# WorkSpaces / Secure Browser session hardening checklist

Use for **WorkSpaces Applications** fleets (formerly AppStream 2.0; the `appstream`
API keeps the old name) and **WorkSpaces Secure Browser** portals (formerly
WorkSpaces Web; API `workspaces-web`) before opening access to contractors or
regulated data.

## Identity

- [ ] SAML 2.0 federation via IAM Identity Center or corporate IdP — no local users
- [ ] MFA enforced at IdP for all streaming users
- [ ] Group-based entitlements — one portal/fleet per role, not per person
- [ ] Session timeout aligned with policy (e.g. 8h max, 15m idle for contractors)

## Network

- [ ] Streaming resources in **private subnets** — no public IPs on fleet instances; leave Default Internet Access off and route outbound through NAT or VPC endpoints
- [ ] Security groups: egress allow-list only (HTTPS 443, required app ports); delete the allow-all outbound rule every new group starts with
- [ ] VPC interface endpoints for S3, KMS, CloudWatch Logs where fleets are private
- [ ] DNS resolves internal apps via Route 53 Resolver rules — not hardcoded hosts file
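Added check for the egress allow-list item, not part of the checklist or of any AWS tooling. It reads records shaped like the `IpPermissionsEgress` entries that boto3's `ec2.describe_security_groups()` returns and reports every rule wider than a policy of port-to-destination pairs. The policy (443 to anywhere, port 5432 to an assumed internal DB range) and the sample group are constructed.

```python
"""Egress allow-list audit for streaming-fleet security groups.

Added example (not from the checklist or from AWS). Rules follow the
IpPermissionsEgress shape of ec2.describe_security_groups(); the policy and
the sample group below are constructed.
"""
from ipaddress import ip_network

# Hypothetical policy: destination port -> networks that port may reach.
EGRESS_POLICY = {
    443: [ip_network("0.0.0.0/0"), ip_network("::/0")],  # HTTPS: IdP, AWS APIs, updates
    5432: [ip_network("10.20.0.0/16")],                  # assumed internal app DB tier
}


def _destinations(rule):
    """Collect the IPv4/IPv6 CIDRs a rule permits traffic to."""
    nets = [ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]
    nets += [ip_network(r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])]
    return nets


def _permitted(dest, allowed):
    """True if dest lies inside an allowed network of the same IP version."""
    return any(dest.version == net.version and dest.subnet_of(net) for net in allowed)


def audit_egress(sg, policy=EGRESS_POLICY):
    """Return human-readable findings for one security-group dict."""
    findings = []
    gid = sg.get("GroupId", "?")
    for rule in sg.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        dests = _destinations(rule)
        dest_text = ", ".join(map(str, dests)) or "unspecified"
        if proto == "-1":  # the default rule every new SG ships with
            findings.append(f"{gid}: allow-all egress to {dest_text}; delete the default rule")
            continue
        if proto not in ("tcp", "udp"):
            findings.append(f"{gid}: protocol {proto} egress is not in the allow-list")
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        label = f"{lo}" if lo == hi else f"{lo}-{hi}"
        # A range is reported once, at the first port the policy does not list.
        bad_port = next((p for p in range(lo, hi + 1) if p not in policy), None)
        if bad_port is not None:
            findings.append(f"{gid}: {proto}/{label} includes port {bad_port}, not in the allow-list")
            continue
        for port in range(lo, hi + 1):
            for dest in dests:
                if not _permitted(dest, policy[port]):
                    allowed = ", ".join(str(n) for n in policy[port])
                    findings.append(f"{gid}: {proto}/{port} may reach {dest}, outside {allowed}")
        if rule.get("UserIdGroupPairs") or rule.get("PrefixListIds"):
            findings.append(f"{gid}: {proto}/{label} targets another SG or prefix list; review it")
    return findings


# Constructed sample: a fleet SG that still carries the default allow-all rule.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "fleet-contractor",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [], "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},              # DB port open to the internet
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # default allow-all egress
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},              # "ephemeral" catch-all
    ],
}

if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_SG):
        print(finding)
```

Feed it the `SecurityGroups` list from `describe-security-groups` for the IDs in each fleet's `VpcConfig.SecurityGroupIds`; a compliant group returns an empty list. Rules that reference other security groups or prefix lists are surfaced for review rather than judged, because the allow-list is expressed in CIDRs.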

## WorkSpaces Secure Browser specific

- [ ] Portal VPC association reaches only required subnets
- [ ] Clipboard (copy and paste), file upload/download and printing disabled in the portal's user settings unless explicitly approved
- [ ] WebAuthn redirection configured only if FIDO2 required (Chrome 136+, Edge 137+)
- [ ] Session isolation verified — a user entitled to one portal is denied at every other portal endpoint; test with an account that belongs to only one IdP group

## WorkSpaces Applications / Core / Personal specific

- [ ] Fleet/instance type rightsized — Graphics only where GPU proven necessary
- [ ] Persistent user volumes encrypted with CMK where policy requires
- [ ] Application catalog single version — no per-user MSI drift
- [ ] Idle disconnect and max session duration set on the fleet (`IdleDisconnectTimeoutInSeconds`, `MaxUserDurationInSeconds`, `DisconnectTimeoutInSeconds`), not left at service defaults
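Added check covering the redirection items in the Secure Browser section above and the fleet session-limit items here; it is not part of the checklist or of any AWS tooling. The records follow the field names of boto3's `appstream.describe_fleets()` / `describe_stacks()` and `workspaces-web` `get_user_settings()` responses; the samples are constructed and the contractor policy values are assumptions.

```python
"""Session-limit and redirection audit for WorkSpaces Applications fleets and
stacks and for WorkSpaces Secure Browser user settings.

Added example, not from the checklist or from AWS. Records follow the field
names of appstream.describe_fleets() / describe_stacks() and workspaces-web
get_user_settings(); the samples are constructed and the policy is assumed.
"""

# Assumed contractor policy: the checklist's "8h max, 15m idle", nothing redirected.
CONTRACTOR_POLICY = {
    "max_session_seconds": 8 * 3600,
    "idle_seconds": 15 * 60,
    "allowed_redirection": set(),   # approved names from either API below
}

# AppStream stack UserSettings actions that move data between device and session.
REDIRECTION_ACTIONS = {
    "CLIPBOARD_COPY_FROM_LOCAL_DEVICE", "CLIPBOARD_COPY_TO_LOCAL_DEVICE",
    "FILE_UPLOAD", "FILE_DOWNLOAD", "PRINTING_TO_LOCAL_DEVICE",
}

# Secure Browser user-settings flags with the same meaning.
SECURE_BROWSER_FLAGS = ("copyAllowed", "pasteAllowed", "uploadAllowed",
                        "downloadAllowed", "printAllowed")


def audit_fleet(fleet, policy=CONTRACTOR_POLICY):
    """Findings for one describe_fleets() record."""
    out, name = [], fleet["Name"]
    max_dur = fleet.get("MaxUserDurationInSeconds", 0)
    idle = fleet.get("IdleDisconnectTimeoutInSeconds", 0)
    if max_dur == 0 or max_dur > policy["max_session_seconds"]:
        out.append(f"{name}: MaxUserDurationInSeconds={max_dur} exceeds policy")
    if idle == 0 or idle > policy["idle_seconds"]:   # 0 means idle users are never disconnected
        out.append(f"{name}: IdleDisconnectTimeoutInSeconds={idle} exceeds policy")
    if fleet.get("EnableDefaultInternetAccess"):
        out.append(f"{name}: default internet access assigns public IPs; use NAT or endpoints")
    if "graphics" in fleet.get("InstanceType", "").lower():
        out.append(f"{name}: GPU type {fleet['InstanceType']}; confirm the GPU need is proven")
    return out


def audit_stack(stack, policy=CONTRACTOR_POLICY):
    """Findings for one describe_stacks() record. An action absent from
    UserSettings is ENABLED by default, so absence is a finding, not a pass."""
    out, name = [], stack["Name"]
    explicit = {s["Action"]: s["Permission"] for s in stack.get("UserSettings", [])}
    for action in sorted(REDIRECTION_ACTIONS - policy["allowed_redirection"]):
        if explicit.get(action, "ENABLED") == "ENABLED":
            out.append(f"{name}: {action} enabled (default unless set to DISABLED)")
    return out


def audit_secure_browser(settings, policy=CONTRACTOR_POLICY):
    """Findings for the userSettings record returned by get_user_settings()."""
    out, arn = [], settings.get("userSettingsArn", "?")
    for flag in SECURE_BROWSER_FLAGS:
        if flag not in policy["allowed_redirection"] and settings.get(flag) == "Enabled":
            out.append(f"{arn}: {flag}=Enabled")
    idle_min = settings.get("idleDisconnectTimeoutInMinutes")
    if idle_min is None or idle_min * 60 > policy["idle_seconds"]:
        out.append(f"{arn}: idleDisconnectTimeoutInMinutes={idle_min} exceeds policy")
    return out


# Constructed samples: a fleet left near service defaults and a half-finished stack.
SAMPLE_FLEET = {
    "Name": "contractor-fleet", "InstanceType": "stream.standard.medium",
    "MaxUserDurationInSeconds": 57600,       # 16h
    "DisconnectTimeoutInSeconds": 900,
    "IdleDisconnectTimeoutInSeconds": 0,     # idle users are never disconnected
    "EnableDefaultInternetAccess": True,
}
SAMPLE_STACK = {
    "Name": "contractor-stack",
    "UserSettings": [                        # clipboard and FILE_DOWNLOAD not listed
        {"Action": "FILE_UPLOAD", "Permission": "DISABLED"},
        {"Action": "PRINTING_TO_LOCAL_DEVICE", "Permission": "DISABLED"},
    ],
}
SAMPLE_SB_SETTINGS = {
    "userSettingsArn": "arn:aws:workspaces-web:us-east-1:111122223333:userSettings/example",
    "copyAllowed": "Disabled", "pasteAllowed": "Enabled", "uploadAllowed": "Disabled",
    "downloadAllowed": "Disabled", "printAllowed": "Disabled",
    "idleDisconnectTimeoutInMinutes": 15,
}

if __name__ == "__main__":
    for finding in (audit_fleet(SAMPLE_FLEET) + audit_stack(SAMPLE_STACK)
                    + audit_secure_browser(SAMPLE_SB_SETTINGS)):
        print(finding)
```

The stack check is the one to watch: an operator who disables only upload and printing, as in the sample, leaves both clipboard directions and download enabled because AppStream treats an unlisted action as permitted.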

## Logging and response

- [ ] CloudWatch Logs / S3 logging enabled for session and admin API activity
- [ ] CloudTrail data events on S3 user-volume buckets if persistent desktops
- [ ] Runbook for stuck sessions, credential compromise, fleet capacity exhaustion
- [ ] Quarterly access review: IdP groups ↔ fleet/portal mapping

## What broke (common)

| Symptom | Likely cause |
|---------|----------------|
| Black screen after login | SG blocks streaming protocol port; check fleet SG and NACL |
| Internal app unreachable | Missing Resolver rule or wrong VPC association on Secure Browser portal |
| Clipboard exfiltration report | Redirection left enabled on contractor portal |
| Auth loop | SAML attribute mismatch — check NameID and role mapping |
