The aws:workspacesweb/userSettings:UserSettings resource, part of the Pulumi AWS provider, defines user settings that control data transfer, toolbar appearance, and session behavior for WorkSpaces Web streaming sessions. This guide focuses on three capabilities: data transfer permissions, toolbar customization, and encryption with session timeouts.
User settings are associated with WorkSpaces Web portals after creation. The examples are intentionally small. Combine them with your own portal resources and organizational policies.
Control data transfer between sessions and local devices
WorkSpaces Web deployments begin by defining which operations users can perform between their streaming session and local device, enforcing security policies around data movement.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.workspacesweb.UserSettings("example", {
copyAllowed: "Enabled",
downloadAllowed: "Enabled",
pasteAllowed: "Enabled",
printAllowed: "Enabled",
uploadAllowed: "Enabled",
});
import pulumi
import pulumi_aws as aws
example = aws.workspacesweb.UserSettings("example",
copy_allowed="Enabled",
download_allowed="Enabled",
paste_allowed="Enabled",
print_allowed="Enabled",
upload_allowed="Enabled")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workspacesweb.NewUserSettings(ctx, "example", &workspacesweb.UserSettingsArgs{
CopyAllowed: pulumi.String("Enabled"),
DownloadAllowed: pulumi.String("Enabled"),
PasteAllowed: pulumi.String("Enabled"),
PrintAllowed: pulumi.String("Enabled"),
UploadAllowed: pulumi.String("Enabled"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.WorkSpacesWeb.UserSettings("example", new()
{
CopyAllowed = "Enabled",
DownloadAllowed = "Enabled",
PasteAllowed = "Enabled",
PrintAllowed = "Enabled",
UploadAllowed = "Enabled",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.UserSettings;
import com.pulumi.aws.workspacesweb.UserSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new UserSettings("example", UserSettingsArgs.builder()
.copyAllowed("Enabled")
.downloadAllowed("Enabled")
.pasteAllowed("Enabled")
.printAllowed("Enabled")
.uploadAllowed("Enabled")
.build());
}
}
resources:
example:
type: aws:workspacesweb:UserSettings
properties:
copyAllowed: Enabled
downloadAllowed: Enabled
pasteAllowed: Enabled
printAllowed: Enabled
uploadAllowed: Enabled
Each property controls a specific data transfer operation. Setting all to “Enabled” creates a permissive environment where users can freely move data. In restricted environments, you might disable downloadAllowed and uploadAllowed while keeping copyAllowed and pasteAllowed enabled for text-only workflows.
Customize the streaming session toolbar
The streaming session toolbar provides controls for webcam, microphone, and other features. Organizations often customize appearance and hide features that aren’t needed.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.workspacesweb.UserSettings("example", {
copyAllowed: "Enabled",
downloadAllowed: "Enabled",
pasteAllowed: "Enabled",
printAllowed: "Enabled",
uploadAllowed: "Enabled",
toolbarConfiguration: {
toolbarType: "Docked",
visualMode: "Dark",
hiddenToolbarItems: [
"Webcam",
"Microphone",
],
},
});
import pulumi
import pulumi_aws as aws
example = aws.workspacesweb.UserSettings("example",
copy_allowed="Enabled",
download_allowed="Enabled",
paste_allowed="Enabled",
print_allowed="Enabled",
upload_allowed="Enabled",
toolbar_configuration={
"toolbar_type": "Docked",
"visual_mode": "Dark",
"hidden_toolbar_items": [
"Webcam",
"Microphone",
],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workspacesweb.NewUserSettings(ctx, "example", &workspacesweb.UserSettingsArgs{
CopyAllowed: pulumi.String("Enabled"),
DownloadAllowed: pulumi.String("Enabled"),
PasteAllowed: pulumi.String("Enabled"),
PrintAllowed: pulumi.String("Enabled"),
UploadAllowed: pulumi.String("Enabled"),
ToolbarConfiguration: &workspacesweb.UserSettingsToolbarConfigurationArgs{
ToolbarType: pulumi.String("Docked"),
VisualMode: pulumi.String("Dark"),
HiddenToolbarItems: pulumi.StringArray{
pulumi.String("Webcam"),
pulumi.String("Microphone"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.WorkSpacesWeb.UserSettings("example", new()
{
