Description:

This policy ensures that Amazon WorkSpaces storage volumes are encrypted. Encryption of WorkSpaces storage volumes helps to protect data at rest from unauthorized access.

Rationale:

Data at rest on Amazon WorkSpaces storage volumes is not encrypted by default. If an attacker gains access to an unencrypted WorkSpaces storage volume, they could potentially access the data stored on the volume.

Impact:

If an attacker gains access to an unencrypted WorkSpaces storage volume, they could potentially access the data stored on the volume. This could include sensitive data such as customer PII, financial data, or intellectual property.

Default Value:

AWS recommends that Amazon WorkSpaces storage volumes be encrypted.

Prerequisites:

  • Access to the AWS Management Console or the AWS CLI.
  • The ability to create and manage AWS KMS keys.

Remediation Steps:

  • If Amazon WorkSpaces storage volumes are not currently encrypted, encrypt them using an AWS KMS key.
  • If Amazon WorkSpaces storage volumes are already encrypted, verify that the encryption is using a valid AWS KMS key.

Test Plan:

  • Use the AWS Management Console or the AWS CLI to verify that Amazon WorkSpaces storage volumes are encrypted.

Implementation Plan:

  • Create a process for encrypting Amazon WorkSpaces storage volumes.
  • Create a process for verifying that Amazon WorkSpaces storage volumes are encrypted.

AWS CLI Process:

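aws workspaces describe-workspaces
aws workspaces create-workspaces --workspaces DirectoryId=<directory-id>,UserName=<user-name>,BundleId=<bundle-id>,VolumeEncryptionKey=<kms-key-id>,RootVolumeEncryptionEnabled=true,UserVolumeEncryptionEnabled=true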
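
The verification called for in the Test Plan can be automated by checking the JSON that `aws workspaces describe-workspaces --output json` returns. The script below is an added example, not part of the original policy: the sample records, WorkSpace IDs and key ARN are constructed placeholders, and the approved-key list is an assumed way to decide what counts as a "valid" KMS key.

```python
import json
import sys

# Constructed sample shaped like `aws workspaces describe-workspaces --output json`.
APPROVED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-APPROVED"  # placeholder
SAMPLE = {"Workspaces": [
    {"WorkspaceId": "ws-example01", "VolumeEncryptionKey": APPROVED_KEY,
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True},
    {"WorkspaceId": "ws-example02", "VolumeEncryptionKey": APPROVED_KEY,
     "RootVolumeEncryptionEnabled": True},  # user volume flag absent
    {"WorkspaceId": "ws-example03"},         # no encryption fields at all
    {"WorkspaceId": "ws-example04", "VolumeEncryptionKey": "alias/unreviewed-key",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True},
]}


def audit_workspaces(response, approved_keys=None):
    """Return {workspace_id: [reasons]} for every non-compliant WorkSpace.

    A missing encryption flag is treated the same as False. If approved_keys
    is given, an encrypted WorkSpace must use one of those keys.
    """
    findings = {}
    for ws in response.get("Workspaces", []):
        reasons = []
        root = bool(ws.get("RootVolumeEncryptionEnabled"))
        user = bool(ws.get("UserVolumeEncryptionEnabled"))
        key = ws.get("VolumeEncryptionKey")
        if not root:
            reasons.append("root volume not encrypted")
        if not user:
            reasons.append("user volume not encrypted")
        if (root or user) and not key:
            reasons.append("no KMS key reported")
        elif key and approved_keys is not None and key not in approved_keys:
            reasons.append("KMS key not in approved list")
        if reasons:
            findings[ws.get("WorkspaceId", "<unknown>")] = reasons
    return findings


if __name__ == "__main__":
    # Piped input: audit real CLI output. No pipe: audit the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_workspaces(data, {APPROVED_KEY} if data is SAMPLE else None)
    for wsid, reasons in results.items():
        print(f"{wsid}: {'; '.join(reasons)}")
    sys.exit(1 if results else 0)
```

Saved under any file name (here `audit_workspaces.py`, a hypothetical name), it can be fed real output with `aws workspaces describe-workspaces --output json | python3 audit_workspaces.py`; a non-zero exit status means at least one WorkSpace failed the check.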

Using AWS GUI:

  1. Go to the AWS Management Console.
  2. Click on the "WorkSpaces" tab.
  3. Select the WorkSpace that you want to encrypt.
  4. Click on the "Settings" tab.
  5. Select the "Encryption" checkbox.
  6. Select the AWS KMS key that you want to use for encryption.

Backout Plan:

  • If Amazon WorkSpaces storage volumes are encrypted in error, you can decrypt them using the AWS KMS console or the AWS CLI.

Note:

  • This policy should be implemented in conjunction with other policies that ensure the security of Amazon WorkSpaces.
  • For more information, see the Amazon WorkSpaces documentation: https://docs.aws.amazon.com/workspaces/latest/adminguide/encrypt-workspaces.html.

Reference:

  • Amazon WorkSpaces documentation: https://docs.aws.amazon.com/workspaces/latest/adminguide/encrypt-workspaces.html

Tags and Keywords:

  • amazon workspaces
  • storage volumes
  • encryption
  • security
  • compliance