aws workspaces

Amazon WorkSpaces Service Amazon WorkSpaces enables you to provision virtual, cloud-based Microsoft Windows and Amazon Linux desktops for your users

Subcommands

NameDescription
associate-connection-aliasAssociates the specified connection alias with the specified directory to enable cross-Region redirection. For more information, see Cross-Region Redirection for Amazon WorkSpaces. Before performing this operation, call DescribeConnectionAliases to make sure that the current state of the connection alias is CREATED
associate-ip-groupsAssociates the specified IP access control group with the specified directory
authorize-ip-rulesAdds one or more rules to the specified IP access control group. This action gives users permission to access their WorkSpaces from the CIDR address ranges specified in the rules
copy-workspace-imageCopies the specified image from the specified Region to the current Region. For more information about copying images, see Copy a Custom WorkSpaces Image. In the China (Ningxia) Region, you can copy images only within the same Region. In the AWS GovCloud (US-West) Region, to copy images to and from other AWS Regions, contact AWS Support. Before copying a shared image, be sure to verify that it has been shared from the correct AWS account. To determine if an image has been shared and to see the AWS account ID that owns an image, use the DescribeWorkSpaceImages and DescribeWorkspaceImagePermissions API operations
create-connection-aliasCreates the specified connection alias for use with cross-Region redirection. For more information, see Cross-Region Redirection for Amazon WorkSpaces
create-ip-groupCreates an IP access control group. An IP access control group provides you with the ability to control the IP addresses from which users are allowed to access their WorkSpaces. To specify the CIDR address ranges, add rules to your IP access control group and then associate the group with your directory. You can add rules when you create the group or at any time using AuthorizeIpRules. There is a default IP access control group associated with your directory. If you don't associate an IP access control group with your directory, the default group is used. The default group includes a default rule that allows users to access their WorkSpaces from anywhere. You cannot modify the default IP access control group for your directory
create-tagsCreates the specified tags for the specified WorkSpaces resource
create-workspace-bundleCreates the specified WorkSpace bundle. For more information about creating WorkSpace bundles, see Create a Custom WorkSpaces Image and Bundle
create-workspacesCreates one or more WorkSpaces. This operation is asynchronous and returns before the WorkSpaces are created
delete-connection-aliasDeletes the specified connection alias. For more information, see Cross-Region Redirection for Amazon WorkSpaces. If you will no longer be using a fully qualified domain name (FQDN) as the registration code for your WorkSpaces users, you must take certain precautions to prevent potential security issues. For more information, see Security Considerations if You Stop Using Cross-Region Redirection. To delete a connection alias that has been shared, the shared account must first disassociate the connection alias from any directories it has been associated with. Then you must unshare the connection alias from the account it has been shared with. You can delete a connection alias only after it is no longer shared with any accounts or associated with any directories
delete-ip-groupDeletes the specified IP access control group. You cannot delete an IP access control group that is associated with a directory
delete-tagsDeletes the specified tags from the specified WorkSpaces resource
delete-workspace-bundleDeletes the specified WorkSpace bundle. For more information about deleting WorkSpace bundles, see Delete a Custom WorkSpaces Bundle or Image
delete-workspace-imageDeletes the specified image from your account. To delete an image, you must first delete any bundles that are associated with the image and unshare the image if it is shared with other accounts
deregister-workspace-directoryDeregisters the specified directory. This operation is asynchronous and returns before the WorkSpace directory is deregistered. If any WorkSpaces are registered to this directory, you must remove them before you can deregister the directory. Simple AD and AD Connector are made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD or AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Services pricing terms. To delete empty directories, see Delete the Directory for Your WorkSpaces. If you delete your Simple AD or AD Connector directory, you can always create a new one when you want to start using WorkSpaces again
describe-accountRetrieves a list that describes the configuration of Bring Your Own License (BYOL) for the specified account
describe-account-modificationsRetrieves a list that describes modifications to the configuration of Bring Your Own License (BYOL) for the specified account
describe-client-propertiesRetrieves a list that describes one or more specified Amazon WorkSpaces clients
