AWS Workspaces – how to gather logging information from AWS Workspace network interfaces
While troubleshooting AWS Workspaces issues it is important to be able to gather information more detailed information around network and connectivity, the information below provides and number of options for this.
Solution
Amazon WorkSpaces client applications send WorkSpaces Access events to CloudWatch Events when a user successfully logs into a WorkSpace. These events contain remote client IP address, OS, login time, directory ID and workspace ID. You may use the cloudwatch event rules in a combination with AWS Lambda to identify a pattern and trigger required events.
Alternatively, you may also use Cloudwatch event rules in a combination with AWS SSM to run custom scripts when the pattern is matched.
You may refer to the blog post which provides the steps and guidance to use Cloudwatch events, DynamoDB and Lambda to generate a record of when and from where the users are connecting to the workspaces. You may try this method to record the events in Dynamo DB and generate a report from it.
Furthermore, you may also use AWS command-line interface to get the logging information, the CLI can make API calls while allowing more flexibility and customization to retrieve desired output results. To get started, follow the AWS CLI installation guide and configuration guide.
Once installed and configured, you can utilize the describe-workspace command to get logging information of your WorkSpaces for example:
C:\>aws workspaces describe-workspaces –output table >outputfile.csv
PowerShell scripts can be used as well to generate an output conveniently formatted with desired results. In order to use PowerShell to get a report of the logging activity of WorkSpaces in your account, please follow the below instructions.
*Please note that custom scripts fall outside the scope of support, so we will be limited in our ability to help customize or troubleshoot this script.
-
Identify an EC2 Instance that can be used to run the script.
-
Create an IAM role using the below policy and attach to the EC2 instance
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspacesConnectionStatus",
"workspaces:DescribeWorkspaceImages",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles"
],
"Resource": "*"
}
]
}
3. Logon to the EC2 Instance, open PowerShell ISE as administrator and use the below custom script. The script will get the WorkSpace for each object and run in a loop to print the details of each one and then it will output the results to a CSV named “workspacereport.csv” in the current working directory. The above script can be edited to fit the information needed or removing unnecessary columns. We recommend that you test custom scripts in a non-production environment before deploying them to production.
Get-WKSWorkspace | ForEach-Object {
$connstat = Get-WKSWorkspacesConnectionStatus -WorkspaceId $_.WorkspaceId
New-Object PSObject -Property @{
WorkspaceId = $_.WorkspaceId;
User = $_.UserName;
BundleId = $_.BundleId;
ComputerName = $_.ComputerName;
DirectoryId = $_.DirectoryId;
IpAddress = $_.IpAddress;
ConnectionState = $connstat.ConnectionState; LastConnection = $connstat.LastKnownUserConnectionTimestamp;
ConnectionStateCheckTimestamp = $connstat.ConnectionStateCheckTimestamp
}
} | Export-Csv workspacesreport.csv -NoTypeInformation
Additionally, if you are especially looking for information about network interfaces, you may also look into VPC Flow Logs. With VPC Flow logs, you can capture information such as diagnosing overly restrictive security group rules, monitoring the traffic that is reaching your instance, determining the direction of the traffic to and from the network interfaces.
August 20, 2021