Ensure user volumes are encrypted for AWS WorkSpaces

MEDIUM

Description

WorkSpaces can be encrypted with AWS Key Management Service (KMS) keys so that, from launch, the data they store at rest is protected. Root and user volumes can both be encrypted, and FIPS-validated keys are supported. For more information, see the AWS WorkSpaces documentation.
References:
https://docs.aws.amazon.com/workspaces/latest/adminguide/encrypt-workspaces.html

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the WorkSpaces console.
  2. Select Launch WorkSpaces and complete the first three steps.
  3. For the WorkSpaces Configuration step, do the following:
    a. Select the volumes to encrypt: Root Volume, User Volume, or both volumes.
    b. For Encryption Key, select an AWS KMS CMK.
  4. Select Next Step.
  5. Select WorkSpaces.

In Terraform -

  1. In the aws_workspaces_workspace resource, set the 'user_volume_encryption_enabled' field to 'true'.

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_workspace
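The Terraform remediation above, shown as an added example (not code from the policy page or from the provider docs): a non-compliant resource next to one that encrypts both volumes with a customer managed KMS key. The directory ID, bundle ID, user name and key description are placeholder values.

```hcl
# Added example, not from the original page. Identifiers below are placeholders.

# Customer managed KMS key used for the WorkSpaces volumes.
resource "aws_kms_key" "workspaces" {
  description         = "CMK for WorkSpaces volume encryption (placeholder)"
  enable_key_rotation = true
}

# Non-compliant: the encryption flags are omitted, so they default to false and
# the root and user volumes are created unencrypted.
resource "aws_workspaces_workspace" "unencrypted" {
  directory_id = "d-EXAMPLE0001" # placeholder
  bundle_id    = "wsb-EXAMPLE01" # placeholder
  user_name    = "example.user"  # placeholder
}

# Compliant: user volume encryption (the setting this rule checks) plus root
# volume encryption, both backed by the CMK above. These attributes are fixed at
# launch, so changing them on an existing WorkSpace replaces the resource.
resource "aws_workspaces_workspace" "encrypted" {
  directory_id = "d-EXAMPLE0001" # placeholder
  bundle_id    = "wsb-EXAMPLE01" # placeholder
  user_name    = "example.user"  # placeholder

  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = true
  volume_encryption_key          = aws_kms_key.workspaces.arn

  tags = {
    Compliance = "AC_AWS_0371"
  }
}
```

The key must be a symmetric KMS key in the same Region as the WorkSpace; a key ARN, key ID or alias is accepted for volume_encryption_key.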

Policy Details

Rule Reference ID: AC_AWS_0371
CSP: AWS
Remediation Available: Yes
Resource Category: Compute
Resource Type: WorkSpaces

Frameworks