Amazon WorkSpaces

A cloud DaaS (Desktop as a Service) that provides fully managed Windows or Linux virtual desktops accessible securely from any device

Overview

Amazon WorkSpaces is a DaaS (Desktop as a Service) that provides fully managed virtual desktop environments in the cloud. It provisions Windows 10/11 or Amazon Linux 2 desktops in minutes, accessible from PCs, Macs, iPads, Chromebooks, and web browsers. Since user data is stored in AWS data centers, it eliminates data leakage risks from device loss or theft. It comes standard with Active Directory integration, MFA, encryption, and IP access controls.

Bundle Selection and Monthly vs. Hourly Billing

WorkSpaces bundles come in seven tiers based on vCPU, memory, storage, and GPU combinations: Value, Standard, Performance, Power, PowerPro, Graphics, and GraphicsPro. Standard (2 vCPU, 4 GB RAM) is sufficient for typical office work (email, browser, Office). Performance (4 vCPU, 8 GB RAM) or Power (8 vCPU, 16 GB RAM) suits developers, while GPU-equipped Graphics/GraphicsPro bundles are needed for 3D CAD and video editing. Two billing models are available: monthly flat rate and hourly billing. Monthly flat rate suits full-time workers who use their desktop 8+ hours daily, at roughly 35 USD/month for a Standard bundle. Hourly billing charges based on usage time, suited for part-time workers or employees who travel frequently. The break-even point is approximately 80 hours per month - beyond that, monthly flat rate is cheaper. Enabling AutoStop automatically stops idle WorkSpaces after a set period, minimizing hourly billing costs.

Directory Integration and Security Design

WorkSpaces user authentication integrates with Active Directory (AD), offering three options: AWS Managed Microsoft AD, AD Connector, and Simple AD. If you have an existing on-premises AD, use AD Connector to delegate authentication to it. AD Connector is a proxy that forwards authentication requests to your on-premises AD, letting users log into WorkSpaces with their existing AD credentials. For new AD deployments, AWS Managed Microsoft AD is recommended, with multi-AZ redundancy configured automatically. On the security front, WorkSpaces streaming protocols (PCoIP or WSP) are encrypted with AES-256. IP access control groups restrict the source IP addresses that may connect; a common configuration allows access only from corporate networks or the VPN. Clipboard redirection, local printer redirection, and local drive mapping can each be enabled or disabled individually; in some deployments all three are disabled to prevent data exfiltration. MFA is implemented through RADIUS server integration, requiring one-time password entry at login.
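As an added example (not part of the original page or of AWS's own tooling), the following Python builds the rule list for an IP access control group in the shape the boto3 `create_ip_group` call expects, refuses rules that would defeat a corporate-network/VPN allow-list, and audits existing groups from `describe_ip_groups` output for overly broad prefixes. The /16 breadth threshold, the 10-rules-per-group quota and the sample group data are assumptions made for this example.

```python
"""Build and audit Amazon WorkSpaces IP access control group rules (boto3 payload shapes)."""
import ipaddress

MIN_PREFIX_LEN = 16        # prefixes shorter than /16 are treated as too broad (example threshold, not an AWS setting)
MAX_RULES_PER_GROUP = 10   # assumed WorkSpaces quota on rules per IP access control group


def build_ip_group_rules(cidrs, description="corporate egress"):
    """Validate CIDRs and return the UserRules list accepted by create_ip_group / authorize_ip_rules."""
    rules = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)   # ValueError on malformed input or host bits set
        if net.version != 4:
            raise ValueError(f"{cidr}: this example only emits IPv4 rules")
        if net.prefixlen < MIN_PREFIX_LEN:
            raise ValueError(f"{cidr}: prefix too broad for a corporate/VPN allow-list")
        rules.append({"ipRule": str(net), "ruleDesc": description})
    if len(rules) > MAX_RULES_PER_GROUP:
        raise ValueError(f"{len(rules)} rules exceed the per-group limit of {MAX_RULES_PER_GROUP}")
    return rules


def audit_ip_groups(groups):
    """Return (groupId, ipRule) for every rule broader than MIN_PREFIX_LEN.

    `groups` has the shape of the 'Result' list returned by describe_ip_groups.
    """
    findings = []
    for group in groups:
        for rule in group.get("userRules", []):
            net = ipaddress.ip_network(rule["ipRule"], strict=False)
            if net.prefixlen < MIN_PREFIX_LEN:
                findings.append((group["groupId"], rule["ipRule"]))
    return findings


# Constructed sample resembling describe_ip_groups output; IDs and addresses are placeholders.
SAMPLE_GROUPS = [
    {"groupId": "wsipg-EXAMPLE01", "groupName": "corp-vpn",
     "userRules": [{"ipRule": "203.0.113.0/24", "ruleDesc": "HQ egress"},
                   {"ipRule": "198.51.100.0/24", "ruleDesc": "VPN concentrator"}]},
    {"groupId": "wsipg-EXAMPLE02", "groupName": "temp-open",
     "userRules": [{"ipRule": "0.0.0.0/0", "ruleDesc": "opened for troubleshooting"}]},
]


def apply_ip_group(client, directory_id, group_name, cidrs):
    """Create the group and attach it to a WorkSpaces directory (needs a boto3 'workspaces' client)."""
    resp = client.create_ip_group(GroupName=group_name, GroupDesc="Corporate and VPN egress only",
                                  UserRules=build_ip_group_rules(cidrs))
    client.associate_ip_groups(DirectoryId=directory_id, GroupIds=[resp["GroupId"]])
    return resp["GroupId"]
```

Running `audit_ip_groups(SAMPLE_GROUPS)` flags the `0.0.0.0/0` rule, which would admit every source address and so undo the restriction the group exists to enforce.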

Positioning of WorkSpaces Web and WorkSpaces Thin Client

The WorkSpaces family includes WorkSpaces Web and WorkSpaces Thin Client alongside the full desktop WorkSpaces. WorkSpaces Web provides only a web browser, specializing in secure access to internal web applications and SaaS. It's a cost-effective option for users who don't need a full desktop and only perform browser-based work. Users access WorkSpaces Web from their own device's browser and operate internal systems in an isolated browser environment. Since data is never downloaded to the local device, it's effective for securing BYOD (Bring Your Own Device) environments. WorkSpaces Thin Client is a dedicated hardware device (ASUS-manufactured, approximately 195 USD) - a thin terminal for connecting to WorkSpaces or AppStream 2.0. It reduces PC procurement and management costs while lightening the IT department's device management burden. As a selection guide: choose WorkSpaces for full desktop needs, WorkSpaces Web when a browser is sufficient, and Thin Client + WorkSpaces when you want to simplify device management as well.
