AWS wellarchitected documentation change
Summary
Updated service references from AppStream 2.0 to WorkSpaces Applications in security best practices documentation
Security assessment
The changes primarily update service name references without altering security recommendations. The content continues to document existing security best practices (IAM roles, application restrictions, S3 security) but applies them to WorkSpaces Applications instead of AppStream 2.0. No new vulnerabilities or security improvements are introduced.
Diff
diff --git a/wellarchitected/latest/end-user-computing-lens/eucsec04-bp01.md b/wellarchitected/latest/end-user-computing-lens/eucsec04-bp01.md index 5c59f2e06..d53d176e1 100644 --- a//wellarchitected/latest/end-user-computing-lens/eucsec04-bp01.md +++ b//wellarchitected/latest/end-user-computing-lens/eucsec04-bp01.md @@ -17 +17 @@ Many organizations have security requirements that mandate the segregation of sy - * **Use[IAM roles with AppStream 2.0](https://docs.aws.amazon.com/appstream2/latest/developerguide/using-iam-roles-to-grant-permissions-to-applications-scripts-streaming-instances.html#how-to-use-iam-role-with-streaming-instances) to enable access to AWS services**: To access AWS services from an AppStream 2.0 instance, use an IAM role and verify that the IAM policy attached to it is scoped to the specific services required. This approach avoids the need for users in AppStream 2.0 sessions to have access with additional credentials. If groups of users require differing levels of access to other AWS services, consider creating an additional role for each set of permissions. To help determine the least privilege policies based on the needed access, analyze user access with AWS IAM Access Analyzer. For further detail, see [Use IAM Access Analyzer policy generation to grant fine-grained permissions for your AWS CloudFormation service roles](https://aws.amazon.com/blogs/security/use-iam-access-analyzer-policy-generation-to-grant-fine-grained-permissions-for-your-aws-cloudformation-service-roles/). + * **Use[IAM roles with WorkSpaces Applications](https://docs.aws.amazon.com/appstream2/latest/developerguide/using-iam-roles-to-grant-permissions-to-applications-scripts-streaming-instances.html#how-to-use-iam-role-with-streaming-instances) to enable access to AWS services**: To access AWS services from an WorkSpaces Applications instance, use an IAM role and verify that the IAM policy attached to it is scoped to the specific services required. This approach avoids the need for users in WorkSpaces Applications sessions to have access with additional credentials. If groups of users require differing levels of access to other AWS services, consider creating an additional role for each set of permissions. To help determine the least privilege policies based on the needed access, analyze user access with AWS IAM Access Analyzer. For further detail, see [Use IAM Access Analyzer policy generation to grant fine-grained permissions for your AWS CloudFormation service roles](https://aws.amazon.com/blogs/security/use-iam-access-analyzer-policy-generation-to-grant-fine-grained-permissions-for-your-aws-cloudformation-service-roles/). @@ -19 +19 @@ Many organizations have security requirements that mandate the segregation of sy - * **Restrict access to only authorized applications** : By default, AppStream 2.0 allows users or applications to start programs on the instance, beyond what is specified in the image application catalog. This is useful when your application relies on another application as part of a workflow, but it may be undesirable for the user to be able to start that dependent application directly. For example, an application starts the browser to provide help instructions from an application vendor's website, but the ability for the user to start the browser directly must be blocked. + * **Restrict access to only authorized applications** : By default, WorkSpaces Applications allows users or applications to start programs on the instance, beyond what is specified in the image application catalog. This is useful when your application relies on another application as part of a workflow, but it may be undesirable for the user to be able to start that dependent application directly. For example, an application starts the browser to provide help instructions from an application vendor's website, but the ability for the user to start the browser directly must be blocked. @@ -21 +21 @@ Many organizations have security requirements that mandate the segregation of sy -In some situations, it can be desirable to control which applications can be launched on streaming instances. Microsoft AppLocker is application control software that uses explicit control policies to enable, or disable, the applications a user can run. An alternative to Microsoft AppLocker is FSLogix Application Masking which is available with Windows desktop and server operating systems. The [use of application entitlements with AppStream 2.0](https://docs.aws.amazon.com/appstream2/latest/developerguide/manage-application-entitlements.html) can restrict the ability of users to launch only authorized applications, but this control by itself does not prevent the launch of other applications on AppStream 2.0 instances. To achieve this, we recommend the two preceding approaches AppLocker or FSLogix. +In some situations, it can be desirable to control which applications can be launched on streaming instances. Microsoft AppLocker is application control software that uses explicit control policies to enable, or disable, the applications a user can run. An alternative to Microsoft AppLocker is FSLogix Application Masking which is available with Windows desktop and server operating systems. The [use of application entitlements with WorkSpaces Applications](https://docs.aws.amazon.com/appstream2/latest/developerguide/manage-application-entitlements.html) can restrict the ability of users to launch only authorized applications, but this control by itself does not prevent the launch of other applications on WorkSpaces Applications instances. To achieve this, we recommend the two preceding approaches AppLocker or FSLogix. @@ -23 +23 @@ In some situations, it can be desirable to control which applications can be lau - * **Secure access to the S3 buckets used by Amazon AppStream 2.0:** Review, maintain, and update S3 bucket policies as appropriate. These reviews should verify that restricted access is in place to protect S3 buckets that are created and used to persist user data for both home folders and application settings persistence when enabled. This blocks non-AppStream 2.0 administrators from accessing the data. Use S3 bucket policies and IAM policies together. For more information, see [IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)](https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/). + * **Secure access to the S3 buckets used by Amazon WorkSpaces Applications:** Review, maintain, and update S3 bucket policies as appropriate. These reviews should verify that restricted access is in place to protect S3 buckets that are created and used to persist user data for both home folders and application settings persistence when enabled. This blocks non-WorkSpaces Applications administrators from accessing the data. Use S3 bucket policies and IAM policies together. For more information, see [IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)](https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/).