# VDI and secure remote access decision matrix

Pick the **AWS access layer** by what the user actually runs — not by what your
legacy VPN vendor sold you in 2019.

> Product names reflect mid-2026. **Amazon WorkSpaces Applications** is the current
> name for AppStream 2.0 application streaming. **Amazon WorkSpaces Secure Browser**
> is the managed isolated browser (formerly marketed as WorkSpaces Web). Confirm
> console labels and regional availability before procurement.

## 1. "What does the user need to do?"

| User need | AWS service | When to choose |
|-----------|-------------|----------------|
| Access SaaS / internal web apps only; no desktop | **WorkSpaces Secure Browser** | Contractors, BPO, call-center web CRM; lowest attack surface for browser-only work |
| Run one or few Windows/Linux apps (CAD, ERP client, legacy fat client) | **WorkSpaces Applications** | App streaming without full desktop; session isolation per user |
| Full persistent or non-persistent Windows/Linux desktop | **WorkSpaces Personal** or **WorkSpaces Core** | Dev environments, traders, power users needing OS-level tools, local profile |
| macOS desktop | **WorkSpaces Family** (macOS options where available) or third-party | Confirm regional macOS bundle support before committing |

**Opinionated default:** start at the **lowest layer** that satisfies the job —
Secure Browser before Applications before full desktop.

## 2. "What identity and network path?"

| Requirement | Pattern |
|-------------|---------|
| Corporate SSO | SAML 2.0 IdP → IAM Identity Center or direct IdP integration per service |
| Reach private SaaS / intranet | Secure Browser **VPC** association + SG; or full desktop in private subnets |
| No managed endpoint | Secure Browser streams to user's existing Chromium browser — no agent on laptop |
| Clipboard / file exfiltration risk | Disable clipboard and file-transfer redirection; enable session logging; put untrusted users on Secure Browser |
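
Added example (not the page's own code) for the last row: the weak "everything enabled" Secure Browser user settings beside the hardened set, plus session logging, applied with the AWS CLI. It assumes the `workspaces-web` CLI namespace and the flag names of the CreateUserSettings and CreateUserAccessLoggingSettings APIs still match; the portal and Kinesis stream ARNs are placeholders supplied by the caller.

```shell
#!/usr/bin/env sh
# Added example: harden a WorkSpaces Secure Browser portal against clipboard and
# file exfiltration and turn on session logging. ASSUMPTIONS: CLI namespace is
# still `workspaces-web`, flag names match CreateUserSettings /
# CreateUserAccessLoggingSettings, ARNs are caller-supplied placeholders.
# Set AWS="echo aws" to print the calls instead of executing them.
AWS="${AWS:-aws}"

# Weak baseline many pilots ship with: clipboard, file transfer and print all on.
weak_user_settings_flags() {
  echo "--copy-allowed Enabled --paste-allowed Enabled --download-allowed Enabled --upload-allowed Enabled --print-allowed Enabled"
}

# Hardened settings for untrusted users: no clipboard, no file transfer, no print,
# and short timeouts so abandoned sessions do not linger.
hardened_user_settings_flags() {
  echo "--copy-allowed Disabled --paste-allowed Disabled --download-allowed Disabled --upload-allowed Disabled --print-allowed Disabled --disconnect-timeout-in-minutes 15 --idle-disconnect-timeout-in-minutes 10"
}

# Create hardened user settings and a logging config, then bind both to the portal.
# $1 = portal ARN, $2 = Kinesis stream ARN that receives session event logs.
harden_secure_browser_portal() {
  portal_arn="$1"; stream_arn="$2"
  # shellcheck disable=SC2046  # flags are intentionally word-split
  settings_arn=$($AWS workspaces-web create-user-settings \
      $(hardened_user_settings_flags) \
      --query userSettingsArn --output text)
  logging_arn=$($AWS workspaces-web create-user-access-logging-settings \
      --kinesis-stream-arn "$stream_arn" \
      --query userAccessLoggingSettingsArn --output text)
  $AWS workspaces-web associate-user-settings \
      --portal-arn "$portal_arn" --user-settings-arn "$settings_arn"
  $AWS workspaces-web associate-user-access-logging-settings \
      --portal-arn "$portal_arn" --user-access-logging-settings-arn "$logging_arn"
}
```

Run with `AWS="echo aws"` first to review the exact calls, then against a real profile with the portal ARN from `list-portals`.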

## 3. "When NOT to use AWS streaming"

| Situation | Better path |
|-----------|-------------|
| Users only need AWS Console / CLI | IAM Identity Center + [console private access](/blog/aws-management-console-private-access/) |
| GPU ML training at scale | SageMaker, EC2 G instances — not VDI |
| Mobile-native apps | Device MDM + app wrapping — streaming adds latency without benefit |
| Air-gapped OT floor | Greengrass / SiteWise edge — see manufacturing IoT posts |

## Cost signals (order-of-magnitude)

Use the [cost model worksheet](./cost-model-worksheet.csv) — do not budget from
round numbers in slides. WorkSpaces Secure Browser is typically **seat/month**;
Applications and full desktops are **stream-hour + instance/fleet** dominated.

## Related posts

- [VDI and secure remote workforce on AWS](/blog/aws-vdi-secure-remote-workforce-workspaces-2026/)
- [Console private access](/blog/aws-management-console-private-access/)
- [KMS encryption architecture](/blog/aws-kms-encryption-architecture-cmk-strategy-2026/)
