DEV Community

Unlocking Secure Web Access with Amazon WorkSpaces Secure Browser

Amazon Workspaces Secure Browser

Amazon Workspaces Secure Browser offers a secure environment for users to access private websites, SaaS applications, and the public internet. It operates within the user’s local browser, streaming encrypted pixels from a remote session hosted in the highly secure AWS cloud. Starting at just $7 per month, it eliminates the need for managing specialized client software, infrastructure, and VPN connections.

This service is particularly beneficial for organizations implementing Bring-Your-Own-Device (BYOD) policies, as it ensures sensitive web content never directly touches the end user’s device while providing cost-effective, secure access. Additionally, it’s ideal for scenarios like customer support, analytics environments, and safe browsing for high-security networks

End User Experience

The login page for Amazon WorkSpaces Secure Browser is seamlessly integrated with the user’s identity provider (idP). When users click ‘Sign In,’ they are redirected to their respective idP provider’s page (e.g., Entra login page). After successful authentication, users are redirected back to the Secure Browser page, where the application is initiated.

Image description

Image description

As depicted in the screenshot below, we securely publish an intranet site using Amazon WorkSpaces Secure Browser. Within this environment, you can enforce controls such as disabling clipboard functionality and file transfers. By default, internet access is restricted for Secure Browser instances.

Image description

Configuring WorkSpaces Secure Browser

In the AWS Console, navigate to WorkSpaces secure browser. In the Secure Browser home page, click on “create portal” to initiate the creation of new Workspaces Secure Browser.

Image description

In the “Specify networking connection” page, select your VPC, private subnets and security group where the micro instances will get spin up to handle the workspaces browser and Click next.

Image description

In the “Configure portal settings” page, select the Display name of the portal, instance type and the maximum concurrent users/instance.

Image description

The user access logging is captured into a kinesis data stream. Make sure you create the Kinesis data stream with the naming convention “amazon-workspaces-web-*” and also the server authentication is disabled.
The below screenshot shows the Kinesis data stream created for storing the user access logging details.

Image description

You can also enable IP access control to ensure that the users from a particular network is only allowed to access the browser.

Image description

The policy settings allow you to configure your browser startup page, URL filtering to allow and deny specific URLs and also to configure pre-build browser bookmarks.

Image description

Image description

The “select user settings" page allows the administrator to configure clipboard permissions, file transfer permissions and also session timeout settings.

Image description

The “configure identity provider” settings allow administrators to integrate the secure browser via idp providers like Entra, OKTA etc.
In this blog post, I used Microsoft Entra for authentication purposes.

Select the radio button next to the “Standard (external IdP) and click on “Continue with standard IdP.

Image description

Download the SP metadata file which we will be importing to our enterprise application in Entra.
Image description

To configure the enterprise application, login to Azure portal and navigate to Entra ID.
Under Enterprise applications, select “+ new application”.

Image description

In the Browse Microsoft Entra Gallery page, select "+ Create your own application”.

Image description

In the “Create your own application” page, select the name of the application and select the radio button next to “Integrate any other application you don’t find in the gallery” and Click Finish.

Image description

Go to the newly created enterprise application and click on Single sign on.

Image description

In the single sign on method, select SAML option.

Image description

In the SAML based sign-on page, click on “upload metadata file, and select the SP metadata file we downloaded from the aws console.

Image description

Image description

After successfully uploading the metadata file, the App federation metadata URL will get generated. Go back to the Workspaces IdP configuration page and click on the radio button next to “Enter metadata endpoint URL” and provide the URL copied from Entra App page.

Image description

In the “Review and launch” page, verify the configuration and click on finish to launch the secure browser.

Image description

The portal page looks like below and the status will become Active.

Image description

Monitoring the Secure Browser.

CloudWatch metrics can be utilized to monitor Amazon Workspaces Secure Browser. These metrics are defined under ‘WorkSpacesWeb’ and include five default portal metrics.

  1. Session Attempt

  2. Session success

  3. Session failure

  4. Global memory percentage

  5. global Cpu percentage
    Image description

Image description

The kinesis data streams metrics can be also monitored using Cloudwatch.

Image description

Auditing the WorkSpaces Secure Browser Admin activities

CloudTrail can be used to monitor the admin activities related to the Secure browser

Image description

The End User access logging can be monitored via Kinesis data stream logs.

The WorkSpaces secure browser is a good option for remote workers who only leverages Web/SaaS Applications as part of the day to day activities.

Hope this blog helps you to understand how secure browser can be configured in a real scenario.

Top comments (1)

Collapse
 
jasondunn profile image
Jason Dunn [AWS]

Very detailed article, nicely done!