Logo of Trend Micro

WorkSpaces Storage Encryption

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: WS-005

Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements. Your data is transparently encrypted while being written and transparently decrypted while being read from your storage volumes, therefore the encryption process does not require any additional action from you, your WorkSpaces instance or your application. Encryption keys are managed by AWS KMS service, eliminating the need to build and maintain a secure key management infrastructure.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When working with production data it is highly recommended to implement encryption in order to protect this data from unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization.

Audit

To determine your WorkSpaces storage volumes encryption status, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to WorkSpaces dashboard at https://console.aws.amazon.com/workspaces/.

03 In the left navigation panel click WorkSpaces to access the instances listing page.

04 Check the storage volume(s) encryption status for each Amazon WorkSpaces instance available in the current AWS region, listed in Volume Encryption column, e.g.

Volume Encryption

If the value listed in the Volume Encryption column is Disabled, the selected AWS WorkSpaces instance volumes (root and user volumes) are not encrypted, therefore your data-at-rest is not protected from unauthorized access and does not meet the compliance requirements regarding data encryption.

05 Change the AWS region from the navigation bar and repeat step no. 4 for all other regions.

Using AWS CLI

01 Run describe-workspaces command (OSX/Linux/UNIX) using custom query filters to list the IDs of all AWS WorkSpaces instances available within the selected region: 

aws workspaces describe-workspaces
	--region us-east-1
	--output table
	--query 'Workspaces[*].WorkspaceId'

02 The command output should return a table with the requested WorkSpaces IDs: 

--------------------
|DescribeWorkspaces|
+------------------+
|   ws-aaabbbccc   |
|   ws-ccceeefff   |
+------------------+

03 Execute again describe-workspaces command (OSX/Linux/UNIX) using the name of the WorkSpaces instance as identifier and custom query filters to get the encryption status for both root and user storage volumes: 

aws workspaces describe-workspaces
	--region us-east-1
	--workspace-ids ws-aaabbbccc
	--query 'Workspaces[*].[RootVolumeEncryptionEnabled,UserVolumeEncryptionEnabled]'

04 The command output should return the encryption status (flag) for both root and user instance volumes (true for enabled, false for disabled): 

[
    [
        false,
        false
    ]
]

If the returned flag value for both root and user volumes is false (as shown in the output example above), the selected AWS WorkSpaces instance volumes are not encrypted, therefore your existing WorkSpaces data-at-rest is not fully protected against unauthorized access.

05 Repeat step no. 3 and 4 to verify the storage volumes encryption status for other AWS WorkSpaces instances provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To encrypt existing AWS WorkSpaces data you must re-create the necessary WorkSpaces instances with the volumes encryption feature enabled. To relaunch these instances, perform the following:

Note: Relaunching Amazon WorkSpaces instances from custom images and bundles using AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to WorkSpaces dashboard at https://console.aws.amazon.com/workspaces/.

03 In the left navigation panel click WorkSpaces to access the instances listing page.

04 Select the AWS WorkSpaces instance that you want to re-create.

05 Click on the Action dropdown button from the dashboard top menu and select Create Image.

06 Within Create Image dialog box, click Create to initiate the image build process. Once the process is completed, you can create a custom WorkSpaces bundle from the new image and launch a new (encrypted) WorkSpaces instance from this custom bundle.

07 In the left navigation panel click Images to access the images listing page.

08 Select the newly created WorkSpaces image, click on the Action dropdown button from the dashboard top menu and select Create Bundle. By creating a bundle from your custom image, you can ensure that the WorkSpaces for your users have everything that they need (their software stack is already installed).

09 Within Create WorkSpaces Bundle dialog box, provide a name and a description for your new bundle, select the appropriate hardware type (i.e. the same hardware configuration as the source instance), then click Create Bundle.

10 In the left navigation panel click Bundles to access the bundles listing page.

11 Select the WorkSpaces bundle created at step no. 9 then click Launch Workspaces to start the launch process.

12 On the Launch WorkSpaces page, perform the following actions:

  1. From the Directory dropdown list, select the directory in which you want to launch the WorkSpaces instance. Click Next Step to continue the process.
  2. Within Identify Users section, select the necessary users from the directory specified at the previous step and click Add Selected to add them to the new WorkSpace. Click Next Step to continue.
  3. From the Select Bundle list, select the custom WorkSpaces bundle created at step no. 9 then click Next Step.
  4. Inside WorkSpaces Configuration section, choose the right Running Mode for your new WorkSpaces instance and add any necessary tags for better resource management. Within Encryption category, check both Root Volume (C: Drive) Encryption and User Volume (D: Drive) Encryption checkboxes and select the required key from the Encryption Key dropdown list to encrypt all your storage volumes. If there is no custom AWS KMS Customer Master Key (CMK) already created, you can use the default AWS-managed key (i.e. alias/aws/workspaces) as encryption key. Click Next Step to continue the process.
  5. Within Review and Launch WorkSpaces section, review the resource configuration details, then click Launch WorkSpaces to create the new (encrypted) WorkSpaces instance. The initial status of the new instance should be PENDING. When the launch process is complete, the status should change to AVAILABLE and an invitation should be sent to the email address that you specified for the user.

13 Repeat steps no. 4 – 12 to relaunch other unencrypted AWS WorkSpaces instances provisioned in the current region.

14 Change the AWS region from the navigation bar and repeat steps no. 1 – 13 for all other regions.

References

Publication date Nov 1, 2017

Related WorkSpaces rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

WorkSpaces Storage Encryption

Risk level: High