guse, Director at PwC US and AWS Ambassador; and Joshua Sarkis, Senior Associate at PwC US.
Building environments for regulated workloads that must satisfy industry regulations can be complex. HAQM WorkSpaces Personal gives businesses a way to create a secure, customized environment that can meet those stringent requirements. PwC is an AWS Premier Tier Services Partner offering consulting services and software solutions. PwC is focused on building trust in society and solving important problems. This post explains how we, PwC, used WorkSpaces to create a secure environment for regulated workloads, focusing on these areas: compliance and regulatory requirements, identity and access management, network security, data protection, monitoring and logging, and secure software package management.
WorkSpaces is a fully persistent virtual desktop service. Customers can choose the operating system (OS) that suits their business needs. Another key benefit of WorkSpaces is the additional security features, such as multi-factor authentication (MFA), that can be enabled. WorkSpaces also integrates with AWS Key Management Service (AWS KMS) to encrypt data at rest, disk I/O, and volume snapshots. Furthermore, you can restrict who has access to WorkSpaces by controlling the IP addresses from which users may connect. WorkSpaces also assists with separation of users, because each WorkSpace is assigned to a single user and cannot be shared with others.
Problem Statement
One of our clients had a large team of remote software engineers who developed and supported applications for a customer with a highly regulated environment. In their existing workflow, each team member developed part of the code on a company-issued laptop, uploaded the code to a shared repository, built and tested the code, then delivered the final product to the customer. While company-issued laptops provided some level of control, they lacked some essential guardrails: laptops can be lost, can connect to public networks, and can have their physical storage removed. We also had to account for common administrative oversight issues, including:
- Developers commonly need multiple operating systems and install Linux subsystems, which are difficult to control.
- Source code is copied and pasted from one location to another.
- Laptops operate offline or on unsecured networks.
- Software and patching vulnerabilities become difficult to manage.
We will now explain how we overhauled our client's workflow and how we used WorkSpaces to create a secure development workflow that met their compliance and security requirements.
Solutioning with WorkSpaces
Networking
After spending time with the client and understanding their needs and requirements, we had to design a highly regulated environment in AWS. To do this with WorkSpaces, we first had to define network boundaries. We created a dedicated network and called it the secure network. Alongside the network creation, we restricted outbound internet access from the WorkSpaces. This was accomplished with a combination of strict security group rules and a default-deny rule at the firewall, with exceptions only for allowlisted destinations. The allowlist covered administrative tasks such as patch management.
Core Network
WorkSpaces runs inside an HAQM Virtual Private Cloud (VPC); together with AWS Transit Gateway, this let us define the secure network in AWS. For our hybrid model, we extended the secure network into the data center, which can be done using an AWS Direct Connect connection along with an AWS Site-to-Site VPN. We chose a highly available hub-and-spoke design and built a new AWS networking account that handled all traffic in and out of the secure network. In this account, we deployed a Transit Gateway behind a set of firewalls to inspect traffic and route it to its destination.
Routing & Network Segmentation
In this scenario, WorkSpaces also needed connectivity to the organization's security tooling, patch and update sources, and identity provider (IdP). We extended the client's IdP and security tool stack into the secure network, which reduced the traffic that had to cross its boundary. Transit Gateway provided routes between VPCs in other AWS accounts and the centralized networking account. Route tables were updated so that all traffic was handled by the Transit Gateway and handed off to the firewalls for any internet access. Traffic that did leave the secure network, such as authentication and logging, was designed not to carry sensitive data or internal IP addresses.
Security Groups
Another layer of protection we added was establishing strict security group rules for the ports and protocols used by WorkSpaces. For this solution there were two types of security groups: one for the WorkSpaces themselves (the members security group) and another for the AD Connector (the controllers security group).
By default, the controllers security group that AWS creates for the directory allows broad inbound and outbound traffic so that it works for many different deployments. It should be scoped down to the specific domain controllers, and the ports, that the AD Connector uses. Check the AWS documentation for best practices for deploying WorkSpaces. For more granular control, we also created a custom security group for the WorkSpaces members to manage their traffic.
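The scoping described above, as an added example that is not code from the post or from AWS: the script audits a security group in the shape EC2 DescribeSecurityGroups returns and builds a replacement egress rule set limited to the domain controllers. The domain controller addresses, the constructed default group, and the port list are assumptions for illustration; take the exact port list from the current AD Connector prerequisites before applying it.

```python
"""Audit and scope the security groups WorkSpaces creates for a directory.

Added example (not code from the post or from AWS). It works on the
IpPermissions / IpPermissionsEgress structures that EC2
DescribeSecurityGroups returns, so real boto3 output can be passed in;
the group below is constructed so the script runs offline.
"""
import ipaddress

# Assumed domain controller addresses the AD Connector must reach.
DOMAIN_CONTROLLER_CIDRS = ["10.20.1.10/32", "10.20.2.10/32"]

# Illustrative AD Connector -> domain controller ports (protocol, from, to).
# Confirm the exact list against the current AD Connector prerequisites.
AD_CONNECTOR_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),          # DNS
    ("tcp", 88, 88), ("udp", 88, 88),          # Kerberos
    ("tcp", 389, 389), ("udp", 389, 389),      # LDAP
    ("tcp", 445, 445),                         # SMB
    ("tcp", 636, 636),                         # LDAPS
    ("tcp", 3268, 3269),                       # Global Catalog
    ("tcp", 135, 135), ("tcp", 49152, 65535),  # RPC endpoint mapper + ephemeral
]

# Constructed copy of the broad default rules on a directory's controllers
# group: all protocols out to anywhere, plus a self-referencing ingress rule.
DEFAULT_CONTROLLERS_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "-1",
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]}
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
}


def scoped_egress(dc_cidrs=DOMAIN_CONTROLLER_CIDRS, ports=AD_CONNECTOR_PORTS):
    """Build IpPermissions for ec2.authorize_security_group_egress that only
    reach the domain controllers on the required ports."""
    return [
        {
            "IpProtocol": proto,
            "FromPort": lo,
            "ToPort": hi,
            "IpRanges": [
                {"CidrIp": c, "Description": "AD Connector to domain controller"}
                for c in dc_cidrs
            ],
        }
        for proto, lo, hi in ports
    ]


def _cidrs(rule):
    # Security-group references (UserIdGroupPairs) are not CIDRs; the
    # self-referencing ingress rule is left alone by this audit.
    yield from (r["CidrIp"] for r in rule.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))


def audit_rules(rules, allowed_cidrs, direction):
    """Return findings for rules wider than the allowed CIDR set.

    A rule is flagged when it is open to the world, reaches an address
    outside `allowed_cidrs`, or permits all protocols ("-1") even to an
    allowed address.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rule in rules:
        proto = rule.get("IpProtocol")
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{direction}: {proto} open to {cidr}")
            elif not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{direction}: {proto} reaches {cidr}, outside allowed set")
            elif proto == "-1":
                findings.append(f"{direction}: all protocols to {cidr}; restrict to required ports")
    return findings


def audit_group(group, allowed_cidrs=DOMAIN_CONTROLLER_CIDRS):
    """Audit both directions of one DescribeSecurityGroups entry."""
    return (audit_rules(group.get("IpPermissions", []), allowed_cidrs, "ingress")
            + audit_rules(group.get("IpPermissionsEgress", []), allowed_cidrs, "egress"))


if __name__ == "__main__":
    for finding in audit_group(DEFAULT_CONTROLLERS_SG):
        print("FINDING", finding)
    scoped = dict(DEFAULT_CONTROLLERS_SG, IpPermissionsEgress=scoped_egress())
    print("scoped egress findings:", audit_group(scoped))
```

Run against real output, the audit is a quick regression check after someone "temporarily" widens a rule; the scoped rule list is what you would pass to `authorize_security_group_egress` after revoking the default all-traffic rule, which also removes the self-referencing ingress from consideration since it is a group reference rather than a CIDR.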
WorkSpaces Infrastructure and Dependencies
WorkSpaces infrastructure and its dependencies can vary based on the organizational and regulatory requirements. When we designed our WorkSpaces solution, we considered a few things:
- If an end user with a single AD username needs access to two personal WorkSpaces at the same time, a separate AD Connector is required for each. For example, developers often need both a Windows environment and a Linux environment. WorkSpaces Personal uses a 1:1 mapping between a directory username and a WorkSpace, so registering multiple AD Connectors is one way around this restriction.
- Tying WorkSpaces into an organization’s existing IdP. Some IdPs require additional infrastructure to handle things like MFA.
- Maintenance of WorkSpaces was needed to make sure security vulnerabilities were addressed regularly. Patching can be handled in many ways and often requires reboots. We used the WorkSpaces maintenance guide to help us determine what was appropriate for the organization.
WorkSpaces Directories Configuration
To prevent users from obtaining administrator access to their WorkSpace, we disabled the directory's local administrator setting, so users are not granted local administrator rights on their WorkSpace. This is a critical control that prevented users from elevating their own OS permissions.
Access control options are critical for ensuring that only authorized and trusted devices can connect to your environment. With WorkSpaces, you can add defense in depth by configuring trusted devices: you import your root certificates into the directory, and only clients that present a certificate chaining to one of those roots are allowed to connect. This chain of trust is what we used to allow the client's developers to access WorkSpaces from their company-issued laptops.
Image Building
Our base image building process needed to carefully consider meeting regulatory hardening requirements without breaking operating system functionality. We made sure to create a new base image before any major configuration change to the operating system. Multiple versions of the base image allowed us to roll back any changes that could inhibit a successful deployment.
We worked with the systems administration teams to build the initial set of base images. The number of base images varied based on workforce needs. Core components of our base image included:
- The latest OS version
- Required security agents
- AWS Systems Manager
- Company branding elements like wallpapers, login screens, and application themes
- Automation scripts used for maintenance or configuration tasks
Once the systems administration team created the initial base image, we applied hardening techniques to confirm that security measures were in place to safeguard against threats and vulnerabilities. The hardening process involved close collaboration between SecOps, sysadmin, and developer leads to share key requirements throughout the process. Working documents such as a bill of materials, together with a regular meeting cadence, also helped to streamline the process.
We also used Group Policy to enforce security settings across Windows environments. AWS Systems Manager is another strong solution for applying security configurations and policies across various operating systems, including Linux platforms.
After installing the necessary applications and agents and applying hardening configurations and policies, we performed a final security check. This included scanning our image with a vulnerability scanning tool. Our scans were run against the appropriate compliance standards that the client was trying to meet. Once scans came back clean, we created custom WorkSpaces bundles for User Acceptance Testing (UAT). This confirmed that the images were ready for the next step. Once the stakeholders were satisfied, the images were added to the library of usable WorkSpaces images.
Image Patching and Lifecycle
Creating a solution that satisfied stakeholders was essential to make sure the image lifecycle adhered to compliance and workflow requirements. Patching operating systems and software could introduce unintended issues, so we worked with the operations teams to have a tested rollback process in place. This is where WorkSpaces was able to help: it offers a restore feature that reverts the root and user volumes to their last known healthy snapshots, and a rebuild feature that recreates the root volume from the image currently associated with the bundle and the user volume from its most recent snapshot. In both cases, anything written after the snapshot is lost, so the rollback runbook has to account for that. Another option would have been a custom script to manage and execute rollbacks across many WorkSpaces, which can be highly effective.
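The scripted rollback mentioned above, as an added example that is not code from the post: it drives the WorkSpaces RestoreWorkspace and RebuildWorkspaces APIs one WorkSpace at a time, checks the WorkSpace state first, and records per-WorkSpace outcomes instead of aborting the batch. The client is injected so the block runs offline against a constructed fake; the WorkSpace IDs, the fake client, and the function names are this example's own, and the accepted-state sets are taken from the API references and should be verified against current documentation.

```python
"""Roll back a set of WorkSpaces with restore or rebuild.

Added example (not code from the post). The WorkSpaces client is injected
so the logic runs offline against the constructed FakeClient below; pass
boto3.client("workspaces") to run it for real. Names such as FakeClient
and rollback() are this example's own.
"""

# States in which the API accepts each operation, per the RestoreWorkspace
# and RebuildWorkspaces API references; verify against current docs.
RESTORABLE = {"AVAILABLE", "ERROR", "UNHEALTHY", "STOPPED"}
REBUILDABLE = RESTORABLE | {"REBOOTING"}


def _states(client, workspace_ids):
    """Look up current states; DescribeWorkspaces takes at most 25 IDs per call."""
    states = {}
    for i in range(0, len(workspace_ids), 25):
        resp = client.describe_workspaces(WorkspaceIds=workspace_ids[i:i + 25])
        for ws in resp["Workspaces"]:
            states[ws["WorkspaceId"]] = ws["State"]
    return states


def rollback(client, workspace_ids, mode="restore", dry_run=True):
    """Restore (last healthy snapshots) or rebuild (bundle image plus latest
    user-volume snapshot) each WorkSpace. Returns {workspace_id: outcome}.

    Both API calls act on a single WorkSpace per request, so this loops and
    records failures per WorkSpace instead of aborting the batch.
    """
    if mode not in ("restore", "rebuild"):
        raise ValueError("mode must be 'restore' or 'rebuild'")
    accepted = RESTORABLE if mode == "restore" else REBUILDABLE
    states = _states(client, list(workspace_ids))
    results = {}
    for wid in workspace_ids:
        state = states.get(wid, "UNKNOWN")
        if state not in accepted:
            results[wid] = f"skipped: state {state}"
            continue
        if dry_run:
            results[wid] = f"planned: {mode}"
            continue
        try:
            if mode == "restore":
                client.restore_workspace(WorkspaceId=wid)
                results[wid] = "restored"
            else:
                resp = client.rebuild_workspaces(
                    RebuildWorkspaceRequests=[{"WorkspaceId": wid}])
                failed = resp.get("FailedRequests", [])
                results[wid] = ("rebuilt" if not failed
                                else f"failed: {failed[0].get('ErrorMessage', '')}")
        except Exception as exc:  # botocore.exceptions.ClientError with boto3
            results[wid] = f"failed: {exc}"
    return results


class FakeClient:
    """Constructed stand-in for boto3's workspaces client that records calls."""

    def __init__(self, states, fail_ids=()):
        self.states, self.fail_ids, self.calls = dict(states), set(fail_ids), []

    def describe_workspaces(self, WorkspaceIds):
        return {"Workspaces": [{"WorkspaceId": w, "State": self.states.get(w, "UNKNOWN")}
                               for w in WorkspaceIds]}

    def restore_workspace(self, WorkspaceId):
        self.calls.append(("restore", WorkspaceId))
        if WorkspaceId in self.fail_ids:
            raise RuntimeError("ResourceUnavailableException")
        return {}

    def rebuild_workspaces(self, RebuildWorkspaceRequests):
        wid = RebuildWorkspaceRequests[0]["WorkspaceId"]
        self.calls.append(("rebuild", wid))
        if wid in self.fail_ids:
            return {"FailedRequests": [{"WorkspaceId": wid,
                                        "ErrorCode": "OperationNotSupportedException",
                                        "ErrorMessage": "simulated failure"}]}
        return {"FailedRequests": []}


if __name__ == "__main__":
    fake = FakeClient({"ws-aaa111": "AVAILABLE", "ws-bbb222": "PENDING",
                       "ws-ccc333": "STOPPED"}, fail_ids=["ws-ccc333"])
    ids = ["ws-aaa111", "ws-bbb222", "ws-ccc333"]
    print(rollback(fake, ids, dry_run=True))
    print(rollback(fake, ids, mode="rebuild", dry_run=False))
```

The dry run is deliberate: because both operations discard data written after the snapshot, the planned list should be reviewed (and the affected users warned) before the real call is made.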
To handle patching of Ubuntu WorkSpaces, we relied on the default behavior. For Windows WorkSpaces, we used the built-in Windows Update service to automatically download and install updates. To control the timing and nature of the updates, we had the option of configuring Windows Update settings using Group Policy or local settings on each WorkSpace. We used Group Policy, as that reduced configuration overhead for system administrators. There are several methods for patching the applications and tools installed on WorkSpaces; in our case we used AWS Systems Manager Patch Manager. Specialized tools that automate the patching process helped confirm that systems stayed up to date and secure.
Key Benefits
Going back to our problem statement, where our client needed to create a secure alternative workflow for application development for their large development team, we were able to create a secure WorkSpaces environment within their AWS account. Using WorkSpaces for secure development provided the client with several key enhancements:
- Administrators could migrate WorkSpaces to new bundles with different images. This was very useful if development teams wanted to increase their workforce on a particular project by scaling horizontally.
- Automated WorkSpaces snapshots help reduce support overhead and limit the risk of data loss and downtime.
- Patching no longer required laptops to be online and connected to a VPN. This could now occur during planned downtime or off hours.
- WorkSpaces could be stopped during off hours, reducing costs.
- New development projects only required one new secure image instead of configuring many laptops.
Conclusion
Throughout this post, we described how we used WorkSpaces to help a client achieve a secure development environment that meets security and regulatory requirements. WorkSpaces was effective in this scenario because its customizability and native integrations within AWS help businesses meet security requirements. WorkSpaces allows organizations to choose between various images depending on their use cases and business needs. We advise you to consult with your security team to confirm that your requirements, including local or industry regulations, are addressed, or ask PwC to help you navigate them.
Disclaimer: The content and opinions in this post are those of a 3rd party author and AWS is not responsible for the content or accuracy of this post.
About the Authors
Ariana Lopez is a Senior Partner Solution Architect at AWS. She has ten years of industry experience, spending the majority of her career in cloud. She has experience in cloud automation, strategy, and solution architecting. Today, she is focused on helping Partners architect best practice solutions.
Justin Guse is a Director in PwC's Cloud Engineering practice focused on helping clients solve business challenges with AWS solutions. He brings over 11 years of experience in cloud architecture, with a focus on cloud migrations, greenfield deployments, and security. Justin is an AWS Ambassador and an active member of the AWS Certification Subject Matter Expert program, serving as a Lead SME.
Scott has worked as a software engineer, software architect, and cloud architect for the last 20 years. He's worked on AWS projects since 2007 and has been an AWS Ambassador since 2019. He helps customers establish a solid foundation for their AWS journey and has a passion for educating customers on how the AWS Cloud can help them change how their business operates.
Joshua has 10 years of experience in the tech industry as a Network Engineer, Systems Administrator, and IT Systems Architect before becoming an AWS Architect. Over the last 5 years he has worked with clients to modernize their IT infrastructure and security posture and streamline operations in highly regulated environments.