The aws:workspacesweb/userSettings:UserSettings resource, part of the Pulumi AWS provider, defines user settings that control data transfer, toolbar appearance, and session behavior for WorkSpaces Web streaming sessions. This guide focuses on three capabilities: data transfer permissions, toolbar customization, and session timeouts with encryption.
User settings are associated with a WorkSpaces Web portal after creation. The examples are intentionally small. Combine them with your own portal resources and security policies.
Control data transfer between sessions and local devices
WorkSpaces Web deployments start by defining which operations users can perform between their streaming session and local device.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.workspacesweb.UserSettings("example", {
copyAllowed: "Enabled",
downloadAllowed: "Enabled",
pasteAllowed: "Enabled",
printAllowed: "Enabled",
uploadAllowed: "Enabled",
});
import pulumi
import pulumi_aws as aws
example = aws.workspacesweb.UserSettings("example",
copy_allowed="Enabled",
download_allowed="Enabled",
paste_allowed="Enabled",
print_allowed="Enabled",
upload_allowed="Enabled")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workspacesweb.NewUserSettings(ctx, "example", &workspacesweb.UserSettingsArgs{
CopyAllowed: pulumi.String("Enabled"),
DownloadAllowed: pulumi.String("Enabled"),
PasteAllowed: pulumi.String("Enabled"),
PrintAllowed: pulumi.String("Enabled"),
UploadAllowed: pulumi.String("Enabled"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.WorkSpacesWeb.UserSettings("example", new()
{
CopyAllowed = "Enabled",
DownloadAllowed = "Enabled",
PasteAllowed = "Enabled",
PrintAllowed = "Enabled",
UploadAllowed = "Enabled",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.UserSettings;
import com.pulumi.aws.workspacesweb.UserSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new UserSettings("example", UserSettingsArgs.builder()
.copyAllowed("Enabled")
.downloadAllowed("Enabled")
.pasteAllowed("Enabled")
.printAllowed("Enabled")
.uploadAllowed("Enabled")
.build());
}
}
resources:
example:
type: aws:workspacesweb:UserSettings
properties:
copyAllowed: Enabled
downloadAllowed: Enabled
pasteAllowed: Enabled
printAllowed: Enabled
uploadAllowed: Enabled
Each property controls a specific data transfer operation. Set each to “Enabled” or “Disabled” based on your security requirements. These settings apply to all sessions that use this configuration. Without additional configuration, sessions use default timeout behavior and no toolbar customization.
Customize the streaming session toolbar
The toolbar provides users with controls during their session. Organizations customize its appearance and available features to match security policies.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.workspacesweb.UserSettings("example", {
copyAllowed: "Enabled",
downloadAllowed: "Enabled",
pasteAllowed: "Enabled",
printAllowed: "Enabled",
uploadAllowed: "Enabled",
toolbarConfiguration: {
toolbarType: "Docked",
visualMode: "Dark",
hiddenToolbarItems: [
"Webcam",
"Microphone",
],
},
});
import pulumi
import pulumi_aws as aws
example = aws.workspacesweb.UserSettings("example",
copy_allowed="Enabled",
download_allowed="Enabled",
paste_allowed="Enabled",
print_allowed="Enabled",
upload_allowed="Enabled",
toolbar_configuration={
"toolbar_type": "Docked",
"visual_mode": "Dark",
"hidden_toolbar_items": [
"Webcam",
"Microphone",
],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workspacesweb.NewUserSettings(ctx, "example", &workspacesweb.UserSettingsArgs{
CopyAllowed: pulumi.String("Enabled"),
DownloadAllowed: pulumi.String("Enabled"),
PasteAllowed: pulumi.String("Enabled"),
PrintAllowed: pulumi.String("Enabled"),
UploadAllowed: pulumi.String("Enabled"),
ToolbarConfiguration: &workspacesweb.UserSettingsToolbarConfigurationArgs{
ToolbarType: pulumi.String("Docked"),
VisualMode: pulumi.String("Dark"),
HiddenToolbarItems: pulumi.StringArray{
pulumi.String("Webcam"),
