AWS End User Computing
WorkSpaces
Managed cloud virtual desktops for remote and hybrid workforces
Amazon WorkSpaces is a fully managed, persistent cloud desktop service (DaaS) that lets organizations provision Windows or Linux virtual desktops for employees without owning or managing physical hardware. It integrates with Active Directory for identity, supports a range of bundles from value to graphics-intensive, and is billed monthly or hourly - making it relevant for remote workforce, BYOD, and contractor access scenarios that cloud engineers are frequently asked to design.
How WorkSpaces Delivers Virtual Desktops
Each WorkSpace is a dedicated virtual machine running on AWS-managed infrastructure. The desktop is streamed to the client over PCoIP or the WorkSpaces Streaming Protocol (WSP, since rebranded Amazon DCV); the client only ever talks to the streaming gateway, never to the VM directly. The VM has a management network interface in an AWS-managed address range (used for streaming and service control) and a primary elastic network interface (ENI) in a subnet of your VPC, which is how the desktop reaches your internal resources and where your security groups and NACLs apply.
| Component | Description |
|---|---|
| WorkSpace Bundle | Defines the vCPU, RAM, storage, and OS image for the desktop |
| Directory | AWS Managed Microsoft AD, Simple AD, or AD Connector links to your existing AD |
| ENI | Each WorkSpace gets an ENI in your VPC subnet for network access |
| PCoIP / WSP | Streaming protocols that carry display, keyboard, and mouse data to the client |
| WorkSpaces Client | Available for Windows, macOS, Linux, iOS, Android, and Chromebook |
WSP (WorkSpaces Streaming Protocol, now Amazon DCV) is the newer protocol and adds features such as bidirectional video and USB redirection. PCoIP is the older default. The protocol is chosen per WorkSpace, through the bundle's protocol (or the Protocols property at creation), not per directory; moving an existing WorkSpace to the other protocol is a migration to a bundle of that protocol.
Bundle Types and Sizing
WorkSpaces bundles define the compute and storage profile. AWS provides public bundles, and you can create custom bundles from a base WorkSpace that has your software pre-installed.
| Bundle Family | vCPUs | RAM | Storage | Best For |
|---|---|---|---|---|
| Value | 1 | 2 GB | 80 GB root + 10 GB user | Light workers, call centers |
| Standard | 2 | 4 GB | 80 GB root + 50 GB user | General office tasks |
| Performance | 2 | 8 GB | 80 GB root + 100 GB user | Knowledge workers, developers |
| Power | 4 | 16 GB | 175 GB root + 100 GB user | Data analysts, power users |
| PowerPro | 8 | 32 GB | 175 GB root + 100 GB user | Heavy compute workloads |
| Graphics.g4dn | 4 | 16 GB | 100 GB root + 100 GB user | GPU-accelerated design/CAD |
| GraphicsPro | 16 | 122 GB | 100 GB root + 100 GB user | High-end 3D rendering |
The compute type of an existing WorkSpace can be changed in place among the non-graphics families (Value, Standard, Performance, Power, PowerPro) and the root and user volumes can be grown, both via modify-workspace-properties; volumes cannot be shrunk, and AWS rate-limits these changes (a move to a larger compute type roughly once every 6 hours, to a smaller one once every 30 days). Changing the OS image or protocol, or moving between a graphics and a non-graphics family, requires migrating to a new bundle or rebuilding. Plan sizing up front, or use hourly billing so a rebuild does not strand a month's fee.
Billing Model: Monthly vs Hourly
WorkSpaces has two billing modes that you set per WorkSpace. Choosing the wrong mode is a common cost mistake.
| Mode | When Charged | Best For | Typical Cost (Standard) |
|---|---|---|---|
| Monthly (AlwaysOn) | Fixed monthly fee regardless of usage | Full-time employees using desktop daily | ~$35/month |
| Hourly (AutoStop) | Per-hour usage + small monthly infrastructure fee | Occasional users, contractors, shift workers | ~$10/month + $0.26/hr |
AutoStop WorkSpaces stop automatically after a configurable idle period (default 1 hour, set in 60-minute increments). When the user reconnects, the WorkSpace resumes in roughly 90 seconds; both the root and user volumes persist across stops.
Break-even is where the AutoStop cost equals the AlwaysOn fee: (monthly fee - hourly base fee) / hourly rate. With the Standard figures above that is (35 - 10) / 0.26, about 96 hours/month; AWS's general rule of thumb is around 80 hours, the exact point depending on bundle and region. Users above the break-even belong on Monthly billing. This is a common interview calculation.
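The break-even arithmetic becomes useful once it is applied to a whole fleet. The script below is an added example for this page, not AWS code: it computes the break-even from a price table, compares each WorkSpace's observed connected hours against its current running mode, and emits the modify-workspace-properties calls to switch the ones that would save money. The prices are the page's approximate Standard figures used as placeholders (fill PRICES from the real price list for your bundles and region), the sample fleet is constructed, and ConnectedHours is assumed to have been precomputed (for example from the UserConnected CloudWatch metric). The 15% margin is a design choice so a user hovering near the break-even is not flipped every month.

```python
"""Right-size WorkSpaces running mode from observed monthly usage.

Added example for this page, not from AWS or the original text. Prices are
the page's approximate Standard-bundle figures; other bundles, regions and
BYOL change them, so treat PRICES as a placeholder to fill from the price list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BundlePrice:
    monthly: float       # AlwaysOn fixed fee, USD per month
    hourly_base: float   # AutoStop infrastructure fee, USD per month
    hourly_rate: float   # AutoStop usage fee, USD per connected hour


# Assumed placeholder prices (only Standard comes from the page).
PRICES = {"STANDARD": BundlePrice(monthly=35.0, hourly_base=10.0, hourly_rate=0.26)}

# RunningModeAutoStopTimeoutInMinutes must be a multiple of 60.
AUTO_STOP_TIMEOUT_MIN = 60


def break_even_hours(price: BundlePrice) -> float:
    """Connected hours per month at which AutoStop costs the same as AlwaysOn."""
    return (price.monthly - price.hourly_base) / price.hourly_rate


def monthly_cost(price: BundlePrice, mode: str, hours: float) -> float:
    if mode == "ALWAYS_ON":
        return price.monthly
    if mode == "AUTO_STOP":
        return price.hourly_base + price.hourly_rate * hours
    raise ValueError(f"unknown running mode {mode!r}")


def recommend(compute_type: str, mode: str, hours: float, margin: float = 0.15):
    """Return (mode_to_use, monthly_saving).

    A switch is only recommended when the other mode is cheaper by more than
    `margin`, so a user near the break-even point is not flipped back and forth.
    """
    price = PRICES[compute_type]
    other = "AUTO_STOP" if mode == "ALWAYS_ON" else "ALWAYS_ON"
    current = monthly_cost(price, mode, hours)
    alternative = monthly_cost(price, other, hours)
    if alternative < current * (1 - margin):
        return other, round(current - alternative, 2)
    return mode, 0.0


def plan_changes(workspaces):
    """Build the modify-workspace-properties calls for a fleet.

    `workspaces` mimics describe-workspaces entries with one extra field,
    ConnectedHours: the month's connected time (assumed precomputed here).
    """
    changes = []
    for ws in workspaces:
        props = ws["WorkspaceProperties"]
        new_mode, saving = recommend(props["ComputeTypeName"], props["RunningMode"], ws["ConnectedHours"])
        if new_mode == props["RunningMode"]:
            continue
        arg = f"RunningMode={new_mode}"
        if new_mode == "AUTO_STOP":
            arg += f",RunningModeAutoStopTimeoutInMinutes={AUTO_STOP_TIMEOUT_MIN}"
        cmd = (f"aws workspaces modify-workspace-properties --workspace-id {ws['WorkspaceId']} "
               f"--workspace-properties {arg}")
        changes.append({"WorkspaceId": ws["WorkspaceId"], "NewMode": new_mode, "Saving": saving, "Command": cmd})
    return changes


# Constructed sample fleet (not real data).
SAMPLE_FLEET = [
    {"WorkspaceId": "ws-aaaa1111", "WorkspaceProperties": {"ComputeTypeName": "STANDARD", "RunningMode": "ALWAYS_ON"}, "ConnectedHours": 40},
    {"WorkspaceId": "ws-bbbb2222", "WorkspaceProperties": {"ComputeTypeName": "STANDARD", "RunningMode": "AUTO_STOP"}, "ConnectedHours": 160},
    {"WorkspaceId": "ws-cccc3333", "WorkspaceProperties": {"ComputeTypeName": "STANDARD", "RunningMode": "AUTO_STOP"}, "ConnectedHours": 90},
    {"WorkspaceId": "ws-dddd4444", "WorkspaceProperties": {"ComputeTypeName": "STANDARD", "RunningMode": "ALWAYS_ON"}, "ConnectedHours": 100},
]

if __name__ == "__main__":
    print(f"Standard break-even: {break_even_hours(PRICES['STANDARD']):.1f} h/month")
    for change in plan_changes(SAMPLE_FLEET):
        print(change["Command"], f"# saves about ${change['Saving']}/month")
```

Run as-is it recommends moving the 40-hour AlwaysOn user to AutoStop and the 160-hour AutoStop user to AlwaysOn, and leaves the two near-break-even desktops alone. Review the generated commands before running them; the script deliberately prints rather than calls the API.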
# Switch a WorkSpace from hourly to monthly
aws workspaces modify-workspace-properties \
  --workspace-id ws-abc12345 \
  --workspace-properties RunningMode=ALWAYS_ON
# Switch to AutoStop with a 60-minute timeout (the timeout must be a multiple of 60)
aws workspaces modify-workspace-properties \
  --workspace-id ws-abc12345 \
  --workspace-properties RunningMode=AUTO_STOP,RunningModeAutoStopTimeoutInMinutes=60
Directory and Identity Integration
WorkSpaces requires a directory service for user authentication and WorkSpace assignment. There are three options:
| Directory Type | Description | Best For |
|---|---|---|
| AWS Managed Microsoft AD | Fully managed AD in AWS, supports trusts to on-prem AD | Greenfield or hybrid AD environments |
| Simple AD | Lightweight AD-compatible directory (Samba), no trusts | Small environments with no on-prem AD |
| AD Connector | Proxy that redirects auth to your on-prem AD | Orgs that want WorkSpaces but keep AD on-prem |
With AD Connector, WorkSpaces authenticates against your on-prem domain controllers. The AD Connector itself spans two subnets in different AZs for redundancy, but it is only a proxy: it does not cache credentials, so if your on-prem DCs are unreachable new logins fail.
AD Connector is a single point of dependency on your on-prem network. If the Direct Connect or VPN goes down, WorkSpaces users cannot authenticate. Plan for redundant connectivity when using AD Connector.
Security Controls and Network Architecture
WorkSpaces restricts access through IP access control groups, MFA, and trusted-device certificates. The architecture keeps the WorkSpace VMs on AWS-managed infrastructure while connecting them to your VPC via ENIs, so your security groups govern what the desktop can reach, and the controls below govern who can reach the desktop.
| Security Feature | How to Configure |
|---|---|
| IP Access Control Groups | Allow/deny client IP ranges from reaching the streaming endpoint |
| MFA | Enable RADIUS-based MFA on the directory; supported with AD Connector and AWS Managed Microsoft AD, not with Simple AD |
| Device Certificates | Upload the root or issuing CA certificate to the directory's trusted-device setting and set Windows and macOS access to TRUST; clients must then present a certificate chained to that CA (works with both PCoIP and WSP). DENY client types that cannot present a certificate, such as web access, unless there is a business need |
| Client Restrictions | Disable local drive, clipboard, and printer redirection through Group Policy using the PCoIP/WSP administrative templates |
| KMS Encryption | Encrypt root and user volumes with customer-managed KMS keys at creation time |
Volume encryption (KMS) must be enabled at WorkSpace creation. You cannot turn it on for an existing unencrypted WorkSpace; the remediation path is to create a new WorkSpace with encryption enabled for the user and move their data to it. Note also that a WorkSpace with encrypted volumes cannot be used as the source of a custom image, so build golden images from an unencrypted reference WorkSpace and encrypt the WorkSpaces you create from the resulting bundle.
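The controls in the table are only useful if they are actually set on every directory and desktop, and the API responses make that easy to check. The audit below is an added example for this page, not AWS code: it walks records shaped like the output of `aws workspaces describe-workspace-directories` and `describe-workspaces` and flags directories with no IP access control group, Windows or macOS access left at ALLOW instead of TRUST, other client types left open, Simple AD directories (no RADIUS MFA possible), and WorkSpaces with an unencrypted volume. The two directories and two WorkSpaces are constructed sample data; the choice to treat only Windows and macOS as certificate-capable, and the default of ALLOW for a missing setting, are assumptions of this example.

```python
"""Audit WorkSpaces directories and desktops for the access controls above.

Added example for this page, not AWS code. The dictionaries mirror the JSON
returned by `aws workspaces describe-workspace-directories` and
`describe-workspaces`; the records at the bottom are constructed sample data.
"""

# Device types whose access setting can be TRUST (client certificate required).
CERT_CAPABLE = ("DeviceTypeWindows", "DeviceTypeOsx")
# Other client types are treated as ALLOW/DENY only in this example's checks.
OTHER_DEVICES = ("DeviceTypeWeb", "DeviceTypeIos", "DeviceTypeAndroid",
                 "DeviceTypeChromeOs", "DeviceTypeZeroClient", "DeviceTypeLinux")


def audit_directory(d: dict) -> list:
    """Return (DirectoryId, code, detail) findings for one directory record."""
    findings = []
    did = d["DirectoryId"]
    if not d.get("ipGroupIds"):
        findings.append((did, "NO_IP_ACCESS_GROUP",
                         "no IP access control group attached; any source IP can reach the streaming endpoint"))
    access = d.get("WorkspaceAccessProperties", {})
    for dev in CERT_CAPABLE:
        # A missing key is treated as ALLOW here (assumption: fail closed in the audit).
        if access.get(dev, "ALLOW") == "ALLOW":
            findings.append((did, "UNTRUSTED_DEVICES",
                             f"{dev}=ALLOW; set TRUST so only devices holding a certificate from the uploaded CA connect"))
    for dev in OTHER_DEVICES:
        if access.get(dev, "ALLOW") == "ALLOW":
            findings.append((did, "UNCHECKED_CLIENT",
                             f"{dev}=ALLOW; this client type is not certificate-checked, DENY it unless needed"))
    if d.get("DirectoryType") == "SIMPLE_AD":
        findings.append((did, "NO_MFA_POSSIBLE",
                         "Simple AD does not support RADIUS MFA; use AD Connector or AWS Managed Microsoft AD"))
    return findings


def audit_workspace(ws: dict) -> list:
    """Return (WorkspaceId, code, detail) findings for one WorkSpace record."""
    findings = []
    if not (ws.get("RootVolumeEncryptionEnabled") and ws.get("UserVolumeEncryptionEnabled")):
        findings.append((ws["WorkspaceId"], "UNENCRYPTED_VOLUME",
                         "root or user volume is not KMS-encrypted; cannot be enabled in place, recreate encrypted"))
    return findings


def audit_fleet(directories, workspaces) -> list:
    findings = []
    for d in directories:
        findings += audit_directory(d)
    for ws in workspaces:
        findings += audit_workspace(ws)
    return findings


# Constructed sample data: one hardened directory, one left at defaults.
DIRECTORIES = [
    {"DirectoryId": "d-9067aaaa11", "DirectoryType": "AD_CONNECTOR", "ipGroupIds": ["wsipg-0123abcd"],
     "WorkspaceAccessProperties": {"DeviceTypeWindows": "TRUST", "DeviceTypeOsx": "TRUST", "DeviceTypeWeb": "DENY",
                                   "DeviceTypeIos": "DENY", "DeviceTypeAndroid": "DENY", "DeviceTypeChromeOs": "DENY",
                                   "DeviceTypeZeroClient": "DENY", "DeviceTypeLinux": "DENY"}},
    {"DirectoryId": "d-9067bbbb22", "DirectoryType": "SIMPLE_AD", "ipGroupIds": [],
     "WorkspaceAccessProperties": {"DeviceTypeWindows": "ALLOW", "DeviceTypeOsx": "TRUST", "DeviceTypeWeb": "ALLOW",
                                   "DeviceTypeIos": "DENY", "DeviceTypeAndroid": "DENY", "DeviceTypeChromeOs": "DENY",
                                   "DeviceTypeZeroClient": "DENY", "DeviceTypeLinux": "DENY"}},
]
WORKSPACES = [
    {"WorkspaceId": "ws-aaaa1111", "DirectoryId": "d-9067aaaa11",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True},
    {"WorkspaceId": "ws-bbbb2222", "DirectoryId": "d-9067bbbb22",
     "RootVolumeEncryptionEnabled": False, "UserVolumeEncryptionEnabled": True},
]

if __name__ == "__main__":
    for resource, code, detail in audit_fleet(DIRECTORIES, WORKSPACES):
        print(f"{resource}\t{code}\t{detail}")
```

Against live data, feed the script the `Directories` and `Workspaces` arrays from the two describe calls (paginate with NextToken for large fleets). The hardened directory produces no findings; the default one produces four, plus one for its unencrypted WorkSpace.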
# Create a WorkSpace with KMS-encrypted volumes
aws workspaces create-workspaces --workspaces '[{
  "DirectoryId": "d-9067abc123",
  "UserName": "jsmith",
  "BundleId": "wsb-bh8rsxt14",
  "UserVolumeEncryptionEnabled": true,
  "RootVolumeEncryptionEnabled": true,
  "VolumeEncryptionKey": "arn:aws:kms:us-east-1:123456789:key/mrk-abc123",
  "WorkspaceProperties": {"RunningMode": "AUTO_STOP", "RunningModeAutoStopTimeoutInMinutes": 60}
}]'
# Check FailedRequests in the response: a rejected request (bad bundle, KMS key
# not usable by the service, user not in the directory) is reported there and
# does not make the CLI exit non-zero.
Monitoring, Maintenance, and Fleet Management
WorkSpaces integrates with CloudWatch for metrics and with Systems Manager for patching and software management on Windows WorkSpaces.
| Capability | Tool | Notes |
|---|---|---|
| Connection metrics | CloudWatch | SessionLaunchTime, InSessionLatency, SessionDisconnect |
| OS patching | WorkSpaces Maintenance Window | Weekly 4-hour window for AlwaysOn WorkSpaces; maintenance mode is enabled or disabled per directory |
| Custom AMI | Custom Bundles | Snapshot a configured WorkSpace, create bundle from it |
| Bulk operations | AWS CLI / SDK | Rebuild, reboot, migrate, modify properties at scale |
| Access reports | CloudTrail + CloudWatch Logs | API calls and connection events |
For AlwaysOn WorkSpaces the maintenance window runs every Sunday 00:00-04:00 in the WorkSpace's time zone by default; AutoStop WorkSpaces are instead started automatically about once a month for maintenance. The window only guarantees the WorkSpace is running and not in use: the updates themselves are installed by the OS's own mechanism (Windows Update, which you control through Group Policy, or the Linux package manager), not pushed by AWS. Opting out of maintenance mode on a directory means you are responsible for patching via SSM or other tools.
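The CloudWatch metrics in the table are per WorkSpace (dimension WorkspaceId) and are the raw material for detecting a bad remote-user experience. The script below is an added example for this page, not AWS code: it takes datapoints in the MetricDataResults shape returned by `aws cloudwatch get-metric-data`, with each query's Label set to "<WorkspaceId> <MetricName>" (a labelling convention assumed here), and flags desktops whose connection-failure ratio or 95th-percentile in-session latency exceeds a threshold. The hourly values, the 20% and 150 ms thresholds and the WorkSpace IDs are all constructed; tune the thresholds against your own baseline.

```python
"""Spot WorkSpaces with a poor remote-user experience from CloudWatch metrics.

Added example for this page, not AWS code. METRIC_DATA_RESULTS mimics the
MetricDataResults list returned by `aws cloudwatch get-metric-data`, with each
query's Label set to "<WorkspaceId> <MetricName>" (a convention assumed here);
the numbers are constructed hourly datapoints over a four-hour window.
"""
from collections import defaultdict
import math

# Assumed thresholds; tune against your own baseline.
MAX_FAILURE_RATIO = 0.20    # ConnectionFailure / ConnectionAttempt over the window
MAX_P95_LATENCY_MS = 150    # InSessionLatency (ms), 95th percentile

METRIC_DATA_RESULTS = [
    {"Id": "q1", "Label": "ws-aaaa1111 ConnectionAttempt", "Values": [5, 4, 6, 5]},
    {"Id": "q2", "Label": "ws-aaaa1111 ConnectionFailure", "Values": [0, 1, 0, 0]},
    {"Id": "q3", "Label": "ws-aaaa1111 InSessionLatency", "Values": [40, 45, 50, 42]},
    {"Id": "q4", "Label": "ws-bbbb2222 ConnectionAttempt", "Values": [3, 3, 2, 4]},
    {"Id": "q5", "Label": "ws-bbbb2222 ConnectionFailure", "Values": [1, 2, 1, 1]},
    {"Id": "q6", "Label": "ws-bbbb2222 InSessionLatency", "Values": [60, 70, 65, 80]},
    {"Id": "q7", "Label": "ws-cccc3333 ConnectionAttempt", "Values": [2, 2, 2, 2]},
    {"Id": "q8", "Label": "ws-cccc3333 ConnectionFailure", "Values": [0, 0, 0, 0]},
    {"Id": "q9", "Label": "ws-cccc3333 InSessionLatency", "Values": [120, 300, 180, 250]},
]


def percentile(values, p):
    """Nearest-rank percentile; adequate for the small windows CloudWatch returns."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def group_by_workspace(results):
    """Map WorkspaceId -> {MetricName: [values]} using the Label convention."""
    per_ws = defaultdict(dict)
    for r in results:
        ws_id, metric = r["Label"].split(" ", 1)
        per_ws[ws_id][metric] = r["Values"]
    return per_ws


def find_unhealthy(results, max_failure_ratio=MAX_FAILURE_RATIO, max_p95_ms=MAX_P95_LATENCY_MS):
    """Return {WorkspaceId: [problem descriptions]} for desktops over a threshold."""
    findings = {}
    for ws_id, metrics in group_by_workspace(results).items():
        problems = []
        attempts = sum(metrics.get("ConnectionAttempt", []))
        failures = sum(metrics.get("ConnectionFailure", []))
        if attempts and failures / attempts > max_failure_ratio:
            problems.append(f"connection failure ratio {failures / attempts:.0%}")
        latency = metrics.get("InSessionLatency", [])
        if latency:
            p95 = percentile(latency, 95)
            if p95 > max_p95_ms:
                problems.append(f"p95 in-session latency {p95} ms")
        if problems:
            findings[ws_id] = problems
    return findings


if __name__ == "__main__":
    for ws_id, problems in find_unhealthy(METRIC_DATA_RESULTS).items():
        print(ws_id, "; ".join(problems))
```

A high failure ratio on one WorkSpace usually points at the client side (IP access group, trusted-device certificate, local network); the same pattern across a whole directory points at the directory or its AD Connector path. Latency findings are the ones to correlate with the user's geography and the region the WorkSpace is in.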
Interview Focus Points
1. What is the difference between PCoIP and WSP in WorkSpaces, and when would you choose WSP?
2. Calculate the cost break-even point between monthly and hourly billing for a WorkSpace used 3 days per week.
3. A company wants to use WorkSpaces but keep Active Directory on-premises. What directory option would you use and what are the failure modes?
4. How do you enforce that only company-managed devices can connect to WorkSpaces?
5. A user needs to access a GPU-accelerated application via WorkSpaces. Which bundle would you recommend and why?
6. WorkSpaces volumes are not encrypted at creation. What is the remediation path?
7. How does AutoStop affect the user experience compared to AlwaysOn, and how would you minimize the impact?
8. What monitoring would you set up to detect poor WorkSpaces performance for remote users?
9. How would you deploy and manage software across a fleet of 500 WorkSpaces without imaging each one?