Workspace is in a private subnet and its VPC has at least 1 public subnet, 2 private subnets, and a NAT Gateway
workspaces_vpc_2private_1public_subnets_nat
Amazon WorkSpaces reside in a VPC that includes 2 private subnets and 1 public subnet, with the WorkSpace launched in a private subnet and the VPC providing NAT Gateway egress.
Risk
Placing WorkSpaces in public subnets or lacking a NAT Gateway exposes desktops to direct Internet reachability, enabling credential attacks and session hijacking, harming confidentiality and integrity. Without controlled egress, updates and directory connectivity can fail, impacting availability and pushing teams to unsafe workarounds.
prowler aws --checks workspaces_vpc_2private_1public_subnets_nat
Recommendation
Launch WorkSpaces in private subnets and design the VPC with one public and two private subnets. Provide outbound access via a NAT Gateway and restrict inbound exposure per network segmentation and least privilege. Distribute subnets across AZs and avoid assigning public IPs to WorkSpaces for defense in depth.
Remediation
- In the AWS Console, go to VPC > Internet gateways and ensure an Internet Gateway is attached to the VPC.
- Go to VPC > Subnets and ensure the VPC has at least one subnet to use as PUBLIC and two subnets to use as PRIVATE (preferably in different AZs). Create missing subnets if needed.
- Go to VPC > NAT Gateways and Create NAT gateway in the PUBLIC subnet, allocating an Elastic IP.
- Go to VPC > Route tables:
  - For the PUBLIC subnet's route table: add or ensure a 0.0.0.0/0 route targets the Internet Gateway (this marks it public).
  - For the PRIVATE subnets' route table(s): add or ensure a 0.0.0.0/0 route targets the NAT Gateway and remove any 0.0.0.0/0 route to an Internet Gateway. This makes them private with egress via NAT.
  - Ensure the WorkSpace's subnet is one of the PRIVATE subnets by associating its subnet with the private route table (Routes: 0.0.0.0/0 -> NAT Gateway).
- Verify: the VPC now has >=1 public subnet, >=2 private subnets, at least one NAT Gateway, and the WorkSpace's subnet is private.
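The verification step above can be scripted from the same facts the console shows: a subnet is public when its effective route table sends 0.0.0.0/0 to an Internet Gateway, private when it sends it to a NAT Gateway, and the VPC's main route table applies to any subnet without an explicit association. The following is an added example, not Prowler's own check code; the VPC, subnet, route-table and NAT Gateway identifiers are constructed and the input dicts only mimic the shape of the EC2 `describe_subnets`, `describe_route_tables` and `describe_nat_gateways` responses so the script runs offline.

```python
"""Classify a VPC's subnets as public/private from their route tables and
evaluate: >=1 public subnet, >=2 private subnets, >=1 available NAT Gateway,
and the WorkSpace's subnet is private. Added example; sample data is constructed."""


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_table):
    """'public' if the active default route targets an IGW, 'private' if it targets
    a NAT Gateway, 'isolated' if there is no usable default route at all."""
    if route_table is None:
        return "isolated"
    kind = "isolated"
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackhole routes do not count
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            kind = "private"
    return kind


def evaluate_workspace(workspace_subnet_id, vpc_id, subnets, route_tables, nat_gateways):
    """Return PASS/FAIL plus the per-subnet classification and the reasons for a FAIL."""
    counts = {"public": 0, "private": 0, "isolated": 0}
    classes = {}
    for subnet in subnets:
        if subnet["VpcId"] != vpc_id:
            continue
        rt = route_table_for_subnet(subnet["SubnetId"], vpc_id, route_tables)
        kind = classify_subnet(rt)
        classes[subnet["SubnetId"]] = kind
        counts[kind] += 1

    nat_ok = [n for n in nat_gateways if n["VpcId"] == vpc_id and n["State"] == "available"]
    ws_kind = classes.get(workspace_subnet_id, "isolated")

    findings = []
    if counts["public"] < 1:
        findings.append("no public subnet (no 0.0.0.0/0 -> igw- route)")
    if counts["private"] < 2:
        findings.append(f"only {counts['private']} private subnet(s) (need 2)")
    if not nat_ok:
        findings.append("no NAT Gateway in state 'available'")
    if ws_kind != "private":
        findings.append(f"WorkSpace subnet {workspace_subnet_id} is {ws_kind}, not private")
    return {"status": "PASS" if not findings else "FAIL",
            "subnet_classes": classes, "findings": findings}


# --- constructed sample data (hypothetical IDs, shaped like EC2 API responses) ---
VPC_ID = "vpc-0example"
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "VpcId": VPC_ID, "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-a", "VpcId": VPC_ID, "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "VpcId": VPC_ID, "AvailabilityZone": "us-east-1b"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "VpcId": VPC_ID,
     "Associations": [{"SubnetId": "subnet-pub-a", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": VPC_ID,
     "Associations": [{"Main": True}],  # main table: covers subnet-priv-a and subnet-priv-b
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0example", "VpcId": VPC_ID,
                 "SubnetId": "subnet-pub-a", "State": "available"}]


if __name__ == "__main__":
    # WorkSpace in a private subnet: PASS. WorkSpace in the public subnet: FAIL.
    for ws_subnet in ("subnet-priv-a", "subnet-pub-a"):
        print(ws_subnet, evaluate_workspace(ws_subnet, VPC_ID, SUBNETS, ROUTE_TABLES, NAT_GATEWAYS))
```

Pointing the private route table's 0.0.0.0/0 at the Internet Gateway instead (the misconfiguration the remediation says to remove) flips both private subnets to "public", so the same function then reports zero private subnets and a public WorkSpace subnet in one run. Against a real account the three lists would come from the corresponding boto3 EC2 calls for the WorkSpace's VPC, and the WorkSpace's subnet ID from `describe_workspaces`.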
Resource Type
Other