pulumi.String("Microphone"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.WorkSpacesWeb.UserSettings("example", new()
{
CopyAllowed = "Enabled",
DownloadAllowed = "Enabled",
PasteAllowed = "Enabled",
PrintAllowed = "Enabled",
UploadAllowed = "Enabled",
ToolbarConfiguration = new Aws.WorkSpacesWeb.Inputs.UserSettingsToolbarConfigurationArgs
{
ToolbarType = "Docked",
VisualMode = "Dark",
HiddenToolbarItems = new[]
{
"Webcam",
"Microphone",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.UserSettings;
import com.pulumi.aws.workspacesweb.UserSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.UserSettingsToolbarConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new UserSettings("example", UserSettingsArgs.builder()
.copyAllowed("Enabled")
.downloadAllowed("Enabled")
.pasteAllowed("Enabled")
.printAllowed("Enabled")
.uploadAllowed("Enabled")
.toolbarConfiguration(UserSettingsToolbarConfigurationArgs.builder()
.toolbarType("Docked")
.visualMode("Dark")
.hiddenToolbarItems(
"Webcam",
"Microphone")
.build())
.build());
}
}
resources:
example:
type: aws:workspacesweb:UserSettings
properties:
copyAllowed: Enabled
downloadAllowed: Enabled
pasteAllowed: Enabled
printAllowed: Enabled
uploadAllowed: Enabled
toolbarConfiguration:
toolbarType: Docked
visualMode: Dark
hiddenToolbarItems:
- Webcam
- Microphone
The toolbarConfiguration property controls toolbar behavior. The toolbarType determines whether the toolbar is docked or floating. The visualMode sets light or dark appearance. The hiddenToolbarItems array removes specific features like webcam or microphone access from the toolbar.
Add encryption, timeouts, and cookie synchronization
Production deployments add session timeout controls, customer-managed encryption, and cookie synchronization rules.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.kms.Key("example", {
description: "KMS key for WorkSpaces Web User Settings",
deletionWindowInDays: 7,
});
const exampleUserSettings = new aws.workspacesweb.UserSettings("example", {
copyAllowed: "Enabled",
downloadAllowed: "Enabled",
pasteAllowed: "Enabled",
printAllowed: "Enabled",
uploadAllowed: "Enabled",
deepLinkAllowed: "Enabled",
disconnectTimeoutInMinutes: 30,
idleDisconnectTimeoutInMinutes: 15,
customerManagedKey: example.arn,
additionalEncryptionContext: {
Environment: "Production",
},
toolbarConfiguration: {
toolbarType: "Docked",
visualMode: "Dark",
hiddenToolbarItems: [
"Webcam",
"Microphone",
],
maxDisplayResolution: "size1920X1080",
},
cookieSynchronizationConfiguration: {
allowlists: [{
domain: "example.com",
path: "/path",
}],
blocklists: [{
domain: "blocked.com",
}],
},
tags: {
Name: "example-user-settings",
},
});
import pulumi
import pulumi_aws as aws
example = aws.kms.Key("example",
description="KMS key for WorkSpaces Web User Settings",
deletion_window_in_days=7)
example_user_settings = aws.workspacesweb.UserSettings("example",
copy_allowed="Enabled",
download_allowed="Enabled",
paste_allowed="Enabled",
print_allowed="Enabled",
upload_allowed="Enabled",
deep_link_allowed="Enabled",
disconnect_timeout_in_minutes=30,
idle_disconnect_timeout_in_minutes=15,
customer_managed_key=example.arn,
additional_encryption_context={
"Environment": "Production",
},
toolbar_configuration={
"toolbar_type": "Docked",
"visual_mode": "Dark",
"hidden_toolbar_items": [
"Webcam",
"Microphone",
],
"max_display_resolution": "size1920X1080",
},
cookie_synchronization_configuration={
"allowlists": [{
"domain": "example.com",
"path": "/path",
}],
"blocklists": [{
"domain": "blocked.com",
}],
},
tags={
"Name": "example-user-settings",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("KMS key for WorkSpaces Web User Settings"),
DeletionWindowInDays: pulumi.Int(7),
})
if err != nil {
return err
}
_, err = workspacesweb.NewUserSettings(ctx, "example", &workspacesweb.UserSettingsArgs{
CopyAllowed: pulumi.String("Enabled"),
DownloadAllowed: pulumi.String("Enabled"),
PasteAllowed: pulumi.String("Enabled"),
PrintAllowed: pulumi.String("Enabled"),
UploadAllowed: pulumi.String("Enabled"),
DeepLinkAllowed: pulumi.String("Enabled"),
