AWS Workspaces

Workspaces IP Access Control Disabled

Risk Level: Medium

Description:

This plugin ensures IP Access Control is enforced on WorkSpaces. WorkSpaces must be protected by attaching IP Access Control groups to them. Without proper groups attached, a workspace can be publicly accessible, which makes it vulnerable.

About the Service:

Amazon WorkSpaces allows you to provide your users with virtual, cloud-based Microsoft Windows or Amazon Linux desktops, known as WorkSpaces. WorkSpaces does not need hardware or complicated software to be procured and deployed. When your needs change, you can rapidly add or delete users. Users can use different devices and web browsers to access their virtual desktops.

Impact:

If IP Access Control is not enforced, the workspace is accessible to the public, which weakens the security of the organization.

Steps to reproduce:

  1. Log In to AWS Console.
  2. Navigate to the WorkSpaces dashboard. You can use this link to go directly to the dashboard if already logged in (https://console.aws.amazon.com/workspaces/).
  3. Then navigate to “Directories” under Workspaces in the left navigation panel.
  4. Select the directory you wish to examine and then click on Update Details from the Actions menu.
  5. The Update Directory Details tab appears. Expand the “IP Access Control Groups” section.
  6. Check the IP Groups enabled for the workspace. If no groups are attached, the vulnerability exists.
  7. Repeat the steps for other workspaces.
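The same check can be run across every directory in a region instead of clicking through each one. The script below is an added example, not part of the original plugin; it assumes boto3 and credentials allowed to call DescribeWorkspaceDirectories, and the sample directory IDs and names are constructed.

```python
"""Audit WorkSpaces directories for missing IP access control groups."""
import sys


def find_unprotected(directories):
    """Return directories from a DescribeWorkspaceDirectories result that
    have no IP access control group attached (missing or empty ipGroupIds)."""
    findings = []
    for d in directories:
        if not d.get("ipGroupIds"):
            findings.append({
                "DirectoryId": d.get("DirectoryId"),
                "DirectoryName": d.get("DirectoryName"),
                "State": d.get("State"),
            })
    return findings


def fetch_directories(region):
    """Page through every directory registered with WorkSpaces in a region."""
    import boto3  # imported lazily so the check above works without AWS access
    client = boto3.client("workspaces", region_name=region)
    directories = []
    for page in client.get_paginator("describe_workspace_directories").paginate():
        directories.extend(page.get("Directories", []))
    return directories


# Constructed sample shaped like the API response; IDs and names are made up.
SAMPLE_DIRECTORIES = [
    {"DirectoryId": "d-0000000001", "DirectoryName": "corp.example.com",
     "State": "REGISTERED", "ipGroupIds": ["wsipg-00000000a"]},
    {"DirectoryId": "d-0000000002", "DirectoryName": "lab.example.com",
     "State": "REGISTERED", "ipGroupIds": []},
    {"DirectoryId": "d-0000000003", "DirectoryName": "old.example.com",
     "State": "REGISTERED"},
]

if __name__ == "__main__":
    # With a region argument, query AWS; without one, run on the sample.
    dirs = fetch_directories(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIRECTORIES
    for f in find_unprotected(dirs):
        print(f"FAIL {f['DirectoryId']} ({f['DirectoryName']}): "
              "no IP access control group attached")
```

Run it with a region name as the only argument to query a live account; each FAIL line corresponds to a directory that step 6 would flag.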

Steps for remediation:

Enable proper IP Access Controls for all workspaces.

  1. Log In to AWS Console.
  2. Navigate to the WorkSpaces dashboard. You can use this link to go directly to the dashboard if already logged in (https://console.aws.amazon.com/workspaces/).
  3. Then navigate to “Directories” under Workspaces in the left navigation panel.
  4. Select the vulnerable directory and then click on Update Details from the Actions menu.
  5. The Update Directory Details tab appears. Expand the “IP Access Control Groups” section.
  6. Select the IP Groups you wish to attach to the workspace directory by clicking on the checkboxes next to them. Click on Update and Exit after making the changes.
  7. Repeat the steps for other vulnerable workspaces.