
WorkSpaces Instances Counts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: WS-003

Ensure that the number of Amazon WorkSpaces instances provisioned in your AWS account has not reached the limit quota established by your organization for the WorkSpaces workload deployed. By default, Cloud Conformity sets a threshold value of 50 for the maximum number of provisioned instances, but you can adjust this threshold on your Cloud Conformity dashboard based on your needs. Once you define your own threshold for the maximum number of WorkSpaces instances that you need to run across all AWS regions, the Cloud Conformity engine continuously checks your account for WorkSpaces instances, and when the number of instances reaches the specified count (threshold) you are notified via the communication channels configured within your Cloud Conformity account. If the WorkSpaces limit quota defined for your AWS account is reached, you can create an AWS support case to request limiting the number of provisioned WorkSpaces instances.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Monitoring and configuring limits for the maximum number of WorkSpaces instances provisioned within your AWS account helps you better manage your WorkSpaces compute resources and prevent unexpected charges on your AWS bill. For example, users within your organization can create many more WorkSpaces instances than the number established in the company resource policy, exceeding the monthly budget allocated for cloud computing. Likewise, if your AWS account is compromised, an attacker can launch a fleet of WorkSpaces instances that quickly drives up your AWS WorkSpaces service costs.

Note: The threshold for the maximum number of WorkSpaces instances per AWS account set for this conformity rule is 50 (default value).


Audit

To determine the number of WorkSpaces instances currently available in your AWS account, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to WorkSpaces dashboard at https://console.aws.amazon.com/workspaces/.

03 In the left navigation panel click WorkSpaces to access the instances listing page.

04 Check the total number of AWS WorkSpaces instances available in the current AWS region, listed in the top-right section of the dashboard.

05 Change the AWS region from the navigation bar and repeat step no. 4 for all other regions. If the total number of WorkSpaces instances provisioned in your AWS account is greater than 50, the recommended threshold has been exceeded, and you must raise an AWS support case to limit the number of instances based on your requirements (see the Remediation / Resolution section).

Using AWS CLI

01 Run the describe-workspaces command (OSX/Linux/UNIX) using custom query filters to list the IDs of all AWS WorkSpaces instances available within the selected region:

aws workspaces describe-workspaces \
	--region us-east-1 \
	--output table \
	--query 'Workspaces[*].WorkspaceId'

02 The command output should return a table with the requested WorkSpaces IDs:

--------------------
|DescribeWorkspaces|
+------------------+
|   ws-aaabbbccc   |
|   ws-dddeeefff   |
|   ...            |
|   ws-bbbcccddd   |
|   ws-cccdddeee   |
+------------------+

03 Repeat steps no. 1 and 2 to run the describe-workspaces command for all other AWS regions. Each command output should return the IDs of all WorkSpaces instances available in the selected region, and each ID returned represents an individual instance. If the combined number of IDs returned is greater than 50, the recommended limit threshold has been exceeded, and you must raise an AWS support case to limit the number of WorkSpaces instances that can be provisioned in your account.
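The CLI audit above can be scripted so that the per-region counts are summed and compared against the threshold in one pass. This is an added example, not part of the original page or of Conformity's own tooling. The function names and the THRESHOLD variable are hypothetical, and the regions to check are passed as arguments.

```shell
#!/bin/sh
# Added example: total WorkSpaces across regions vs. the rule's threshold.
THRESHOLD="${THRESHOLD:-50}"   # default threshold stated on this page

# Print the number of WorkSpaces in one region.
count_workspaces_in_region() {
    local region="$1" ids
    # Text output returns the IDs whitespace-separated; the CLI follows
    # pagination on its own, so every page of results is included.
    ids=$(aws workspaces describe-workspaces \
            --region "$region" \
            --output text \
            --query 'Workspaces[*].WorkspaceId') || return 1
    # Count only tokens that look like WorkSpace IDs (ws-...).
    printf '%s\n' "$ids" | tr -s '\t ' '\n' | grep -c '^ws-' || true
}

# Sum the per-region counts and print the total. Returns 0 when the total
# is within the threshold, 1 when it is exceeded, 2 on a query failure.
audit_workspaces() {
    local total=0 region n
    for region in "$@"; do
        if ! n=$(count_workspaces_in_region "$region"); then
            echo "error: could not query $region" >&2
            return 2
        fi
        echo "$region: $n" >&2
        total=$((total + n))
    done
    echo "$total"
    [ "$total" -le "$THRESHOLD" ]
}

# Run only when regions are given, e.g.: ./ws-count.sh us-east-1 eu-west-1
if [ "$#" -gt 0 ]; then
    audit_workspaces "$@"
fi
```

A failed region query is reported as an error instead of being counted as zero, so a region the credentials cannot read does not hide instances from the total.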

Remediation / Resolution

To create an AWS support case in order to request limiting the number of provisioned WorkSpaces instances in your AWS account based on your requirements, perform the following:

Note: Requesting a limit for the number of WorkSpaces instances per region using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 In the left navigation panel, choose Create Case to create a new AWS support case.

04 On the Create Case page, perform the following:

  1. Under Regarding, select Service Limit Increase.
  2. Choose WorkSpaces from the Limit Type dropdown list.
  3. In the Request 1 section, perform the following actions:
    • From the Region dropdown list, select the AWS region where you need to limit the creation of WorkSpaces instances.
    • From Bundle Type list, select the type of the bundle used for your instances.
    • Select Workspace Limit from the Limit dropdown list.
    • In the New limit value box, enter the limit value to request for the number of provisioned WorkSpaces instances.
  4. In the Use Case Description textbox, enter a brief description where you explain the limit request so AWS support can evaluate your case promptly.
  5. From Supported Language, choose your preferred correspondence language for the current case.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the limit request to Amazon Web Services Support Center.


Publication date Sep 13, 2017