Ensure that Workspace user volumes are encrypted
ID: workspace_user_volume_encryption_disabled
Severity: high
Vendor: AWS
Resource: WorkSpace
Tags: reachable
Description
When you launch a WorkSpace, you can encrypt the root volume (for Microsoft Windows, the C drive; for Linux, /) and the user volume (for Windows, the D drive; for Linux, /home). Doing so ensures that the data stored at rest, disk I/O to the volume, and snapshots created from the volumes are all encrypted.
Examples
CloudFormation
{
  "Resources": {
    "MyWorkspace": { (1)
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "UserName": "test",
        "BundleId": "wsb-abc123456",
        "DirectoryId": "d-abc123456"
      }
    }
  }
}
(1) Missing UserVolumeEncryptionEnabled means user volumes are not being encrypted.
Resources:
  MyWorkspace: (1)
    Type: AWS::WorkSpaces::Workspace
    Properties:
      UserName: test
      BundleId: wsb-abc123456
      DirectoryId: d-abc123456
(1) Missing UserVolumeEncryptionEnabled means user volumes are not being encrypted.
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "MyWorkspace": {
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "UserName": "test",
        "BundleId": "wsb-abc123456",
        "DirectoryId": "d-abc123456",
        "UserVolumeEncryptionEnabled": true (1)
      }
    }
  }
}
(1) UserVolumeEncryptionEnabled set to true means user volumes are being encrypted.
Resources:
  MyWorkspace:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      UserName: test
      BundleId: wsb-abc123456
      DirectoryId: d-abc123456
      UserVolumeEncryptionEnabled: true (1)
(1) UserVolumeEncryptionEnabled set to true means user volumes are being encrypted.
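As an added example (not code from this page or from AWS), a small Python check that applies this policy at build time to a parsed CloudFormation JSON template and reports WorkSpace resources whose UserVolumeEncryptionEnabled is not literally true; the two embedded templates are constructed copies of the failing and fixed examples above.

```python
# Added example (not part of the original policy page): a build-time check that
# scans a CloudFormation template (parsed JSON) for AWS::WorkSpaces::Workspace
# resources whose UserVolumeEncryptionEnabled is not set to true.
import json

WORKSPACE_TYPE = "AWS::WorkSpaces::Workspace"
PROPERTY = "UserVolumeEncryptionEnabled"


def _is_true(value):
    """CloudFormation accepts a boolean as true or as the string "true"."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unencrypted_workspaces(template):
    """Return the logical IDs of WorkSpace resources that fail the check.

    A resource fails when the property is missing, false, or an intrinsic
    function (Ref / Fn::*) that cannot be resolved statically; those are
    reported for review rather than silently passed.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != WORKSPACE_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not _is_true(props.get(PROPERTY)):
            findings.append(logical_id)
    return findings


# Constructed sample templates mirroring the page's failing and fixed examples.
FAILING_TEMPLATE = {"Resources": {"MyWorkspace": {
    "Type": WORKSPACE_TYPE,
    "Properties": {"UserName": "test", "BundleId": "wsb-abc123456",
                   "DirectoryId": "d-abc123456"}}}}
FIXED_TEMPLATE = {"Resources": {"MyWorkspace": {
    "Type": WORKSPACE_TYPE,
    "Properties": {"UserName": "test", "BundleId": "wsb-abc123456",
                   "DirectoryId": "d-abc123456", PROPERTY: True}}}}

if __name__ == "__main__":
    # For a real template: find_unencrypted_workspaces(json.load(open(path)))
    for name, tpl in (("failing", FAILING_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, "->", find_unencrypted_workspaces(tpl) or "compliant")
```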