Use the Conformity Knowledge Base AI to help improve your Cloud Posture

WorkSpaces Desired Bundle Type

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: WS-004

Determine if your existing AWS WorkSpaces bundles have the desired type established by your organization based on the workload deployed. A bundle defines the hardware and software for AWS WorkSpaces. When you launch a WorkSpaces instance, you select a predefined or a custom bundle that meets your needs. AWS WorkSpaces make available a choice of service bundles providing different hardware and software options. You can choose from predefined Value, Standard, Performance, Power or Graphics bundles that offer different CPU, GPU, memory and storage resources (SSD volumes). Cloud Conformity provides you with the capability to define the desired bundle types based on your workload requirements upon enabling this conformity rule.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Setting limits for the type of AWS WorkSpaces bundles will help you address internal compliance requirements and prevent unexpected charges on your AWS monthly bill.

Note 1: You can also limit your Amazon WorkSpaces bundles to the desired type using AWS Organizations service by implementing your own Service Control Policy on the master account. A Service Control Policy (SCP) is a type of policy that you can use to manage your organization. SCPs enable you to restrict what resources, services and actions the users, groups, and roles in those AWS accounts can use.
Note 2: The desired WorkSpaces bundle type used as example in conformity this rule is Standard. To meet your own organizational requirements, you will need to configure this rule with your desired bundle types.


Audit

To determine if the existing WorkSpaces bundles provisioned within your AWS account have the required type, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to WorkSpaces dashboard at https://console.aws.amazon.com/workspaces/.

03 In the left navigation panel click WorkSpaces to access the instances listing page.

04 Check the bundle type value for each Amazon WorkSpaces instance available in the current AWS region, listed in Bundle column, e.g.

the bundle type value for each Amazon WorkSpaces

If the value listed in the Bundle column is not the same for all listed resources, the WorkSpaces instances available in the selected region were not launched using the desired bundle type, therefore you must take action and raise an AWS support case to limit WorkSpaces instances creation using only the desired/required bundle type (see Remediation/Resolution section).

05 Change the AWS region from the navigation bar and repeat step no. 4 for all other regions.

Using AWS CLI

01 Run describe-workspaces command (OSX/Linux/UNIX) using custom query filters to list the IDs of all AWS WorkSpaces instances available within the selected region:

aws workspaces describe-workspaces
	--region us-east-1
	--output table
	--query 'Workspaces[*].WorkspaceId'

02 The command output should return a table with the requested WorkSpaces IDs:

--------------------
|DescribeWorkspaces|
+------------------+
|   ws-bbbdddeee   |
|   ws-aaabbbccc   |
|   ws-ccceeefff   |
+------------------+

03 Run again describe-workspaces command (OSX/Linux/UNIX) using the name of the WorkSpaces instance as identifier and custom query filters get the ID of the bundle used by the selected instance:

aws workspaces describe-workspaces
	--region us-east-1
	--workspace-ids ws-bbbdddeee
	--query 'Workspaces[*].BundleId'

04 The command output should return the requested WorkSpaces bundle ID:

[
    "wsb-ccc333fff"
]

05 Run describe-workspace-bundles command (OSX/Linux/UNIX) using custom query filters to describe the type of the bundle utilized by the selected AWS WorkSpaces instance:

aws workspaces describe-workspace-bundles
	--region us-east-1
	--bundle-ids wsb-ccc333fff
	--query 'Bundles[*].ComputeType.Name'

06 The command output should return the selected WorkSpaces bundle type:

[
    "PERFORMANCE"
]

07 Repeat steps no. 3 – 6 to verify the bundle type used by the rest of the AWS WorkSpaces instances created in the current region.

08 If the value returned (i.e. bundle type) by the describe-workspace-bundles command output is not the same for all existing instances, the WorkSpaces instances available in the current region were not launched using the desired bundle type, therefore you must take action and raise an AWS support case to limit the provision of WorkSpaces instances using only the desired bundle type.

09 Repeat steps no. 1 – 8 to perform the entire audit process for all other AWS regions.

Remediation / Resolution

To limit the new AWS WorkSpaces instances to the desired bundle type, raise an AWS support case where you explain why you need this type of limitation. For any existing WorkSpaces instances launched without the desired bundle type, just backup (clone) the necessary instances and re-create them using the desired bundle type.
To create the required AWS support case, perform the following actions:

Note: Creating a support case to request the bundle type limitation using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 On the Create Case support page, perform the following:

  1. Under Regarding, select Account and Billing Support.
  2. Choose Other Account Issues from the Category dropdown list.
  3. In the Subject field, enter the request subject, e.g. "Limit AWS WorkSpaces instances launch to a desired bundle type".
  4. In the Description textbox, enter a brief description where you explain why you need to limit the provisioning of WorkSpaces instances to a specific bundle type so that AWS support can evaluate your case promptly.
  5. From Supported Language, choose your preferred correspondence language for the current case.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the limit request to Amazon Web Services.

References

Publication date Sep 28, 2017