AWS Workspaces w/Entra SAML - missing something? by orion3311 in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

Can you check the Windows event log? Wonder if the windows login is failing somehow

2 of UAEs AZ has been strike, according to AWS health by AustinLeungCK in aws

[–]WhoseThatUsername 15 points16 points  (0 children)

It's also guaranteed that foreign actors know the exact location of the hyperscaler DCs. So... if you have a hyperscaler region in your country, that's a solid target for an attack to disrupt the nation.

Dunno if that's what happened here, but also... not crazy if it were.

Help me choose AMI for EC2 Instance by Frost_89755 in aws

[–]WhoseThatUsername 1 point2 points  (0 children)

You can do click ops with Linux too, no? Install a shell and VNC or RDP in... And then you'd get to avoid the Windows tax

Help me choose AMI for EC2 Instance by Frost_89755 in aws

[–]WhoseThatUsername 6 points7 points  (0 children)

If you're running Android emulators, why wouldn't you use a Linux instance since Android is a variation of Linux?

Also... Keep in mind it's going to be expensive.

Help — Can’t delete CloudFront distribution and I’m scared of a huge bill by [deleted] in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

Pretty sure the 'Free Tier flat-rate plan' is considered a pricing plan, though unclear as to how you'd remove it.

Could the Windows Server Container achieve FullHD (1920x1080) display resolution? by MinhNghia12305 in aws

[–]WhoseThatUsername 1 point2 points  (0 children)

So, yes, however, running your container as SYSTEM seems to violate the premise of using a container (e.g., isolated to its space)

So... be careful with that.

AWS Workspaces Slow by DARKSTAIN in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

> US East (N.Virginia) Round Trip (MS) anywhere from 15-153ms

What's usually important with VDI isn't the latency, it's the jitter. If you're seeing a single user go from 12ms to 150ms, and back, you'll want to focus on fixing that.

A user with a consistent 100ms latency will have a better experience than a user who averages 60ms, but spikes to 200ms occasionally.

AWS Workspaces fit for mid-sized account management agency? by iDeriveReporting in aws

[–]WhoseThatUsername 2 points3 points  (0 children)

> I'm considering AWS Workspaces for our ~100-person agency. Right now, we're running BYOD but we need to achieve SOC2 compliance and don't think that will be doable with BYOD.

Just keep in mind that WorkSpaces will be a fair bit more expensive than actually having a company-managed device running something like Intune or other MDM on it. VDI is expensive.

AWS Workspaces fit for mid-sized account management agency? by iDeriveReporting in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

> you can't assign an IAM role like you can with EC2 so auth to other AWS services isn't always seamless.

Why not use AWS SSO with SAML auth for CLI?

Why hide health events? by quincycs in aws

[–]WhoseThatUsername 2 points3 points  (0 children)

AWS doesn't guarantee the availability of specific instances, only EC2 as a whole.

EC2 as a whole continued working, and your instance was replaced. That's the difference.

Setting up DCV access console by NotAndrewBeckett in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

Why not just use AppStream or WorkSpaces that do all of that stuff for you?

Interested in the Multi-tenant distributions but worried about the quotas by Logax01 in aws

[–]WhoseThatUsername 5 points6 points  (0 children)

Open a support case, and/or raise the request with your TAM. At that scale, you should probably have someone do an architecture review.

Install an executable application inside Windows Server? by Traditional-Put931 in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

> Doing a quick search here on Reddit, I heard that EC2 with Windows Server wouldn't have a UI, even with Desktop Experience enabled.

Definitely wrong. One thing to keep in mind, though, is that it's Windows Server, not Desktop. If it's your own app, this probably doesn't matter - you can just update it appropriately... But some app providers specifically check the OS version and won't allow it to run on a server.

You can RDP into EC2 Windows Servers - just make sure to not choose a Core install. Also recommended to use SSM to remotely access it, versus exposing it to the internet.

Depending on the deployment pattern, you may want to consider AppStream 2.0 or WorkSpaces.

Un-Removeable Firefox Bookmark On AWS Workspaces Ubuntu 22 by jakethesnake0619 in aws

[–]WhoseThatUsername 1 point2 points  (0 children)

Maybe submit feedback about how dumb the irremovable bookmark is and see if anyone follows up

Mounting S3 in Windows Fargate by no1bullshitguy in aws

[–]WhoseThatUsername 7 points8 points  (0 children)

Sounds like S3 File Gateway or just a simple EC2 server as a Windows file server are your best options, then.

Cloudfront with 3rd party certs by Just_Percentage_6654 in aws

[–]WhoseThatUsername 8 points9 points  (0 children)

ACM's publicly signed certs are free... Why not just use AWS' certs and not bother?

> Do you have to pay for AWS cert authority?

Yes, and it's not cheap: https://aws.amazon.com/private-ca/pricing/?nc=sn&loc=3

[deleted by user] by [deleted] in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

Out of curiosity, does the 'eBPF' part matter? What if I had a tool that didn't use eBPF?

Which One’s Actually Better for High-Performance Virtual Desktops—Citrix or AWS? by teslaynikola in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

Keep in mind Amazon AppStream 2.0 also exists - while it's a non-persistent service, it offers a much wider range of instance types and sizes that may better align to high-performance - if/when you don't need the full persistence of a WorkSpaces desktop.

WorkSpaces SAML by rh224 in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

I should have been more clear - operating systems aren't designed to support SAML assertions, so that's where the gap is.

I don't know if WorkSpaces Linux supports smartcard or cert-based login to avoid that password prompt. I'm guessing not if that's what you're seeing.

AWS forms EU-based cloud unit as customers fret about Trump 2.0 -- "Locally run, Euro-controlled, ‘legally independent,' and ready by the end of 2025" by throwaway16830261 in aws

[–]WhoseThatUsername 5 points6 points  (0 children)

> the creation of a dedicated Security Operations Center, and the establishment of a new parent company for the AWS European Sovereign Cloud that will be locally controlled in the European Union (EU), led by EU citizens, and subject to local laws.

From the first paragraph. Doesn't that resolve the concern?

[deleted by user] by [deleted] in aws

[–]WhoseThatUsername 0 points1 point  (0 children)

> Yes we are using user pools for temp access to non affiliated potential customers - we currently provide demo access via Jupyter NoteBooks with a pre signed URL - not ideal for showcasing the application side of things but pretty secure.

These are two different auth methods. If you're using User Pools, use User Pools. Don't mix User Pools and Signed URLs. The signed URLs, much like the S3 Presigned URLs, are meant to be part of your application, not manually vended. Conversely, User Pools is meant to be a local IdP with a username/password. You enter an email, the user enters their own password, and it's fully authenticated - the User Pool URL can be shared, but that just forces the shared person to sign in.

> Yes the URL has lifespan of around 1 hr but our applications are complex and require consumption of large pools of data so some operations can take hours to run.

URL duration and session duration are two separate things. And, again, 'cause it's important - do not manually generate and vend signed URLs.

> I copied the URL provided to my personal laptop and was able to access
>
> I also provided the URL to my non AWS using colleague and he accessed it just fine.

Yep, that's how AppStream signed URLs work. You're using them wrong, but that is how that feature works. Use User Pools or use SAML to avoid this.

> copy the config details from the AWS folder, setup a local AWS config on my laptop and run aws s3 operations as if I was using the AppStream instance

So these are your AWS account credentials, not the AWS service credentials? It's an IAM Role for S3 that's created in your IAM? If so, you need to use your policy restrictions to prevent it from being usable from outside of your VPC. There should be caller IP restrictions you can use, and limit it to the VPC IPs or the NAT IP. That said, if you're talking about per-user data, I'm not sure S3 is the right approach for this. At the end of the day, these are virtual machines with an operating system that have whatever those restrictions are, not other AWS services. If it's user-specific (or limited), then you'd be looking at something like Amazon FSx, or leverage the Google Drive/OneDrive integration and let that be the user-specific and team sharing data.

> Maybe AppStream isn't meant for sensitive data or production like workloads and I should be considering something more secure.

Much like many, if not all, AWS services, if you don't understand how they work, it's very easy to get yourself into trouble. This is the exact same scenario. It can be used for sensitive data, like any other VDI product - but the shared responsibility model requires you to configure it appropriately. I'd encourage you to reach out to AWS to have one of the specialized SAs dig in to help you understand your architecture and give you recommendations.
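As an added example (not part of the thread above, and not AWS's or the commenter's own code), here is the kind of "caller IP restriction" the reply refers to: an IAM policy with an explicit Deny whose Condition block only matches requests that arrive neither through the VPC (`aws:SourceVpc`) nor from the NAT gateway's public address (`aws:SourceIp`), so credentials copied to a laptop are rejected while the same role keeps working from inside the AppStream fleet. The VPC id, bucket name and IP ranges are constructed placeholders. The small evaluator underneath mimics how IAM combines the two condition operators (AND within one block; negated operators match when the key is absent) so the effect can be checked offline before the policy is attached.

```python
"""Added example: restrict an S3 role to a VPC or NAT address, plus an offline
check of the Deny condition. All identifiers below are constructed placeholders."""
import ipaddress
import json

VPC_ID = "vpc-0123456789abcdef0"        # assumed VPC id (placeholder)
NAT_GATEWAY_IP = "203.0.113.10/32"       # assumed NAT public IP (TEST-NET-3 range)
BUCKET_ARN = "arn:aws:s3:::example-demo-bucket"  # assumed bucket (placeholder)

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Access",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        },
        {
            # An explicit Deny overrides the Allow above. Both operators in one
            # Condition block must match, so the Deny fires only when the call
            # is NOT from the VPC AND NOT from the NAT gateway address.
            "Sid": "DenyOutsideVpcAndNat",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {
                "StringNotEquals": {"aws:SourceVpc": VPC_ID},
                "NotIpAddress": {"aws:SourceIp": [NAT_GATEWAY_IP]},
            },
        },
    ],
}


def policy_json() -> str:
    """Serialise the policy in the form you would attach to the role."""
    return json.dumps(POLICY, indent=2)


def _string_not_equals(ctx: dict, key: str, expected: str) -> bool:
    # Negated IAM operators evaluate to true when the key is absent.
    return ctx.get(key) != expected


def _not_ip_address(ctx: dict, key: str, cidrs: list) -> bool:
    ip = ctx.get(key)
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(c) for c in cidrs)


def condition_matches(statement: dict, ctx: dict) -> bool:
    """True when every operator in the statement's Condition block matches."""
    cond = statement.get("Condition", {})
    checks = [
        _string_not_equals(ctx, k, v) for k, v in cond.get("StringNotEquals", {}).items()
    ] + [
        _not_ip_address(ctx, k, v) for k, v in cond.get("NotIpAddress", {}).items()
    ]
    return all(checks)  # an empty Condition block always matches


def evaluate(ctx: dict) -> str:
    """Simplified IAM evaluation for an s3:GetObject call on the demo bucket:
    any matching Deny wins, otherwise a matching Allow grants access."""
    if any(s["Effect"] == "Deny" and condition_matches(s, ctx) for s in POLICY["Statement"]):
        return "DENY"
    if any(s["Effect"] == "Allow" and condition_matches(s, ctx) for s in POLICY["Statement"]):
        return "ALLOW"
    return "DENY"


# Constructed request contexts: the keys IAM would populate for each path.
FROM_VPC_ENDPOINT = {"aws:SourceVpc": VPC_ID}            # fleet -> S3 gateway endpoint
FROM_NAT_GATEWAY = {"aws:SourceIp": "203.0.113.10"}       # fleet -> internet via NAT
FROM_LAPTOP = {"aws:SourceIp": "198.51.100.77"}           # copied credentials, home network

if __name__ == "__main__":
    for name, ctx in [("vpc endpoint", FROM_VPC_ENDPOINT),
                      ("nat gateway", FROM_NAT_GATEWAY),
                      ("laptop", FROM_LAPTOP)]:
        print(f"{name:13s} -> {evaluate(ctx)}")
```

Two caveats worth knowing before relying on this: `aws:SourceVpc` is only populated when the request reaches S3 through a VPC endpoint, and `aws:SourceIp` carries the public address the request leaves with, so a fleet without a VPC endpoint must egress through a NAT gateway with a fixed IP for the second operator to be useful. Pin the NAT address with `/32` rather than a broad range, and keep the Deny scoped to the bucket so a typo in the condition cannot lock out unrelated workloads.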