🛡️ AWS WorkSpace instance EBS volumes are not encrypted🟢

• Contextual name: 🛡️ WorkSpace instance EBS volumes are not encrypted🟢
• ID: /ce/ca/aws/workspaces/workspace-storage-encryption
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS WorkSpace
  • 🔌 AWS WorkSpace - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest
• AWS Security Hub: [WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest
• Cloud Conformity: WorkSpaces Storage Encryption

Description

Open File

Description

This policy identifies AWS WorkSpaces where EBS volume encryption is not enabled for either the root volume (OS) or the user volume (Data).

Rationale

Amazon WorkSpaces store user profiles, documents, and application data. Enabling encryption at rest ensures that data remains unreadable if the underlying storage media is compromised or accessed without authorization. This is a critical control for protecting end-user computing environments.

Audit

This policy flags an Amazon WorkSpace as INCOMPLIANT if Root Volume Encryption Enabled or User Volume Encryption Enabled is not set to true.

WorkSpaces in the AVAILABLE State are marked as INAPPLICABLE.

Remediation

Open File

Remediation

Enable EBS Volume Encryption

Amazon WorkSpaces does not support enabling encryption on existing WorkSpaces. To remediate this finding, you must recreate the affected WorkSpace with EBS volume encryption enabled.

From Console

1. Open the Amazon WorkSpaces console.

2. Choose Create WorkSpaces and complete the first three setup steps.

3. On the Customization step:

   • Select Encrypt root volume and Encrypt user volume.

   • For Encryption Key, select a customer-managed KMS key that you created

     Note: The selected KMS key must be symmetric, as Amazon WorkSpaces does not support asymmetric KMS keys.

4. Choose Create WOrkSpace to finish the WorkSpaces creation process.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			70		no data