01 Sign in to the AWS Management Console.
02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.
03 In the main navigation panel, under Key Management Service (KMS), select Customer managed keys.
04 Choose the Create Key button from the console top menu to initiate the CMK setup process.
05 For Step 1 Configure key, perform the following actions:
- Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
- Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
- Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
- Choose Next to continue.
06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in the Description – optional box. (Optional) Use the Add tag button to create tags in order to categorize and identify your CMK. Choose Next to continue the setup process.
07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.
08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your Amazon WorkSpaces data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.
09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".
10 Navigate to Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
11 In the main navigation panel, under WorkSpaces, choose WorkSpaces.
12 Select the Amazon WorkSpaces instance that you want to re-create, choose Actions, and select Create Image.
13 In the Create WorkSpaces Image dialog box, choose Next, and provide a unique name and a description for the new image in the Image Name and Description fields. Once all the information is provided, choose Create Image to initiate the image build process. After the process is completed, you can create a custom WorkSpaces bundle from the new image and launch a new, encrypted WorkSpaces instance from that custom bundle.
14 In the main navigation panel, under WorkSpaces, choose Images.
15 Select the new WorkSpaces image, choose Actions, and select Create bundle. By creating a bundle from your custom WorkSpaces image, you can ensure that the workspace for your users has everything they need.
16 In the Create WorkSpaces Bundle dialog box, provide a unique name and a description for your new bundle, select the appropriate hardware type (must match the hardware configuration used for the source instance), then choose Create Bundle to create your custom bundle.
17 In the main navigation panel, under WorkSpaces, choose Bundles.
18 Select the WorkSpaces bundle created at step no. 15 and choose Launch Workspaces to initiate the instance launch process.
19 On the Launch WorkSpaces setup page, perform the following actions:
- For Step 1: Select Directory, select the directory in which you want to launch your new WorkSpaces instance. Choose Next Step to continue the setup process.
- For Step 2: Identify Users, select the necessary users from the directory specified at the previous step and choose Add Selected to add them to the new WorkSpaces instance. Choose Next Step to continue.
- For Step 3: Select Bundles, under Assign WorkSpace Bundles, select the custom bundle created at step no. 15 from the Bundle dropdown list, then choose Next Step to continue the setup process.
- For Step 4: WorkSpaces Configuration, provide the following information:
- Choose the appropriate Running Mode for your new WorkSpaces instance (must match the running mode used by the source instance) and add any necessary tags for better resource management.
- Under Encryption, select Root Volume Encryption and User Volume Encryption checkboxes to enable encryption at rest for both root and user storage volumes. Choose the Customer Master Key (CMK) that you want to use for WorkSpaces data encryption. You can use the default master key (AWS-managed key) created for Amazon WorkSpaces (i.e. alias/aws/workspaces) or your own customer-managed Customer Master Key (CMK) created earlier in the Remediation process. Choose Next Step to continue the process.
- For Step 5: Review, review the resource configuration details, then choose Launch WorkSpaces to create your new, encrypted Amazon WorkSpaces instance.
20 Repeat steps no. 12 – 19 to enable encryption at rest for the other Amazon WorkSpaces instances available within the current AWS region.
21 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.
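As an added example that is not part of the original procedure, the Python code below shows the check that flags WorkSpaces whose root or user volume is not encrypted (the condition this remediation fixes) and builds the CreateWorkspaces request equivalent to steps 18 and 19 of the console walkthrough. It runs over a constructed DescribeWorkspaces-style sample; every ID, ARN, bundle and user name is a placeholder, and the actual API call (for example via boto3) is left out.

```python
# Added example, not part of the original procedure: the audit check that motivates
# this remediation, plus CreateWorkspaces parameters matching console steps 18-19.
# Field names follow the Amazon WorkSpaces API; all IDs, ARNs and names are constructed.

CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Constructed sample shaped like the "Workspaces" list returned by DescribeWorkspaces.
SAMPLE_WORKSPACES = [
    {"WorkspaceId": "ws-0000000001", "DirectoryId": "d-0000000001", "UserName": "alice",
     "BundleId": "wsb-0000000001", "RootVolumeEncryptionEnabled": False,
     "UserVolumeEncryptionEnabled": False, "Tags": [{"Key": "Owner", "Value": "alice"}],
     "WorkspaceProperties": {"RunningMode": "AUTO_STOP",
                             "RunningModeAutoStopTimeoutInMinutes": 60}},
    {"WorkspaceId": "ws-0000000002", "DirectoryId": "d-0000000001", "UserName": "bob",
     "BundleId": "wsb-0000000001", "RootVolumeEncryptionEnabled": True,
     "UserVolumeEncryptionEnabled": False, "VolumeEncryptionKey": "alias/aws/workspaces",
     "WorkspaceProperties": {"RunningMode": "ALWAYS_ON"}},
]

def needs_remediation(ws):
    """True unless both root and user volumes are encrypted. Encryption cannot be
    enabled in place, so such WorkSpaces are re-created as the steps above describe."""
    return not (ws.get("RootVolumeEncryptionEnabled", False)
                and ws.get("UserVolumeEncryptionEnabled", False))

def find_unencrypted(workspaces):
    """IDs of WorkSpaces that need the remediation, in listed order."""
    return [ws["WorkspaceId"] for ws in workspaces if needs_remediation(ws)]

def build_launch_request(source_ws, custom_bundle_id, kms_key):
    """CreateWorkspaces parameters mirroring steps 18-19: same directory, user and
    running mode as the source, the custom bundle built from its image, and both
    volumes encrypted with kms_key (a CMK ARN/ID or alias/aws/workspaces)."""
    props = source_ws.get("WorkspaceProperties", {})
    spec = {
        "DirectoryId": source_ws["DirectoryId"],
        "UserName": source_ws["UserName"],
        "BundleId": custom_bundle_id,
        "VolumeEncryptionKey": kms_key,
        "RootVolumeEncryptionEnabled": True,
        "UserVolumeEncryptionEnabled": True,
        # Only running-mode settings are copied; hardware sizing comes from the bundle.
        "WorkspaceProperties": {k: props[k] for k in
                                ("RunningMode", "RunningModeAutoStopTimeoutInMinutes")
                                if k in props},
    }
    if source_ws.get("Tags"):
        spec["Tags"] = list(source_ws["Tags"])  # carry tags over to the replacement
    return {"Workspaces": [spec]}
```

The same check can be re-run after the re-launch to confirm the new instance reports both volumes encrypted with the intended key.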