Profile Applicability:

  • Level 1

Description:

Amazon WorkSpaces is a fully managed, secure desktop-as-a-service (DaaS) solution that allows you to provision and manage virtual desktops in the AWS cloud. Storage volumes in Amazon WorkSpaces contain the data associated with a user’s desktop environment. It is critical to ensure that storage volumes for Amazon WorkSpaces are encrypted to protect sensitive data at rest and meet compliance requirements.

Encryption ensures that the data stored in Amazon WorkSpaces is unreadable to unauthorized users or attackers. By enabling encryption for storage volumes, you secure both the operating system disk and user data disks, preventing potential data exposure and ensuring compliance with security standards and regulatory requirements.

Rationale:

Encrypting Amazon WorkSpaces storage volumes is essential for:

  • Data Protection: Protects sensitive data stored in the WorkSpace environment from unauthorized access and potential breaches.

  • Compliance: Meets regulatory requirements such as PCI DSS, HIPAA, and SOC 2, which often mandate encryption of data at rest.

  • Confidentiality: Prevents leakage of sensitive information in case of a security incident.

  • Security Best Practices: Aligns with AWS security best practices by leveraging built-in AWS encryption for protecting storage volumes.

Impact:

Pros:

  • Improved Data Security: Ensures that sensitive data stored in WorkSpaces is protected from unauthorized access.

  • Compliance Assurance: Helps meet compliance requirements for data protection in environments like healthcare, finance, and government.

  • No Additional Cost for Encryption: Amazon WorkSpaces encryption is enabled by default and does not incur additional charges for using the AWS Key Management Service (KMS) to manage encryption keys.

Cons:

  • Performance Overhead: Encrypted volumes may experience slight performance degradation compared to unencrypted volumes due to the encryption/decryption process.

  • Complexity: If encryption is not enabled by default, the setup process may require configuring and ensuring that all volumes are properly encrypted.

Default Value:

By default, Amazon WorkSpaces storage volumes are not encrypted when using certain configurations (e.g., older WorkSpaces or non-default configurations). However, newer WorkSpaces can have encryption enabled during creation.

Pre-requisite:

  • AWS IAM Permissions:

    • workspaces:CreateWorkspaces

    • workspaces:ModifyWorkspaceProperties

    • workspaces:DescribeWorkspaces

    • kms:ListAliases

    • kms:CreateKey

  • AWS CLI installed and configured.

  • Ensure that AWS KMS (Key Management Service) is enabled and configured for encryption.

  • An active Amazon WorkSpaces environment.

  • Basic understanding of Amazon WorkSpaces configurations and AWS KMS.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon WorkSpaces under Services.

  3. In the WorkSpaces Dashboard, review the configuration of your existing WorkSpaces.

  4. Check if storage volumes are encrypted:

    • For new WorkSpaces, confirm that encryption is enabled by default.

    • For existing WorkSpaces, go to the Directory and select the WorkSpaces that need to be reviewed.

  5. For existing WorkSpaces that are not encrypted, select Modify to enable encryption and apply the settings.

  6. Confirm that AWS KMS is being used to manage the encryption keys.

Using AWS CLI:

To check if Amazon WorkSpaces encryption is enabled for an existing WorkSpace, run:

aws workspaces describe-workspaces --workspace-ids <workspace-id>

  • Check the "RootVolumeEncryptionEnabled" and "UserVolumeEncryptionEnabled" fields. Both should be true if encryption is enabled.

If encryption is not enabled, to enable encryption on a new WorkSpace, use:

aws workspaces create-workspaces --workspaces DirectoryId=<directory-id>,UserName=<username>,BundleId=<bundle-id>,RootVolumeEncryptionEnabled=true,UserVolumeEncryptionEnabled=true

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon WorkSpaces.

  2. In the WorkSpaces Dashboard, click Create WorkSpace.

  3. Ensure that the Storage Encryption option is enabled when configuring the WorkSpace during creation:

    • Check the Encryption box for both Root volume and User volume.

    • Ensure that the AWS KMS key is selected for managing encryption.

  4. For existing WorkSpaces, navigate to the WorkSpaces Dashboard, select the WorkSpace, and click Modify to enable encryption.

  5. Apply the changes and verify that the WorkSpace is using the encrypted volumes.

Using AWS CLI:

To create a new WorkSpace with encryption enabled, run the following command:

aws workspaces create-workspaces --workspaces DirectoryId=<directory-id>,UserName=<username>,BundleId=<bundle-id>,RootVolumeEncryptionEnabled=true,UserVolumeEncryptionEnabled=true,VolumeEncryptionKey=<kms-key-id>

To modify an existing WorkSpace and enable encryption for volumes, run:

aws workspaces modify-workspace-properties --workspace-id <workspace-id> --workspace-properties volumeEncryptionEnabled=true

Confirm the encryption settings for the WorkSpace by describing it:

aws workspaces describe-workspaces --workspace-ids <workspace-id>
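As an added example (not part of this benchmark or of AWS's own tooling), the following Python script implements the check described under Test Plan against the JSON that `aws workspaces describe-workspaces --output json` emits, and builds the CreateWorkspaces request used in the creation step above with both volumes encrypted. The sample describe output, the IDs and the KMS alias are constructed placeholders; the field names are those of the WorkSpaces API, and a WorkSpace whose encryption flags are absent is treated as unencrypted.

```python
import json

# Constructed sample in the shape of `aws workspaces describe-workspaces --output json`
# (IDs and the key alias are placeholders, not real account data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"Workspaces": [
    {"WorkspaceId": "ws-example00001", "DirectoryId": "d-example0001", "UserName": "alice",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True,
     "VolumeEncryptionKey": "alias/example-workspaces-key"},
    {"WorkspaceId": "ws-example00002", "DirectoryId": "d-example0001", "UserName": "bob",
     "RootVolumeEncryptionEnabled": False, "UserVolumeEncryptionEnabled": True},
    # Older WorkSpaces may omit the flags entirely; absent is treated as unencrypted.
    {"WorkspaceId": "ws-example00003", "DirectoryId": "d-example0002", "UserName": "carol"},
]})


def find_unencrypted(describe_output):
    """Return one finding per WorkSpace where either volume is not encrypted.
    Both RootVolumeEncryptionEnabled and UserVolumeEncryptionEnabled must be true
    to pass; a missing flag counts as false (fail closed)."""
    findings = []
    for ws in json.loads(describe_output).get("Workspaces", []):
        root_ok = bool(ws.get("RootVolumeEncryptionEnabled", False))
        user_ok = bool(ws.get("UserVolumeEncryptionEnabled", False))
        if root_ok and user_ok:
            continue
        findings.append({
            "WorkspaceId": ws["WorkspaceId"],
            "DirectoryId": ws.get("DirectoryId"),
            "UserName": ws.get("UserName"),
            "RootVolumeEncryptionEnabled": root_ok,
            "UserVolumeEncryptionEnabled": user_ok,
        })
    return findings


def encrypted_workspace_request(directory_id, user_name, bundle_id, kms_key):
    """One entry for the CreateWorkspaces "Workspaces" list with both volumes
    encrypted under kms_key (a KMS key ID, ARN or alias). Wrap the list as
    {"Workspaces": [...]} and pass it with --cli-input-json file://request.json."""
    return {
        "DirectoryId": directory_id,
        "UserName": user_name,
        "BundleId": bundle_id,
        "RootVolumeEncryptionEnabled": True,
        "UserVolumeEncryptionEnabled": True,
        "VolumeEncryptionKey": kms_key,
    }
```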

Backout Plan:

Console Process

  1. Stop WorkSpaces:

    • Go to the WorkSpaces console and stop the encrypted WorkSpaces.

  2. Launch Non-Encrypted WorkSpaces:

    • Create a new WorkSpace without encryption.

  3. Transfer Data:

    • Copy user data from the encrypted WorkSpaces to the new WorkSpaces.

  4. Delete Encrypted WorkSpaces:

    • Terminate the encrypted WorkSpaces after verifying the data transfer.

CLI Process

  1. Stop WorkSpaces:

aws workspaces stop-workspaces --stop-workspace-requests WorkspaceId=<workspace-id>

  2. Launch Non-Encrypted WorkSpaces:

aws workspaces create-workspaces --workspaces file://<workspace-config-json>

  3. Transfer Data:

    • Move user data from encrypted to non-encrypted WorkSpaces.

  4. Terminate Encrypted WorkSpaces:

aws workspaces terminate-workspaces --terminate-workspace-requests WorkspaceId=<workspace-id>

Note:

  • Automated Monitoring: Set up CloudWatch metrics and SNS notifications to alert you when a WorkSpace is created without encryption, helping to ensure that all new resources comply with security requirements.

  • Testing Compatibility: Ensure that the applications running on Amazon WorkSpaces are compatible with encrypted volumes to prevent any application-related performance degradation.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |