AWS WorkSpaces Trusted Devices

Description

By default, users can access WorkSpaces from any supported device that is connected to the internet. Access can be restricted to trusted devices (also known as managed devices) that present a valid certificate.

When this feature is enabled, Amazon WorkSpaces uses certificate-based authentication to determine whether a device is trusted. If the WorkSpaces client application can't verify that a device is trusted, it blocks attempts to log in or reconnect from the device.

Config (PKI)

1. Clone the easy-rsa project

Use the following commands to clone easy-rsa and change into the directory that holds the easyrsa script (the remaining commands are run from there)

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3

2. Initialise the PKI and create the CA

Use the following commands to initialise the PKI and build the root CA whose certificate is imported into WorkSpaces later. You will be prompted for a CA passphrase and a common name

./easyrsa init-pki
./easyrsa build-ca

3. Create the client cert/key

Use the following command to create the user's key and certificate (nopass leaves the private key unencrypted; it is protected by the PKCS#12 password in the next step)

./easyrsa build-client-full client1.workspaces.radkowski.cloud nopass

4. Export the cert/key

Use the following command to export the cert/key into PKCS#12 (.p12) format. Enter a password to protect the file

./easyrsa export-p12 client1.workspaces.radkowski.cloud
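Before importing the CA into the directory it is worth confirming that the client certificate really chains to that CA and is marked for TLS client authentication, because that is exactly what the trusted-device check relies on. The script below is an added example, not part of the original walkthrough or of easy-rsa: check_client_cert runs openssl verify against easy-rsa's default output layout (pki/ca.crt, pki/issued/NAME.crt), and make_sample_pki is a constructed stand-in for steps 2 and 3 built with plain openssl so the demo runs without cloning easy-rsa; the hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original walkthrough): check that a client
# certificate chains to the CA that will be imported into the WorkSpaces
# directory and is valid for TLS client authentication. Assumes easy-rsa's
# default layout: pki/ca.crt and pki/issued/NAME.crt.
set -eu

# check_client_cert CA_FILE CERT_FILE
# Exit 0 when CERT_FILE chains to CA_FILE, is inside its validity period and
# is usable for clientAuth; non-zero otherwise (what a blocked device presents).
check_client_cert() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# make_sample_pki PKI_DIR NAME
# Constructed stand-in for steps 2-3, built with plain openssl so that this
# script runs without cloning easy-rsa: a self-signed CA plus one client cert.
make_sample_pki() {
  mkdir -p "$1/issued" "$1/private"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$(basename "$1") CA" \
    -keyout "$1/private/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/private/$2.key" -out "$1/$2.csr" 2>/dev/null
  # easy-rsa's client certificate type sets extendedKeyUsage=clientAuth.
  printf 'extendedKeyUsage=clientAuth\n' >"$1/client.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/private/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/client.ext" \
    -out "$1/issued/$2.crt" 2>/dev/null
}

# Demo with two independent PKIs: only the certificate issued by the CA that
# gets imported passes; the one from the other CA is what an unauthorised
# device (steps 15-16) looks like to the directory.
WORK=$(mktemp -d)
make_sample_pki "$WORK/pki" client1.example.test
make_sample_pki "$WORK/other-pki" rogue.example.test
if check_client_cert "$WORK/pki/ca.crt" "$WORK/pki/issued/client1.example.test.crt"; then
  echo "client1: issued by the imported CA, device would be trusted"
fi
if ! check_client_cert "$WORK/pki/ca.crt" "$WORK/other-pki/issued/rogue.example.test.crt"; then
  echo "rogue: not issued by the imported CA, device would be blocked"
fi
```

To check a real easy-rsa client before import, run check_client_cert with pki/ca.crt and pki/issued/client1.workspaces.radkowski.cloud.crt.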

Config (Workspaces)

5. Update the WorkSpaces directory settings

Log into the AWS Console and go to WorkSpaces. Select the directory and click Update Directory

6. Import the CA cert

Select Access Control Options and import the root CA certificate created in step #2

7. Restrict access to WorkSpaces

  • Confirm that the CA cert has been imported successfully.
  • Restrict access to WorkSpaces to clients that present a valid certificate

Config (Client)

8. Import certs (#1)

Download both the CA and the client certificate to your client workstation

9. Import certs (#2)

  • Import the CA into your keychain
  • Mark the CA cert as trusted

10. Import certs (#3)

Import the client certificate (the .p12 file from step #4) into your keychain

11. Import certs (#4)

Confirm that the client certificate has been imported successfully and that its status is VALID

Test Area

12. Connect to WorkSpaces (#1)

Connect to WorkSpaces using the WorkSpaces client. If your keychain is password protected, enter the password when prompted

13. Connect to WorkSpaces (#2)

Provide valid AD credentials

14. Connect to WorkSpaces (#3)

Wait for your session to be started or resumed. You should get access to WorkSpaces within 1 min

15. Unauthorised connection (#1)

To confirm that only devices with a proper certificate can connect to WorkSpaces, remove the client cert imported earlier (step #10)

16. Unauthorised connection (#2)

The connection will be refused because your device is no longer authorised

me@radkowski.pro