Windows Workers is an optional feature that processes certain files on Windows OS machines instead of a Linux-based ECS Cluster.
Due to technical reasons, certain types of input files, such as those generated by Masslynx spectrometers, cannot be processed in the ECS cluster. These input files must be processed separately on Windows OS machines. The TDP can create an AWS EC2 autoscaling group (ASG), which contains worker instances that run the latest AWS published version of Windows Server 2019. The Windows Workers feature handles this situation. This feature is optional and can be turned on or off using the stack parameter "EnableWinTaskScriptService". (See the Deployment topic for more details on parameters.)
Windows Workers have several security measures:
- No Access to Users: Windows Workers instances are created without creating user credentials, so it is impossible for anyone to log into them.
- Patch Auto-Updates: The stack contains a lambda function that checks weekly for a newer version of the AWS published image. If a newer version is found, the ASG is refreshed and all instances are replaced with new ones created from this image.
- Network Isolation: Windows workers can be deployed in a separate, isolated network segment that has no communication with the corporate network, the rest of the platform, or the Internet. It can even be in a separate VPC. The workers only need connectivity to a few AWS services, and the access can be achieved using VPC Endpoints. Network isolation, if implemented, makes it virtually impossible for malware to spread from the Internet to these machines, or from them to the corporate network.
The AWS services needed for this feature are:
Windows instances will send basic metrics to Cloudwatch and also the following logs:
- TDP specific logs
- Cloudwatch logs: C:\ProgramData\Amazon\AmazonCloudWatchAgent\Logs*.log
- Windows events: System (CRITICAL, ERROR), Application(WARNING, CRITICAL, ERROR)
Updated 6 months ago