CopyAllowed = "Enabled",
DownloadAllowed = "Enabled",
PasteAllowed = "Enabled",
PrintAllowed = "Enabled",
UploadAllowed = "Enabled",
ToolbarConfiguration = new Aws.WorkSpacesWeb.Inputs.UserSettingsToolbarConfigurationArgs
{
ToolbarType = "Docked",
VisualMode = "Dark",
HiddenToolbarItems = new[]
{
"Webcam",
"Microphone",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.UserSettings;
import com.pulumi.aws.workspacesweb.UserSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.UserSettingsToolbarConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new UserSettings("example", UserSettingsArgs.builder()
.copyAllowed("Enabled")
.downloadAllowed("Enabled")
.pasteAllowed("Enabled")
.printAllowed("Enabled")
.uploadAllowed("Enabled")
.toolbarConfiguration(UserSettingsToolbarConfigurationArgs.builder()
.toolbarType("Docked")
.visualMode("Dark")
.hiddenToolbarItems(
"Webcam",
"Microphone")
.build())
.build());
}
}
resources:
example:
type: aws:workspacesweb:UserSettings
properties:
copyAllowed: Enabled
downloadAllowed: Enabled
pasteAllowed: Enabled
printAllowed: Enabled
uploadAllowed: Enabled
toolbarConfiguration:
toolbarType: Docked
visualMode: Dark
hiddenToolbarItems:
- Webcam
- Microphone
The toolbarConfiguration property controls toolbar behavior. The toolbarType determines whether the toolbar is docked or floating; visualMode sets light or dark theme. The hiddenToolbarItems array removes specific controls from the user interface, here hiding webcam and microphone access.
Add encryption, timeouts, and cookie synchronization
Production deployments typically add customer-managed encryption, session timeout controls, and cookie synchronization rules.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.kms.Key("example", {
description: "KMS key for WorkSpaces Web User Settings",
deletionWindowInDays: 7,
});
const exampleUserSettings = new aws.workspacesweb.UserSettings("example", {
copyAllowed: "Enabled",
downloadAllowed: "Enabled",
pasteAllowed: "Enabled",
printAllowed: "Enabled",
uploadAllowed: "Enabled",
deepLinkAllowed: "Enabled",
disconnectTimeoutInMinutes: 30,
idleDisconnectTimeoutInMinutes: 15,
customerManagedKey: example.arn,
additionalEncryptionContext: {
Environment: "Production",
},
toolbarConfiguration: {
toolbarType: "Docked",
visualMode: "Dark",
hiddenToolbarItems: [
"Webcam",
"Microphone",
],
maxDisplayResolution: "size1920X1080",
},
cookieSynchronizationConfiguration: {
allowlists: [{
domain: "example.com",
path: "/path",
}],
blocklists: [{
domain: "blocked.com",
}],
},
tags: {
Name: "example-user-settings",
},
});
import pulumi
import pulumi_aws as aws
example = aws.kms.Key("example",
description="KMS key for WorkSpaces Web User Settings",
deletion_window_in_days=7)
example_user_settings = aws.workspacesweb.UserSettings("example",
copy_allowed="Enabled",
download_allowed="Enabled",
paste_allowed="Enabled",
print_allowed="Enabled",
upload_allowed="Enabled",
deep_link_allowed="Enabled",
disconnect_timeout_in_minutes=30,
idle_disconnect_timeout_in_minutes=15,
customer_managed_key=example.arn,
additional_encryption_context={
"Environment": "Production",
},
toolbar_configuration={
"toolbar_type": "Docked",
"visual_mode": "Dark",
"hidden_toolbar_items": [
"Webcam",
"Microphone",
],
"max_display_resolution": "size1920X1080",
},
cookie_synchronization_configuration={
"allowlists": [{
"domain": "example.com",
"path": "/path",
}],
"blocklists": [{
"domain": "blocked.com",
}],
},
tags={
"Name": "example-user-settings",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("KMS key for WorkSpaces Web User Settings"),
DeletionWindowInDays: pulumi.Int(7),
})
if err != nil {
return err
}
_, err = workspacesweb.NewUserSettings(ctx, "example", &workspacesweb.UserSettingsArgs{
CopyAllowed: pulumi.String("Enabled"),
DownloadAllowed: pulumi.String("Enabled"),
PasteAllowed: pulumi.String("Enabled"),
PrintAllowed: pulumi.String("Enabled"),
UploadAllowed: pulumi.String("Enabled"),
DeepLinkAllowed: pulumi.String("Enabled"),
DisconnectTimeoutInMinutes: pulumi.Int(30),
IdleDisconnectTimeoutInMinutes: pulumi.Int(15),
CustomerManagedKey: example.Arn,
AdditionalEncryptionContext: pulumi.StringMap{
"Environment": pulumi.String("Production"),
},
