Automating Clean and Cost-Efficient AWS WorkSpaces Environments

As more enterprises move away from traditional Virtual Desktop Infrastructure (VDI) offerings and take greater advantage of cloud-based solutions such as AWS WorkSpaces, keeping costs in mind can become difficult and a burden to manage at scale. An automated WorkSpaces Terminator can provide cost savings and keep WorkSpaces environments clean.

Improper WorkSpaces Management Can Cost Big

Although provisioning and decommissioning desktops can be done easily with a few clicks, it’s not a reliable way to manage costs. This manual approach can also lead to numerous WorkSpaces running that have not been used for long periods of time, or have never been logged into.

Although more flexible and cost-effective than traditional VDI solutions, WorkSpaces can become a runaway cost if not managed properly. Having them set to AlwaysOn can be a high recurring cost of $80+ for each resource every month. And even with the auto-shutoff feature engaged, base costs can add up very quickly if there are hundreds or thousands of unused resources in your AWS environment.

How WorkSpaces Terminator Works

At a high level, an AWS Lambda function terminates WorkSpaces which have not been logged into for a configured number of days. In terms of more granular features and capabilities, there is a lot going on!

Unused WorkSpaces Terminator’s reference architecture, showing the trigger and result of the Lambda function

This function would ideally get invoked every day and gather a list of all the WorkSpaces resources running in your region. From there, it uses the LastKnownUserConnection object to create a dictionary of the instanceID and the date of last known usage.

Next, each instance is compared against three-day ranges set during deployment. The first and second days are used as a “warning” to state that an instance has not been logged into for x number of days. The last day is used as the termination date—after x number of days, the instance is automatically terminated by the function. When dates are compared, the Lambda function also grabs the username of the resource.

If WorkSpaces are out of compliance or terminated, an SNS message is triggered in JSON payload format, containing information such as account number, user, region, resourceId, and date. The date is the number of days the instance has not been logged into. The idea behind creating a JSON payload with important information is to give flexibility to the end-user on how the data should be consumed.

JSON payload for AWS WorkSpaces Terminator

Operationalizing WorkSpaces Terminator

A quick way to stay informed is to have an admin subscribe to the topic. This allows them to see all of the resources that are out of compliance.

Another solution is to have a separate internal Lambda subscribe to the SNS topic, where it will dice the payload and then post information to IM (either directly to the user or another admin).

Additionally, you can rest easy knowing that if WorkSpaces have never been logged into, termination will not be performed, but rather noted in the log details. It is always best practice to take a conservative approach when terminating resources, thus minimizing the risks of deleting something that was not meant to be removed.

Clean WorkSpaces Lead to Cost Savings

The cost of running this script is negligible compared to the upside of savings it brings. When testing on an environment with 300 WorkSpaces and 100+ unused resources, the script ran for under 8 seconds, with about 70 megabytes used. This puts it well into the free tier for cost of operating for most clients. With a cleaner WorkSpaces environment, this would run even faster, reducing the cost to operate further.

To learn more about optimizing your AWS cloud with security and cost in mind, download our Launch Your AWS Cloud to New Heights guide.