describe-connection-alias-permissionsDescribes the permissions that the owner of a connection alias has granted to another AWS account for the specified connection alias. For more information, see Cross-Region Redirection for Amazon WorkSpaces
describe-connection-aliasesRetrieves a list that describes the connection aliases used for cross-Region redirection. For more information, see Cross-Region Redirection for Amazon WorkSpaces
describe-ip-groupsDescribes one or more of your IP access control groups
describe-tagsDescribes the specified tags for the specified WorkSpaces resource
describe-workspace-bundlesRetrieves a list that describes the available WorkSpace bundles. You can filter the results using either bundle ID or owner, but not both
describe-workspace-directoriesDescribes the available directories that are registered with Amazon WorkSpaces
describe-workspace-image-permissionsDescribes the permissions that the owner of an image has granted to other AWS accounts for an image
describe-workspace-imagesRetrieves a list that describes one or more specified images, if the image identifiers are provided. Otherwise, all images in the account are described
describe-workspace-snapshotsDescribes the snapshots for the specified WorkSpace
describe-workspacesDescribes the specified WorkSpaces. You can filter the results by using the bundle identifier, directory identifier, or owner, but you can specify only one filter at a time
describe-workspaces-connection-statusDescribes the connection status of the specified WorkSpaces
disassociate-connection-aliasDisassociates a connection alias from a directory. Disassociating a connection alias disables cross-Region redirection between two directories in different AWS Regions. For more information, see Cross-Region Redirection for Amazon WorkSpaces. Before performing this operation, call DescribeConnectionAliases to make sure that the current state of the connection alias is CREATED
disassociate-ip-groupsDisassociates the specified IP access control group from the specified directory
import-workspace-imageImports the specified Windows 10 Bring Your Own License (BYOL) image into Amazon WorkSpaces. The image must be an already licensed Amazon EC2 image that is in your AWS account, and you must own the image. For more information about creating BYOL images, see Bring Your Own Windows Desktop Licenses
list-available-management-cidr-rangesRetrieves a list of IP address ranges, specified as IPv4 CIDR blocks, that you can use for the network management interface when you enable Bring Your Own License (BYOL). This operation can be run only by AWS accounts that are enabled for BYOL. If your account isn't enabled for BYOL, you'll receive an AccessDeniedException error. The management network interface is connected to a secure Amazon WorkSpaces management network. It is used for interactive streaming of the WorkSpace desktop to Amazon WorkSpaces clients, and to allow Amazon WorkSpaces to manage the WorkSpace
migrate-workspaceMigrates a WorkSpace from one operating system or bundle type to another, while retaining the data on the user volume. The migration process recreates the WorkSpace by using a new root volume from the target bundle image and the user volume from the last available snapshot of the original WorkSpace. During migration, the original D:\Users\%USERNAME% user profile folder is renamed to D:\Users\%USERNAME%MMddyyTHHmmss%.NotMigrated. A new D:\Users\%USERNAME%\ folder is generated by the new OS. Certain files in the old user profile are moved to the new user profile. For available migration scenarios, details about what happens during migration, and best practices, see Migrate a WorkSpace
modify-accountModifies the configuration of Bring Your Own License (BYOL) for the specified account
modify-client-propertiesModifies the properties of the specified Amazon WorkSpaces clients
modify-selfservice-permissionsModifies the self-service WorkSpace management capabilities for your users. For more information, see Enable Self-Service WorkSpace Management Capabilities for Your Users
modify-workspace-access-propertiesSpecifies which devices and operating systems users can use to access their WorkSpaces. For more information, see Control Device Access
modify-workspace-creation-propertiesModify the default properties used to create WorkSpaces
modify-workspace-propertiesModifies the specified WorkSpace properties. For important information about how to modify the size of the root and user volumes, see Modify a WorkSpace
modify-workspace-stateSets the state of the specified WorkSpace. To maintain a WorkSpace without being interrupted, set the WorkSpace state to ADMIN_MAINTENANCE. WorkSpaces in this state do not respond to requests to reboot, stop, start, rebuild, or restore. An AutoStop WorkSpace in this state is not stopped. Users cannot log into a WorkSpace in the ADMIN_MAINTENANCE state
reboot-workspacesReboots the specified WorkSpaces. You cannot reboot a WorkSpace unless its state is AVAILABLE or UNHEALTHY. This operation is asynchronous and returns before the WorkSpaces have rebooted