ToolbarConfiguration: &workspacesweb.UserSettingsToolbarConfigurationArgs{
ToolbarType: pulumi.String("Docked"),
VisualMode: pulumi.String("Dark"),
HiddenToolbarItems: pulumi.StringArray{
pulumi.String("Webcam"),
pulumi.String("Microphone"),
},
MaxDisplayResolution: pulumi.String("size1920X1080"),
},
CookieSynchronizationConfiguration: &workspacesweb.UserSettingsCookieSynchronizationConfigurationArgs{
Allowlists: workspacesweb.UserSettingsCookieSynchronizationConfigurationAllowlistArray{
&workspacesweb.UserSettingsCookieSynchronizationConfigurationAllowlistArgs{
Domain: pulumi.String("example.com"),
Path: pulumi.String("/path"),
},
},
Blocklists: workspacesweb.UserSettingsCookieSynchronizationConfigurationBlocklistArray{
&workspacesweb.UserSettingsCookieSynchronizationConfigurationBlocklistArgs{
Domain: pulumi.String("blocked.com"),
},
},
},
Tags: pulumi.StringMap{
"Name": pulumi.String("example-user-settings"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Kms.Key("example", new()
{
Description = "KMS key for WorkSpaces Web User Settings",
DeletionWindowInDays = 7,
});
var exampleUserSettings = new Aws.WorkSpacesWeb.UserSettings("example", new()
{
CopyAllowed = "Enabled",
DownloadAllowed = "Enabled",
PasteAllowed = "Enabled",
PrintAllowed = "Enabled",
UploadAllowed = "Enabled",
DeepLinkAllowed = "Enabled",
DisconnectTimeoutInMinutes = 30,
IdleDisconnectTimeoutInMinutes = 15,
CustomerManagedKey = example.Arn,
AdditionalEncryptionContext =
{
{ "Environment", "Production" },
},
ToolbarConfiguration = new Aws.WorkSpacesWeb.Inputs.UserSettingsToolbarConfigurationArgs
{
ToolbarType = "Docked",
VisualMode = "Dark",
HiddenToolbarItems = new[]
{
"Webcam",
"Microphone",
},
MaxDisplayResolution = "size1920X1080",
},
CookieSynchronizationConfiguration = new Aws.WorkSpacesWeb.Inputs.UserSettingsCookieSynchronizationConfigurationArgs
{
Allowlists = new[]
{
new Aws.WorkSpacesWeb.Inputs.UserSettingsCookieSynchronizationConfigurationAllowlistArgs
{
Domain = "example.com",
Path = "/path",
},
},
Blocklists = new[]
{
new Aws.WorkSpacesWeb.Inputs.UserSettingsCookieSynchronizationConfigurationBlocklistArgs
{
Domain = "blocked.com",
},
},
},
Tags =
{
{ "Name", "example-user-settings" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.workspacesweb.UserSettings;
import com.pulumi.aws.workspacesweb.UserSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.UserSettingsToolbarConfigurationArgs;
import com.pulumi.aws.workspacesweb.inputs.UserSettingsCookieSynchronizationConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Key("example", KeyArgs.builder()
.description("KMS key for WorkSpaces Web User Settings")
.deletionWindowInDays(7)
.build());
var exampleUserSettings = new UserSettings("exampleUserSettings", UserSettingsArgs.builder()
.copyAllowed("Enabled")
.downloadAllowed("Enabled")
.pasteAllowed("Enabled")
.printAllowed("Enabled")
.uploadAllowed("Enabled")
.deepLinkAllowed("Enabled")
.disconnectTimeoutInMinutes(30)
.idleDisconnectTimeoutInMinutes(15)
.customerManagedKey(example.arn())
.additionalEncryptionContext(Map.of("Environment", "Production"))
.toolbarConfiguration(UserSettingsToolbarConfigurationArgs.builder()
.toolbarType("Docked")
.visualMode("Dark")
.hiddenToolbarItems(
"Webcam",
"Microphone")
.maxDisplayResolution("size1920X1080")
.build())
.cookieSynchronizationConfiguration(UserSettingsCookieSynchronizationConfigurationArgs.builder()
.allowlists(UserSettingsCookieSynchronizationConfigurationAllowlistArgs.builder()
.domain("example.com")
.path("/path")
.build())
.blocklists(UserSettingsCookieSynchronizationConfigurationBlocklistArgs.builder()
.domain("blocked.com")
.build())
.build())
.tags(Map.of("Name", "example-user-settings"))
.build());
}
}
resources:
example:
type: aws:kms:Key
properties:
description: KMS key for WorkSpaces Web User Settings
deletionWindowInDays: 7
exampleUserSettings:
type: aws:workspacesweb:UserSettings
name: example
properties:
copyAllowed: Enabled
downloadAllowed: Enabled
pasteAllowed: Enabled
printAllowed: Enabled
uploadAllowed: Enabled
deepLinkAllowed: Enabled
disconnectTimeoutInMinutes: 30
idleDisconnectTimeoutInMinutes: 15
customerManagedKey: ${example.arn}
additionalEncryptionContext:
Environment: Production
