AWS WorkSpaces provides a flexible and secure way to deploy virtual desktops in the cloud, offering users a familiar desktop experience accessible from anywhere. When combined with AWS Managed Active Directory (AWS Managed AD) and FreeRADIUS for multi-factor authentication (MFA), you can enhance security and manage access effectively. This guide walks through the steps to set up AWS WorkSpaces with these components.

Prerequisites

Before you begin, ensure you have the following:

  • An AWS account with administrative access.
  • AWS Managed Microsoft AD set up in your AWS account.
  • Knowledge of AWS networking basics.
  • Familiarity with AWS WorkSpaces setup.

Step 1: Set Up AWS Managed Microsoft AD

  1. Create AWS Managed Microsoft AD:
    • Navigate to the AWS Management Console.
    • Open the AWS Directory Service console at https://console.aws.amazon.com/directoryservice/.
    • Choose “Create directory” and select “AWS Managed Microsoft AD.”
    • Follow the prompts to configure your directory details, such as directory DNS name, VPC settings, and administrative privileges.
  2. Configure Networking:
    • Ensure that your AWS Managed Microsoft AD is set up within a VPC with proper connectivity to your AWS resources and WorkSpaces.

Step 2: Set Up FreeRADIUS for Multi-Factor Authentication (MFA)

  1. Launch an EC2 Instance for FreeRADIUS:
    • Navigate to the EC2 console at https://console.aws.amazon.com/ec2/.
    • Launch an EC2 instance using a suitable Amazon Machine Image (AMI) that supports FreeRADIUS (e.g., Ubuntu, CentOS).
    • Ensure the instance has appropriate IAM roles to interact with AWS services like AWS Managed AD.
  2. Install and Configure FreeRADIUS:
    • SSH into your EC2 instance.
    • Install FreeRADIUS using your package manager (apt-get for Ubuntu, yum for CentOS).
    • Configure FreeRADIUS to authenticate against AWS Managed AD. This typically involves editing the radiusd.conf and clients.conf files to point to your AWS Managed AD LDAP endpoint and configuring appropriate authentication methods (e.g., LDAP bind).
  3. Set Up MFA with FreeRADIUS:
    • Configure FreeRADIUS to use a suitable MFA method (e.g., Google Authenticator, DUO Security).
    • Integrate with your chosen MFA provider by configuring their plugin or module within FreeRADIUS.

Step 3: Configure AWS WorkSpaces

  1. Launch AWS WorkSpaces:
    • Navigate to the AWS WorkSpaces console at https://console.aws.amazon.com/workspaces/.
    • Choose “Launch WorkSpaces” and select the desired bundle and user settings.
    • Ensure that during the launch, you select your AWS Managed AD directory as the directory to join for authentication.
  2. Configure WorkSpaces Client Access:
    • Allow inbound network traffic on TCP port 3389 (RDP) from your WorkSpaces clients to the WorkSpaces instances.
    • Optionally, configure AWS WorkSpaces Application Manager (WAM) for centralized application management.

Step 4: Integrate FreeRADIUS with AWS Managed AD

  1. Test Authentication:
    • Ensure that users can authenticate using their AWS Managed AD credentials.
    • Verify that MFA is enforced through FreeRADIUS after initial AD authentication.
  2. Monitor and Manage:
    • Set up monitoring and logging for your FreeRADIUS instance using Amazon CloudWatch.
    • Implement IAM roles and policies to manage access to FreeRADIUS and related resources securely.
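As an added example (not code from this guide, from AWS, or from FreeRADIUS), the following Python reproduces the RADIUS exchange behind the clients.conf entry in Step 2 and the authentication test in Step 4: the directory's domain controllers act as the RADIUS client, the shared secret listed in clients.conf hides the User-Password attribute and authenticates the reply, and a mismatched secret on either side fails the way a misconfigured client entry does. The user name, password and shared secret are constructed placeholders.

```python
import hashlib
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password (RFC 2865 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse pap_encrypt; the server then strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator=None) -> bytes:
    """Build the Access-Request a RADIUS client (here, the directory) sends to FreeRADIUS."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    hidden = pap_encrypt(password.encode(), secret, authenticator)
    name = user.encode()
    attrs = (struct.pack("!BB", ATTR_USER_NAME, len(name) + 2) + name
             + struct.pack("!BB", ATTR_USER_PASSWORD, len(hidden) + 2) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(request: bytes, code: int, secret: bytes) -> bytes:
    """Server reply: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check that the reply came from a server holding the same shared secret."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return reply[4:20] == expected
```

The hiding is keyed only by the shared secret and the per-request authenticator, so a long random secret in clients.conf, with the client entry restricted to the directory's domain controller addresses, is what protects credentials on the wire.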

Conclusion

By setting up AWS WorkSpaces with AWS Managed AD and integrating FreeRADIUS for MFA, you enhance security and control over your virtual desktop environment. This setup provides robust authentication mechanisms while leveraging AWS’s scalable and reliable infrastructure. Follow the steps outlined above to establish a secure and efficient AWS WorkSpaces deployment tailored to your organizational needs.