Restrict access to connect to Amazon WorkSpaces Pools

This guide demonstrates how to control user access to WorkSpaces pools based on IP address ranges through IAM role configured for SAML federation.

Rohit Gulati
Amazon Employee
Published May 29, 2025
WorkSpaces Pools offers non-persistent virtual desktops, tailored for users who need access to highly curated desktop environments hosted on ephemeral infrastructure. It provides customers the flexibility and choice to support a wide range of use cases, including training labs, contact centers, and other shared environments where users get a fresh virtual desktop every time they log in. Some user settings, like bookmarks and files stored in a central storage repository such as Amazon S3 or Amazon FSx, can be saved. WorkSpaces Pools also simplifies management across a customer’s WorkSpaces environment by providing a single console and set of clients to manage the various desktop hardware configurations, storage, and applications for the user, including Microsoft 365 Apps for enterprise. It offers pay-as-you-go hourly pricing, helping reduce costs.
When you have sensitive information available through WorkSpaces Pools, you can ensure that users access it only through your IP ranges (Geolocation). While you can enforce the source IP restriction through your SAML identity provider, applying it to the IAM role adds another layer of security. This ensures that your users are connecting to their virtual pool desktops from approved offices or devices. This post shows you how to enable source IP-based restrictions to access your WorkSpaces Pools desktops.
To set IP-based restrictions, you must have SAML-based authentication configured with your Amazon WorkSpaces Pools.
The source IP-based filter is configured through an IAM policy attached to the IAM role (created in Step 5 of the SAML setup guide linked above) that a user assumes through SAML 2.0 federation. One option is to create the source IP-based filter policy as an inline policy on the IAM role.
To access the inline policy:
  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Roles.
  3. Choose the link on the role name that you use for SAML 2.0 federation.
  4. On the Permissions tab of the role summary, you see your inline policy. Choose the arrow to the left of the policy name to expand it, and select Edit Policy.
Your policy should look similar to the following example: [JSON]
We add a section to this policy to block traffic from everywhere, except the listed IP CIDR range. In this example, it would only allow traffic from a source IP address of <x.x.x.x>. Be sure to replace text within the < > with your information.
Review and save the changes. Now the IAM role that your users use to stream from the WorkSpaces Pools is usable only from the specified CIDR ranges. When a user attempts to access the stack from an IP not listed within the CIDR range, they'll receive an error stating that they're NOT authorized to access that resource.
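The following is an added example, not the policy from the original post (whose JSON is not reproduced above): it builds the inline policy for the SAML federation role with a Deny statement conditioned on `aws:SourceIp`, and includes a small offline check so you can confirm your CIDR list behaves as intended before saving it in the IAM console. The Allow statement for `workspaces:Stream`, the pool ARN, and the CIDR ranges are assumed placeholder values; substitute your own.

```python
"""Added example (not the post's own policy): an inline IAM policy for a
WorkSpaces Pools SAML federation role that denies every action unless the
request's source IP is inside an allow-list of CIDR ranges, plus an offline
check of that allow-list before it is deployed."""
import ipaddress
import json

# Constructed placeholder values (RFC 5737 documentation ranges); replace with your own.
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]
POOL_ARN = "arn:aws:workspaces:us-east-1:111122223333:workspacespool/wspool-PLACEHOLDER"


def build_policy(allowed_cidrs, pool_arn):
    """Return the policy document as a dict (json.dumps it to paste into the console)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Assumed streaming permission; the post's own Allow statement is elided.
                "Sid": "AllowStreamToPool",
                "Effect": "Allow",
                "Action": "workspaces:Stream",
                "Resource": pool_arn,
                "Condition": {"StringEquals": {"workspaces:userId": "${saml:sub}"}},
            },
            {
                # Explicit Deny wins over any Allow, so this blocks the whole role
                # for requests that arrive from outside the listed ranges.
                "Sid": "DenyOutsideApprovedRanges",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)},
                    # Do not deny calls that AWS services make on the user's behalf;
                    # those carry the service's IP, not the user's.
                    "Bool": {"aws:ViaAWSService": "false"},
                },
            },
        ],
    }


def policy_json(allowed_cidrs, pool_arn):
    """The exact text to paste into the inline policy editor."""
    return json.dumps(build_policy(allowed_cidrs, pool_arn), indent=2)


def is_source_ip_allowed(source_ip, allowed_cidrs, via_aws_service=False):
    """Mirror the Deny statement's condition logic: the Deny matches (request
    refused) only when the source IP is outside every listed range AND the
    request was not made via an AWS service. Returns True when not denied."""
    if via_aws_service:
        return True
    ip = ipaddress.ip_address(source_ip)
    # 'in' returns False for mismatched IP versions, so v4 and v6 ranges can be mixed.
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allowed_cidrs)


def lint_cidrs(allowed_cidrs, max_prefix_gap=8):
    """Flag common mistakes in the allow-list: unparsable entries and ranges so
    wide they defeat the purpose (e.g. 0.0.0.0/0). Returns a list of warnings."""
    warnings = []
    for cidr in allowed_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            warnings.append(f"{cidr}: not a valid CIDR")
            continue
        if net.prefixlen <= max_prefix_gap:
            warnings.append(f"{cidr}: prefix /{net.prefixlen} is too broad to be a site range")
    return warnings


if __name__ == "__main__":
    print(policy_json(ALLOWED_CIDRS, POOL_ARN))
    for candidate in ["203.0.113.45", "192.0.2.10"]:
        print(candidate, "allowed" if is_source_ip_allowed(candidate, ALLOWED_CIDRS) else "denied")
    print(lint_cidrs(ALLOWED_CIDRS + ["0.0.0.0/0"]))
```

Two practical caveats when using this: `aws:SourceIp` is the public address the AWS endpoint sees, so users behind NAT or a corporate VPN present the egress address of that gateway, which is what must appear in the list; and requests that reach AWS through a VPC endpoint are evaluated against `aws:VpcSourceIp` rather than `aws:SourceIp`, so a policy keyed only on `aws:SourceIp` would deny them.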
And, that’s it. You’ve now limited access to connect to Amazon WorkSpaces Pools virtual desktop to your configured IP ranges.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.