Ensure that Workspace root volumes are encrypted
ID | workspace_root_volume_encryption_disabled |
Severity | high |
Vendor | AWS |
Resource | WorkSpace |
Tags | reachable |
Description
Amazon WorkSpaces enables you to provision virtual, cloud-based Microsoft Windows, Amazon Linux, or Ubuntu Linux desktops for your users, known as WorkSpaces. WorkSpaces eliminates the need to procure and deploy hardware or install complex software. You can quickly add or remove users as your needs change. Users can access their virtual desktops from multiple devices or web browsers.
WorkSpaces is integrated with the AWS Key Management Service (AWS KMS). This enables you to encrypt the storage volumes of WorkSpaces using an AWS KMS key.
When you launch a WorkSpace, you can encrypt the root volume (for Microsoft Windows, the C drive; for Linux, /) and the user volume (for Windows, the D drive; for Linux, /home). Doing so ensures that the data stored at rest, disk I/O to the volume, and snapshots created from the volumes are all encrypted.
Examples
CloudFormation
{
  "Resources": {
    "MyWorkspace": { (1)
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "UserName": "test",
        "BundleId": "wsb-abc123456",
        "DirectoryId": "d-abc123456"
      }
    }
  }
}
1 | Missing RootVolumeEncryptionEnabled means the root volume is not being encrypted. |
Resources:
  MyWorkspace: (1)
    Type: AWS::WorkSpaces::Workspace
    Properties:
      UserName: test
      BundleId: wsb-abc123456
      DirectoryId: d-abc123456
1 | Missing RootVolumeEncryptionEnabled means the root volume is not being encrypted. |
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "MyWorkspace": {
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "UserName": "test",
        "BundleId": "wsb-abc123456",
        "DirectoryId": "d-abc123456",
        "RootVolumeEncryptionEnabled": true (1)
      }
    }
  }
}
1 | RootVolumeEncryptionEnabled set to true means the root volume is being encrypted. |
Resources:
  MyWorkspace:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      UserName: test
      BundleId: wsb-abc123456
      DirectoryId: d-abc123456
      RootVolumeEncryptionEnabled: true (1)
1 | RootVolumeEncryptionEnabled set to true means the root volume is being encrypted. |
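The following is an added example of how this rule can be checked statically at build time; it is not the vendor's scanner code. It loads a CloudFormation template (JSON via the standard library; YAML only if PyYAML happens to be installed, which is an assumption), walks the Resources section, and reports every AWS::WorkSpaces::Workspace resource whose RootVolumeEncryptionEnabled property is missing or false. It goes slightly beyond the page's two templates by also handling the case where the property is set through an intrinsic function such as Ref or Fn::If, which a static check cannot resolve and should report as unknown rather than as a pass. The sample templates embedded below are constructed from the examples on this page.

```python
"""Static build-time check for WorkSpaces root volume encryption (added example)."""
import json
from typing import Any, Dict, List, Tuple

WORKSPACE_TYPE = "AWS::WorkSpaces::Workspace"
# The property this rule checks. UserVolumeEncryptionEnabled is the sibling
# property for the user volume (D: on Windows, /home on Linux) and could be
# checked the same way.
ROOT_PROP = "RootVolumeEncryptionEnabled"

# Constructed sample inputs, taken from the failing and fixed templates above.
FAILING_TEMPLATE = (
    '{"Resources": {"MyWorkspace": {"Type": "AWS::WorkSpaces::Workspace", '
    '"Properties": {"UserName": "test", "BundleId": "wsb-abc123456", '
    '"DirectoryId": "d-abc123456"}}}}'
)
FIXED_TEMPLATE = (
    '{"Resources": {"MyWorkspace": {"Type": "AWS::WorkSpaces::Workspace", '
    '"Properties": {"UserName": "test", "BundleId": "wsb-abc123456", '
    '"DirectoryId": "d-abc123456", "RootVolumeEncryptionEnabled": true}}}}'
)

# (logical resource id, "PASSED" | "FAILED" | "UNKNOWN", human-readable reason)
Finding = Tuple[str, str, str]


def load_template(text: str) -> Dict[str, Any]:
    """Parse a CloudFormation template. JSON needs nothing beyond the standard
    library; YAML is attempted with PyYAML if it is installed (assumption).
    Templates using short-form tags such as !Ref need a custom YAML loader,
    which this example does not provide."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        pass
    try:
        import yaml  # type: ignore
    except ImportError as exc:
        raise ValueError("template is not JSON and PyYAML is not installed") from exc
    loaded = yaml.safe_load(text)
    if not isinstance(loaded, dict):
        raise ValueError("template did not parse to a mapping")
    return loaded


def _encryption_state(value: Any) -> Tuple[str, str]:
    """Classify a RootVolumeEncryptionEnabled value.

    Absent or false fails, because an unset property leaves the root volume
    unencrypted. Boolean properties are often written as the strings "true"
    and "false" in JSON templates, so those are accepted too. An intrinsic
    function (a mapping such as {"Ref": ...} or {"Fn::If": ...}) can only be
    resolved at deploy time, so it is reported as UNKNOWN, never as a pass."""
    if value is None:
        return "FAILED", f"{ROOT_PROP} is missing; root volume is not encrypted"
    if isinstance(value, bool):
        if value:
            return "PASSED", f"{ROOT_PROP} is true"
        return "FAILED", f"{ROOT_PROP} is false; root volume is not encrypted"
    if isinstance(value, str):
        normalised = value.strip().lower()
        if normalised == "true":
            return "PASSED", f"{ROOT_PROP} is \"true\""
        if normalised == "false":
            return "FAILED", f"{ROOT_PROP} is \"false\"; root volume is not encrypted"
        return "UNKNOWN", f"unrecognised value {value!r} for {ROOT_PROP}"
    if isinstance(value, dict):
        fn = next(iter(value), "?")
        return "UNKNOWN", f"{ROOT_PROP} set via intrinsic function {fn}; resolve at deploy time"
    return "UNKNOWN", f"unexpected value type {type(value).__name__} for {ROOT_PROP}"


def check_workspace_root_volume_encryption(template: Dict[str, Any]) -> List[Finding]:
    """Return one finding per AWS::WorkSpaces::Workspace resource in the template."""
    findings: List[Finding] = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != WORKSPACE_TYPE:
            continue
        props = resource.get("Properties") or {}
        status, reason = _encryption_state(props.get(ROOT_PROP))
        findings.append((logical_id, status, reason))
    return findings


if __name__ == "__main__":
    for label, text in (("failing", FAILING_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        for logical_id, status, reason in check_workspace_root_volume_encryption(load_template(text)):
            print(f"[{label}] {logical_id}: {status} - {reason}")
```

Run as a script, the failing template reports MyWorkspace as FAILED and the fixed one as PASSED. Treating an intrinsic-function value as UNKNOWN is the deliberate design choice: a scanner that silently passed a Ref to a parameter defaulting to false would miss exactly the misconfiguration this rule exists to catch.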