rebuild-workspacesRebuilds the specified WorkSpace. You cannot rebuild a WorkSpace unless its state is AVAILABLE, ERROR, UNHEALTHY, STOPPED, or REBOOTING. Rebuilding a WorkSpace is a potentially destructive action that can result in the loss of data. For more information, see Rebuild a WorkSpace. This operation is asynchronous and returns before the WorkSpaces have been completely rebuilt
register-workspace-directoryRegisters the specified directory. This operation is asynchronous and returns before the WorkSpace directory is registered. If this is the first time you are registering a directory, you will need to create the workspaces_DefaultRole role before you can register a directory. For more information, see Creating the workspaces_DefaultRole Role
restore-workspaceRestores the specified WorkSpace to its last known healthy state. You cannot restore a WorkSpace unless its state is AVAILABLE, ERROR, UNHEALTHY, or STOPPED. Restoring a WorkSpace is a potentially destructive action that can result in the loss of data. For more information, see Restore a WorkSpace. This operation is asynchronous and returns before the WorkSpace is completely restored
revoke-ip-rulesRemoves one or more rules from the specified IP access control group
start-workspacesStarts the specified WorkSpaces. You cannot start a WorkSpace unless it has a running mode of AutoStop and a state of STOPPED
stop-workspacesStops the specified WorkSpaces. You cannot stop a WorkSpace unless it has a running mode of AutoStop and a state of AVAILABLE, IMPAIRED, UNHEALTHY, or ERROR
terminate-workspacesTerminates the specified WorkSpaces. Terminating a WorkSpace is a permanent action and cannot be undone. The user's data is destroyed. If you need to archive any user data, contact AWS Support before terminating the WorkSpace. You can terminate a WorkSpace that is in any state except SUSPENDED. This operation is asynchronous and returns before the WorkSpaces have been completely terminated. After a WorkSpace is terminated, the TERMINATED state is returned only briefly before the WorkSpace directory metadata is cleaned up, so this state is rarely returned. To confirm that a WorkSpace is terminated, check for the WorkSpace ID by using DescribeWorkSpaces. If the WorkSpace ID isn't returned, then the WorkSpace has been successfully terminated. Simple AD and AD Connector are made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD or AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Services pricing terms. To delete empty directories, see Delete the Directory for Your WorkSpaces. If you delete your Simple AD or AD Connector directory, you can always create a new one when you want to start using WorkSpaces again
update-connection-alias-permissionShares or unshares a connection alias with one account by specifying whether that account has permission to associate the connection alias with a directory. If the association permission is granted, the connection alias is shared with that account. If the association permission is revoked, the connection alias is unshared with the account. For more information, see Cross-Region Redirection for Amazon WorkSpaces. Before performing this operation, call DescribeConnectionAliases to make sure that the current state of the connection alias is CREATED. To delete a connection alias that has been shared, the shared account must first disassociate the connection alias from any directories it has been associated with. Then you must unshare the connection alias from the account it has been shared with. You can delete a connection alias only after it is no longer shared with any accounts or associated with any directories
update-rules-of-ip-groupReplaces the current rules of the specified IP access control group with the specified rules
update-workspace-bundleUpdates a WorkSpace bundle with a new image. For more information about updating WorkSpace bundles, see Update a Custom WorkSpaces Bundle. Existing WorkSpaces aren't automatically updated when you update the bundle that they're based on. To update existing WorkSpaces that are based on a bundle that you've updated, you must either rebuild the WorkSpaces or delete and recreate them
update-workspace-image-permissionShares or unshares an image with one account in the same AWS Region by specifying whether that account has permission to copy the image. If the copy image permission is granted, the image is shared with that account. If the copy image permission is revoked, the image is unshared with the account. After an image has been shared, the recipient account can copy the image to other AWS Regions as needed. In the China (Ningxia) Region, you can copy images only within the same Region. In the AWS GovCloud (US-West) Region, to copy images to and from other AWS Regions, contact AWS Support. For more information about sharing images, see Share or Unshare a Custom WorkSpaces Image. To delete an image that has been shared, you must unshare the image before you delete it. Sharing Bring Your Own License (BYOL) images across AWS accounts isn't supported at this time in the AWS GovCloud (US-West) Region. To share BYOL images across accounts in the AWS GovCloud (US-West) Region, contact AWS Support