AWS WorkSpace instance EBS volumes are not encrypted
- Contextual name: WorkSpace instance EBS volumes are not encrypted
- ID: /ce/ca/aws/workspaces/workspace-storage-encryption
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
- AWS WorkSpace
- AWS WorkSpace - object.extracts.yaml
- test-data.json
Similar Policies
- AWS Security Hub: [WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest
- AWS Security Hub: [WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest
- Cloud Conformity: WorkSpaces Storage Encryption
Description
This policy identifies Amazon WorkSpaces where EBS volume encryption is not enabled for the root (OS) volume or the user (Data) volume.
Rationale
Amazon WorkSpaces store user profiles, documents, and application data. Encryption at rest ensures that data remains unreadable if the underlying storage media is compromised or accessed without authorization. This is a critical control for protecting end-user computing environments.
Audit
This policy flags an Amazon WorkSpace as INCOMPLIANT if Root Volume Encryption Enabled or User Volume Encryption Enabled is not set to true. WorkSpaces in the AVAILABLE State are marked as INAPPLICABLE.
Remediation
Enable EBS Volume Encryption
Amazon WorkSpaces does not support enabling encryption on existing WorkSpaces. To remediate this finding, recreate the affected WorkSpace with EBS volume encryption enabled.
From Console
- Open the Amazon WorkSpaces console.
- Choose Create WorkSpaces and complete the first three setup steps.
- On the Customization step:
- Select Encrypt root volume and Encrypt user volume.
- For Encryption Key, select a customer-managed KMS key.
Note: The selected KMS key must be symmetric, because Amazon WorkSpaces does not support asymmetric KMS keys.
- Choose Create WorkSpace to finish the WorkSpaces creation process.
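The audit rule above and the console remediation both map directly onto the WorkSpaces API. The following added example (not Cloudaware's prod.logic.yaml and not AWS code) evaluates WorkSpace records shaped like the entries that boto3's `workspaces.describe_workspaces()` returns, using the real `RootVolumeEncryptionEnabled`, `UserVolumeEncryptionEnabled`, `State` and `VolumeEncryptionKey` fields, and builds the `create_workspaces()` request that recreates a WorkSpace with both volumes encrypted under a customer-managed key. The sample WorkSpace records, the directory, bundle and key identifiers, and the choice to evaluate only WorkSpaces in the AVAILABLE state (everything else reported as INAPPLICABLE) are assumptions made for the example; adjust `APPLICABLE_STATES` to match the state gate your policy actually applies.

```python
"""Evaluate Amazon WorkSpaces for EBS volume encryption and build an
encrypted replacement request.

Added example, not Cloudaware's prod.logic.yaml. The checks operate on dicts
shaped like boto3 workspaces.describe_workspaces() entries; the WorkSpace
records at the bottom are constructed sample data.
"""
from typing import Iterable

# Assumption: only WorkSpaces in these states are evaluated; all others are
# reported as INAPPLICABLE (change this to match the policy's state gate).
APPLICABLE_STATES = frozenset({"AVAILABLE"})


def evaluate_workspace(ws: dict, applicable_states=APPLICABLE_STATES) -> dict:
    """Return {'WorkspaceId', 'status', 'reason'} for one WorkSpace record."""
    ws_id = ws.get("WorkspaceId", "<unknown>")
    state = ws.get("State")
    if state not in applicable_states:
        return {"WorkspaceId": ws_id, "status": "INAPPLICABLE",
                "reason": f"State is {state}"}
    # A missing flag counts as not encrypted; only an explicit True passes.
    unencrypted = [
        label for label, key in (("root", "RootVolumeEncryptionEnabled"),
                                 ("user", "UserVolumeEncryptionEnabled"))
        if ws.get(key) is not True
    ]
    if unencrypted:
        return {"WorkspaceId": ws_id, "status": "INCOMPLIANT",
                "reason": "volume encryption not enabled: " + ", ".join(unencrypted)}
    return {"WorkspaceId": ws_id, "status": "COMPLIANT",
            "reason": "root and user volumes encrypted",
            "kms_key": ws.get("VolumeEncryptionKey")}


def evaluate_all(workspaces: Iterable[dict]) -> dict:
    """Group findings by status so a report can list each bucket."""
    report = {"COMPLIANT": [], "INCOMPLIANT": [], "INAPPLICABLE": []}
    for ws in workspaces:
        finding = evaluate_workspace(ws)
        report[finding["status"]].append(finding)
    return report


def encrypted_workspace_request(directory_id: str, user_name: str,
                                bundle_id: str, kms_key_id: str) -> dict:
    """Build one WorkspaceRequest entry for workspaces.create_workspaces()
    with both volumes encrypted under a customer-managed symmetric KMS key,
    the API counterpart of the console remediation steps."""
    return {
        "DirectoryId": directory_id,
        "UserName": user_name,
        "BundleId": bundle_id,
        "RootVolumeEncryptionEnabled": True,
        "UserVolumeEncryptionEnabled": True,
        "VolumeEncryptionKey": kms_key_id,
    }


def fetch_workspaces(region_name: str) -> Iterable[dict]:
    """Live inventory via boto3 (not exercised by the offline sample run)."""
    import boto3  # imported lazily so the sample run needs no AWS SDK
    client = boto3.client("workspaces", region_name=region_name)
    for page in client.get_paginator("describe_workspaces").paginate():
        yield from page["Workspaces"]


# Constructed sample records mimicking describe_workspaces() output.
SAMPLE_WORKSPACES = [
    {"WorkspaceId": "ws-sample0001", "State": "AVAILABLE",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True,
     "VolumeEncryptionKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"WorkspaceId": "ws-sample0002", "State": "AVAILABLE",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": False},
    {"WorkspaceId": "ws-sample0003", "State": "AVAILABLE"},  # flags absent
    {"WorkspaceId": "ws-sample0004", "State": "PENDING",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True},
]

if __name__ == "__main__":
    for status, findings in evaluate_all(SAMPLE_WORKSPACES).items():
        for f in findings:
            print(f"{f['WorkspaceId']:16} {status:12} {f['reason']}")
```

Run it as-is to see the three verdicts on the constructed records; replace `SAMPLE_WORKSPACES` with `fetch_workspaces("us-east-1")` to evaluate a real account. Treating an absent flag as "not encrypted" rather than "unknown" is deliberate: a WorkSpace that cannot prove encryption should surface as a finding, not silently pass.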
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest | 1 | no data | | | |
| AWS Foundational Security Best Practices v1.0.0 → [WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest | 1 | no data | | | |
| Cloudaware Framework → Data Encryption | 61 | no data | | | |