toolbarConfiguration:
toolbarType: Docked
visualMode: Dark
hiddenToolbarItems:
- Webcam
- Microphone
maxDisplayResolution: size1920X1080
cookieSynchronizationConfiguration:
allowlists:
- domain: example.com
path: /path
blocklists:
- domain: blocked.com
tags:
Name: example-user-settings
The customerManagedKey property references a KMS key ARN for encrypting user settings data. The disconnectTimeoutInMinutes property keeps sessions active after users disconnect (useful for brief network interruptions), while idleDisconnectTimeoutInMinutes terminates inactive sessions to reduce costs. The cookieSynchronizationConfiguration property defines which cookies sync between local and remote browsers, using allowlists for permitted domains and blocklists for denied ones. The deepLinkAllowed property controls whether URLs can automatically open sessions.
Beyond these examples
These snippets focus on specific user settings features: data transfer controls, toolbar customization, and encryption and session timeouts. They’re intentionally minimal rather than complete WorkSpaces Web deployments.
The examples assume pre-existing infrastructure such as WorkSpaces Web portals (referenced via associatedPortalArns output). They focus on configuring user settings rather than provisioning the surrounding portal infrastructure.
To keep things focused, common user settings patterns are omitted, including:
- Portal association (associatedPortalArns is output-only)
- Deep link configuration beyond enable/disable
- Cookie synchronization path patterns and domain wildcards
- Display resolution limits (maxDisplayResolution in toolbarConfiguration)
These omissions are intentional: the goal is to illustrate how each user settings feature is wired, not provide drop-in WorkSpaces Web modules. See the WorkSpaces Web UserSettings resource reference for all available configuration options.
Let's configure AWS WorkSpaces Web User Settings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Required Configuration
What permissions must I configure when creating user settings?
You must configure five required permissions:
copyAllowed, downloadAllowed, pasteAllowed, printAllowed, and uploadAllowed. Each accepts either Enabled or Disabled.Do user settings take effect immediately after creation?
No, user settings must be associated with a web portal before they control data transfer between streaming sessions and local devices.
Session Timeouts
What are the timeout limits for WorkSpaces Web sessions?
The
disconnectTimeoutInMinutes ranges from 1 to 600 minutes (how long sessions stay active after disconnect), while idleDisconnectTimeoutInMinutes ranges from 0 to 60 minutes (how long users can be idle).What's the difference between disconnect timeout and idle disconnect timeout?
disconnectTimeoutInMinutes controls how long a session remains active after users disconnect, while idleDisconnectTimeoutInMinutes controls how long users can be inactive before being automatically disconnected.Security & Encryption
How do I encrypt user settings with my own KMS key?
Set
customerManagedKey to your KMS key ARN. You can optionally provide additionalEncryptionContext for extra encryption metadata.Toolbar Customization
How do I customize the toolbar appearance and behavior?
Configure toolbarConfiguration with these options:
- Toolbar type - Set
toolbarTypetoDockedorFloating - Visual mode - Set
visualModetoDarkorLight - Hidden items - Use
hiddenToolbarItemsarray (e.g.,Webcam,Microphone) - Display resolution - Set
maxDisplayResolution(e.g.,size1920X1080)
What toolbar items can I hide from users?
Use the
hiddenToolbarItems array in toolbarConfiguration. The examples show hiding Webcam and Microphone, though other toolbar items may be available.Cookie Management
How do I control which cookies sync between local and remote browsers?
Configure
cookieSynchronizationConfiguration with allowlists (domains/paths to sync) and blocklists (domains to block). Each entry can specify a domain and optional path.What's the purpose of the deepLinkAllowed setting?
deepLinkAllowed controls whether users can use deep links that open automatically when connecting to a session. Set it to Enabled or Disabled.