DisconnectTimeoutInMinutes: pulumi.Int(30),
IdleDisconnectTimeoutInMinutes: pulumi.Int(15),
CustomerManagedKey: example.Arn,
AdditionalEncryptionContext: pulumi.StringMap{
"Environment": pulumi.String("Production"),
},
ToolbarConfiguration: &workspacesweb.UserSettingsToolbarConfigurationArgs{
ToolbarType: pulumi.String("Docked"),
VisualMode: pulumi.String("Dark"),
HiddenToolbarItems: pulumi.StringArray{
pulumi.String("Webcam"),
pulumi.String("Microphone"),
},
MaxDisplayResolution: pulumi.String("size1920X1080"),
},
CookieSynchronizationConfiguration: &workspacesweb.UserSettingsCookieSynchronizationConfigurationArgs{
Allowlists: workspacesweb.UserSettingsCookieSynchronizationConfigurationAllowlistArray{
&workspacesweb.UserSettingsCookieSynchronizationConfigurationAllowlistArgs{
Domain: pulumi.String("example.com"),
Path: pulumi.String("/path"),
},
},
Blocklists: workspacesweb.UserSettingsCookieSynchronizationConfigurationBlocklistArray{
&workspacesweb.UserSettingsCookieSynchronizationConfigurationBlocklistArgs{
Domain: pulumi.String("blocked.com"),
},
},
},
Tags: pulumi.StringMap{
"Name": pulumi.String("example-user-settings"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Kms.Key("example", new()
{
Description = "KMS key for WorkSpaces Web User Settings",
DeletionWindowInDays = 7,
});
var exampleUserSettings = new Aws.WorkSpacesWeb.UserSettings("example", new()
{
CopyAllowed = "Enabled",
DownloadAllowed = "Enabled",
PasteAllowed = "Enabled",
PrintAllowed = "Enabled",
UploadAllowed = "Enabled",
DeepLinkAllowed = "Enabled",
DisconnectTimeoutInMinutes = 30,
IdleDisconnectTimeoutInMinutes = 15,
CustomerManagedKey = example.Arn,
AdditionalEncryptionContext =
{
{ "Environment", "Production" },
},
ToolbarConfiguration = new Aws.WorkSpacesWeb.Inputs.UserSettingsToolbarConfigurationArgs
{
ToolbarType = "Docked",
VisualMode = "Dark",
HiddenToolbarItems = new[]
{
"Webcam",
"Microphone",
},
MaxDisplayResolution = "size1920X1080",
},
CookieSynchronizationConfiguration = new Aws.WorkSpacesWeb.Inputs.UserSettingsCookieSynchronizationConfigurationArgs
{
Allowlists = new[]
{
new Aws.WorkSpacesWeb.Inputs.UserSettingsCookieSynchronizationConfigurationAllowlistArgs
{
Domain = "example.com",
Path = "/path",
},
},
Blocklists = new[]
{
new Aws.WorkSpacesWeb.Inputs.UserSettingsCookieSynchronizationConfigurationBlocklistArgs
{
Domain = "blocked.com",
},
},
},
Tags =
{
{ "Name", "example-user-settings" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.workspacesweb.UserSettings;
import com.pulumi.aws.workspacesweb.UserSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.UserSettingsToolbarConfigurationArgs;
import com.pulumi.aws.workspacesweb.inputs.UserSettingsCookieSynchronizationConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Key("example", KeyArgs.builder()
.description("KMS key for WorkSpaces Web User Settings")
.deletionWindowInDays(7)
.build());
var exampleUserSettings = new UserSettings("exampleUserSettings", UserSettingsArgs.builder()
.copyAllowed("Enabled")
.downloadAllowed("Enabled")
.pasteAllowed("Enabled")
.printAllowed("Enabled")
.uploadAllowed("Enabled")
.deepLinkAllowed("Enabled")
.disconnectTimeoutInMinutes(30)
.idleDisconnectTimeoutInMinutes(15)
.customerManagedKey(example.arn())
.additionalEncryptionContext(Map.of("Environment", "Production"))
.toolbarConfiguration(UserSettingsToolbarConfigurationArgs.builder()
.toolbarType("Docked")
.visualMode("Dark")
.hiddenToolbarItems(
"Webcam",
"Microphone")
.maxDisplayResolution("size1920X1080")
.build())
.cookieSynchronizationConfiguration(UserSettingsCookieSynchronizationConfigurationArgs.builder()
.allowlists(UserSettingsCookieSynchronizationConfigurationAllowlistArgs.builder()
.domain("example.com")
.path("/path")
.build())
.blocklists(UserSettingsCookieSynchronizationConfigurationBlocklistArgs.builder()
.domain("blocked.com")
.build())
.build())
.tags(Map.of("Name", "example-user-settings"))
.build());
}
}
resources:
example:
type: aws:kms:Key
properties:
description: KMS key for WorkSpaces Web User Settings
