
Unused WorkSpaces

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: WS-001

Identify and remove any unused AWS WorkSpaces instances available within your AWS account to help lower the cost of your monthly AWS bill. An AWS WorkSpaces instance (i.e. virtual desktop) is considered unused if it has 0 (zero) known user connections registered within the past 30 days (default threshold).

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability, Cost optimisation

Any WorkSpaces instance provisioned within your account adds charges to your AWS bill, regardless of whether it is being used or not. Cloud Conformity highly recommends removing any unused WorkSpaces instances available in your account in order to optimize the service usage charges and reduce your monthly AWS costs.

Note: You can easily change the default threshold value (i.e. 30 days) for the number of days with login inactivity on the Cloud Conformity console.


Audit

To determine if there are any unused Amazon WorkSpaces instances currently available in your AWS account, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to WorkSpaces dashboard at https://console.aws.amazon.com/workspaces/.

03 In the left navigation panel click WorkSpaces to access the service instances listing page.

04 Choose the WorkSpaces instance that you want to examine, then click its Hide or Show Details button to open the instance details panel.

05 On the selected instance configuration details panel, verify the User Last Active attribute value to determine the last time when a known user accessed the WorkSpaces instance. If the last user login was registered more than 30 days ago (e.g. Feb 16, 2017 10:32:54 UTC), the selected WorkSpaces instance is not in use anymore and can be safely removed from your AWS account in order to stop accumulating unnecessary usage charges.

06 Repeat steps no. 4 and 5 to verify the last user login, returned by the User Last Active attribute value, for other WorkSpaces instances provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-workspaces command (OSX/Linux/UNIX) using custom query filters to list the IDs of all WorkSpaces instances available within the selected region:

aws workspaces describe-workspaces \
	--region us-east-1 \
	--output table \
	--query 'Workspaces[*].WorkspaceId'

02 The command output should return a table with the requested WorkSpaces IDs:

--------------------
|DescribeWorkspaces|
+------------------+
|   ws-7cgsl2k65   |
|   ws-8d6il5kr3   |
|   ws-2dtyl1g47   |
+------------------+

03 Now run the describe-workspaces-connection-status command (OSX/Linux/UNIX) using the ID of the WorkSpaces instance that you want to examine as the identifier, and the necessary query filters to return the timestamp (UNIX format) of the last known user connection (i.e. user login):

aws workspaces describe-workspaces-connection-status \
	--region us-east-1 \
	--workspace-ids ws-7cgsl2k65 \
	--query 'WorkspacesConnectionStatus[*].LastKnownUserConnectionTimestamp'

04 The command output should return the timestamp of the last known user login recorded for the selected instance:

[
    1489139777.721
]

05 Now run the date command (Linux/UNIX) using the timestamp value returned at the previous step to convert it to a human-readable date value:

date -d @1489139777.721

06 The command output should return the requested date in human readable format (UTC time):

Fri Mar 10 09:56:17 UTC 2017

If the last user login date returned at the previous step was more than 30 days ago, the selected WorkSpaces instance is not utilized anymore and can be safely removed from your AWS account to optimize the WorkSpaces service usage charges.

07 Repeat steps no. 3 – 6 to verify the last known user login date recorded for other WorkSpaces instances available within the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire audit process for other regions.

Remediation / Resolution

To terminate any unused Amazon WorkSpaces instances currently available in your AWS account, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to WorkSpaces dashboard at https://console.aws.amazon.com/workspaces/.

03 In the navigation panel click WorkSpaces to open the instances listing page.

04 Select the WorkSpaces instance that you want to delete (see Audit section part I to identify the right resource).

05 Click the Actions dropdown button from the dashboard top menu and select Remove WorkSpaces to initiate the instance removal process.

06 Within the Remove WorkSpaces dialog box, review the necessary configuration details then click Remove WorkSpaces to delete the selected instance. The instance removal may take up to 5 minutes to complete.

07 Repeat steps no. 4 - 6 to delete any unused AWS WorkSpaces instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run terminate-workspaces command (OSX/Linux/UNIX) using the ID of the WorkSpaces instance that you want to delete (see Audit section part II to identify the right instance) to remove the resource from your AWS account:

aws workspaces terminate-workspaces \
	--region us-east-1 \
	--terminate-workspace-requests ws-7cgsl2k65

02 If the request succeeded, the command output should return an empty FailedRequests array, as shown in the output example below:

{
    "FailedRequests": []
}

03 Repeat steps no. 1 and 2 to remove any unused AWS WorkSpaces instances available within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
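The following script is an added example and not Conformity's own code. It automates both CLI procedures above: the classification in the audit section (steps 1 to 8, for every WorkSpace in a region and every region) and the terminate-workspaces remediation step, and it runs offline against a constructed set of records. The function and variable names (find_unused, audit_region, audit_all_regions, terminate_unused, sample_records) are this example's own, the timestamps in the sample are made up, and it is assumed that calling describe-workspaces-connection-status without --workspace-ids returns the connection status of every WorkSpace in the region.

```shell
#!/bin/sh
# Added example (not Conformity's code): automate the WS-001 audit and
# remediation steps with the AWS CLI. Function and variable names are this
# example's own; the sample records further down are constructed.

THRESHOLD_DAYS=30   # Conformity's default inactivity threshold, in days

# find_unused DAYS NOW_EPOCH
# Reads lines of "WorkspaceId<TAB>LastKnownUserConnectionTimestamp" on stdin
# (the shape that --output text produces for the query used in audit_region)
# and prints one line per WorkSpace that had no known user connection in the
# last DAYS days, relative to NOW_EPOCH. A WorkSpace with no recorded
# connection at all ("None" in text output) has zero connections in the
# window, so it is reported too, tagged never-connected.
find_unused() {
  days=$1
  now=$2
  cutoff=$(( now - days * 86400 ))
  while read -r id ts; do
    [ -z "$id" ] && continue
    case "$ts" in
      ""|None)
        echo "$id never-connected" ;;
      *)
        secs=${ts%.*}   # drop the fractional part; sh arithmetic is integer-only
        if [ "$secs" -lt "$cutoff" ]; then
          echo "$id idle-days=$(( (now - secs) / 86400 ))"
        fi ;;
    esac
  done
}

# audit_region REGION: query every WorkSpace in REGION and classify it.
# Needs AWS credentials. Assumption: calling the command without
# --workspace-ids covers all WorkSpaces in the region.
audit_region() {
  aws workspaces describe-workspaces-connection-status \
    --region "$1" --output text \
    --query 'WorkspacesConnectionStatus[*].[WorkspaceId,LastKnownUserConnectionTimestamp]' \
    | find_unused "$THRESHOLD_DAYS" "$(date +%s)"
}

# audit_all_regions: the whole CLI audit, repeated for every enabled region.
audit_all_regions() {
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    audit_region "$region" | sed "s/^/$region /"
  done
}

# terminate_unused REGION ID...: the CLI remediation step for several
# WorkSpaces at once. Termination is permanent and destroys the user's data
# on the WorkSpace, so review the audit output before calling this.
# Returns non-zero when the response's FailedRequests array is not empty.
terminate_unused() {
  region=$1; shift
  reqs=""
  for id in "$@"; do reqs="$reqs WorkspaceId=$id"; done
  failed=$(aws workspaces terminate-workspaces --region "$region" \
             --terminate-workspace-requests $reqs \
             --query 'length(FailedRequests)' --output text)
  [ "$failed" = "0" ]
}

# Constructed sample: the three IDs from the audit output above, paired with
# made-up timestamps, evaluated as of 2017-04-10 00:00:00 UTC (1491782400).
SAMPLE_NOW=1491782400
sample_records() {
  printf 'ws-7cgsl2k65\t1489139777.721\n'   # 2017-03-10 09:56:17 UTC, 30 days idle
  printf 'ws-8d6il5kr3\t1491700000.0\n'     # 2017-04-09 UTC, active
  printf 'ws-2dtyl1g47\tNone\n'             # never connected
}

# sample_report: runs the classifier offline on the constructed records.
sample_report() {
  sample_records | find_unused "$THRESHOLD_DAYS" "$SAMPLE_NOW"
}

sample_report
```

Run as-is, the script only prints the classification of the constructed sample (ws-7cgsl2k65 and ws-2dtyl1g47 are reported, ws-8d6il5kr3 is not). audit_all_regions and terminate_unused are the pieces that talk to AWS; keep the terminate call separate from the audit so that the list of IDs is reviewed before anything is removed, and set THRESHOLD_DAYS to whatever inactivity threshold is configured on the Conformity console.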


Publication date Mar 13, 2017