Getting Started with AWS WorkSpaces

This is a set of notes for setting up AWS WorkSpaces, a service for running one or more desktops on the AWS cloud.

Technical Details

Each Windows workspace uses a copy of a Windows Server operating system. This means that you cannot use applications that specifically require a Windows desktop operating system. For example, Microsoft Edge is not available in a workspace.

All workspaces automatically use SSD storage. The capacity of a workspace is determined by the bundle.

AWS WorkSpaces uses the proprietary PCoIP protocol, which is developed by Teradici. You connect to a workspace with either an AWS WorkSpaces client application or another system that uses PCoIP, such as a thin client unit.

Before You Start, Request a New Service Limit

AWS limits your account to just 1 workspace until you request a larger limit.

Networking and Directories


A directory requires a VPC with at least 2 subnets. You can have multiple directories on the same VPC.

Each workspace is tied to one user account in one directory. A workspace will exist in one subnet.

Remember that you cannot expand a VPC. If you destroy a VPC, you will lose all of the directories, workspaces and images.


For many scenarios, you need to use the full AWS Directory Service for Active Directory. Simple AD does not support features such as Group Policy and trust relationships between Active Directory domains.

Use Group Policy to manage settings. For example, you can manage the Settings app with Group Policy. AWS provides a policy template for settings that are specific to WorkSpaces. The AWS documentation explains how to install AD administration tools.

Managing Images and Bundles

An image can be attached to multiple bundles. For safety, you cannot delete a bundle with active workspaces.

At the time of writing, you cannot create an image from a workspace that has encrypted drives. This means that the simplest way to create images for your bundles is to follow this process:

  • Create a clean user account
  • Launch a workspace for the new user, without disk encryption
  • Update the workspace and add any management agents
  • Create an image from this workspace
  • Create a custom bundle that uses the new image
  • Destroy the original workspace
  • Ensure that you only create workspaces from your custom bundles
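
One way to check the last two steps of the process above, as an added example that is not part of the original notes: it audits the JSON returned by `aws workspaces describe-workspaces` for workspaces that are not on an approved custom bundle (for instance, an image-source workspace that was never destroyed) or that have an unencrypted volume. The bundle IDs, workspace IDs and user names are constructed, and the expectation that every remaining workspace has both volumes encrypted is an assumption of this example.

```python
import json

# Constructed sample shaped like `aws workspaces describe-workspaces` output.
# All IDs and user names are made up for this example.
SAMPLE_DESCRIBE_WORKSPACES = json.loads("""
{"Workspaces": [
  {"WorkspaceId": "ws-aaaa11111", "UserName": "alice", "BundleId": "wsb-custom001",
   "State": "AVAILABLE", "RootVolumeEncryptionEnabled": true, "UserVolumeEncryptionEnabled": true},
  {"WorkspaceId": "ws-bbbb22222", "UserName": "imagebuilder", "BundleId": "wsb-stock0001",
   "State": "AVAILABLE"},
  {"WorkspaceId": "ws-cccc33333", "UserName": "bob", "BundleId": "wsb-custom001",
   "State": "AVAILABLE", "RootVolumeEncryptionEnabled": true, "UserVolumeEncryptionEnabled": false},
  {"WorkspaceId": "ws-dddd44444", "UserName": "carol", "BundleId": "wsb-stock0001",
   "State": "TERMINATING", "RootVolumeEncryptionEnabled": true, "UserVolumeEncryptionEnabled": true}
]}
""")

APPROVED_BUNDLES = {"wsb-custom001"}          # hypothetical custom bundle ID
IGNORED_STATES = {"TERMINATING", "TERMINATED"}  # already on their way out
VOLUME_FLAGS = (("root", "RootVolumeEncryptionEnabled"),
                ("user", "UserVolumeEncryptionEnabled"))


def audit_workspaces(response, approved_bundles):
    """Return (workspace_id, user_name, issues) for each workspace that needs attention."""
    findings = []
    for ws in response.get("Workspaces", []):
        if ws.get("State") in IGNORED_STATES:
            continue
        issues = []
        if ws.get("BundleId") not in approved_bundles:
            issues.append("unapproved-bundle")
        # A missing flag is treated as "not encrypted" (the conservative reading).
        unencrypted = [name for name, key in VOLUME_FLAGS if not ws.get(key, False)]
        if unencrypted:
            issues.append("unencrypted:" + "+".join(unencrypted))
        if issues:
            findings.append((ws["WorkspaceId"], ws.get("UserName"), issues))
    return findings


if __name__ == "__main__":
    for ws_id, user, issues in audit_workspaces(SAMPLE_DESCRIBE_WORKSPACES, APPROVED_BUNDLES):
        print(f"{ws_id} ({user}): {', '.join(issues)}")
```

To run it against a real account, replace the sample with the parsed output of `aws workspaces describe-workspaces` and list your own custom bundle IDs in APPROVED_BUNDLES.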