deletionWindowInDays: 7
exampleUserSettings:
type: aws:workspacesweb:UserSettings
name: example
properties:
copyAllowed: Enabled
downloadAllowed: Enabled
pasteAllowed: Enabled
printAllowed: Enabled
uploadAllowed: Enabled
deepLinkAllowed: Enabled
disconnectTimeoutInMinutes: 30
idleDisconnectTimeoutInMinutes: 15
customerManagedKey: ${example.arn}
additionalEncryptionContext:
Environment: Production
toolbarConfiguration:
toolbarType: Docked
visualMode: Dark
hiddenToolbarItems:
- Webcam
- Microphone
maxDisplayResolution: size1920X1080
cookieSynchronizationConfiguration:
allowlists:
- domain: example.com
path: /path
blocklists:
- domain: blocked.com
tags:
Name: example-user-settings
The disconnectTimeoutInMinutes property keeps sessions active after users disconnect, allowing reconnection without losing state. The idleDisconnectTimeoutInMinutes property terminates inactive sessions to reduce costs. The customerManagedKey property encrypts user settings data with your own KMS key. The cookieSynchronizationConfiguration property defines which cookies sync between local and remote browsers using allowlists and blocklists with domain and path patterns.
Beyond these examples
These snippets focus on specific user settings features: data transfer controls, toolbar customization, and session timeouts and encryption. They’re intentionally minimal rather than full WorkSpaces Web deployments.
The examples assume pre-existing infrastructure such as a WorkSpaces Web portal for association. They focus on configuring user settings rather than provisioning the complete portal environment.
To keep things focused, common user settings patterns are omitted, including:
- Portal association (associatedPortalArns is output-only)
- Deep link configuration beyond enable/disable
- Cookie synchronization path patterns and wildcards
- Display resolution limits (maxDisplayResolution in toolbarConfiguration)
These omissions are intentional: the goal is to illustrate how each user settings feature is wired, not provide drop-in portal modules. See the WorkSpaces Web UserSettings resource reference for all available configuration options.
Let's configure AWS WorkSpaces Web User Settings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Getting Started
What settings are required to create user settings?
You must configure six properties:
copyAllowed, downloadAllowed, pasteAllowed, printAllowed, uploadAllowed, and deepLinkAllowed. Each must be set to either Enabled or Disabled. The region property is also required but defaults to your provider configuration.What values can I use for data transfer permissions?
All data transfer permissions (
copyAllowed, downloadAllowed, pasteAllowed, printAllowed, uploadAllowed, deepLinkAllowed) accept only two values: Enabled or Disabled.Session Management
What's the difference between disconnect timeout and idle timeout?
disconnectTimeoutInMinutes (1-600) keeps the streaming session active after users disconnect. idleDisconnectTimeoutInMinutes (0-60) automatically disconnects users who are idle.What are the valid timeout ranges?
Disconnect timeout accepts 1 to 600 minutes. Idle disconnect timeout accepts 0 to 60 minutes.
Customization
How do I customize the toolbar appearance?
Configure
toolbarConfiguration with toolbarType (e.g., Docked), visualMode (e.g., Dark), hiddenToolbarItems (e.g., ['Webcam', 'Microphone']), and maxDisplayResolution (e.g., size1920X1080).How do I control which cookies are synchronized between browsers?
Use
cookieSynchronizationConfiguration with allowlists (specifying domain and optional path) to sync specific cookies, and blocklists (specifying domain) to block others.Security & Encryption
Can I encrypt user settings with my own KMS key?
Yes, set
customerManagedKey to your KMS key ARN. You can also provide additionalEncryptionContext for extra encryption metadata.How do user settings get associated with a web portal?
After creation, user settings can be associated with web portals. The
associatedPortalArns output property lists all associated portal ARNs.