WorkSpaces Storage Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: WS-005

Ensure that your Amazon WorkSpaces instance storage volumes are encrypted in order to protect your data at rest and meet security and compliance requirements. Your WorkSpaces data is transparently encrypted and decrypted while being written to and read from the WorkSpaces storage volumes, therefore the encryption process does not require any additional action from you, your WorkSpaces instance, or your application. Encryption keys are managed by the AWS Key Management Service (KMS), eliminating the need to build and maintain a secure key management infrastructure.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When working with production and business-critical data it is highly recommended to implement encryption in order to protect your WorkSpaces data from unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization.


Audit

To determine the encryption configuration status for your WorkSpaces storage volumes, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

03 In the main navigation panel, under WorkSpaces, choose WorkSpaces.

04 Click on the Hide or Show details button (arrow symbol) available for the WorkSpaces instance that you want to examine, to show the panel with the configuration information available for the selected instance.

05 Check the Encrypted Volumes attribute value available in the right column. If the Encrypted Volumes value is set to None, your Amazon WorkSpaces instance volumes (root and user volumes) are not encrypted, therefore your data is not fully protected from unauthorized access.

06 Repeat steps no. 4 and 5 for each Amazon WorkSpaces instance available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-workspaces command (OSX/Linux/UNIX) using custom query filters to list the ID of each Amazon WorkSpaces instance available in the selected AWS region:

aws workspaces describe-workspaces \
  --region us-east-1 \
  --output table \
  --query 'Workspaces[*].WorkspaceId'

02 The command output should return a table with the requested WorkSpaces IDs:

--------------------
|DescribeWorkspaces|
+------------------+
|   ws-abcdabcda   |
|   ws-abcd12341   |
|   ws-12341abcd   |
+------------------+

03 Run describe-workspaces command (OSX/Linux/UNIX) using the ID of the WorkSpaces instance that you want to examine as the identifier parameter and custom query filters to describe the encryption status available for both root and user storage volumes:

aws workspaces describe-workspaces \
  --region us-east-1 \
  --workspace-ids ws-abcd12341 \
  --query 'Workspaces[*].[RootVolumeEncryptionEnabled,UserVolumeEncryptionEnabled]'

04 The command output should return the encryption status for both types of instance volumes (true for enabled, false for disabled) or null if the encryption was not configured at instance creation:

[
    [
        false,
        false
    ]
]

If the describe-workspaces command output returns null or false for both root and user volumes, as shown in the output example above, your Amazon WorkSpaces instance volumes are not encrypted at rest, therefore your data is not fully protected from unauthorized access.

05 Repeat steps no. 3 and 4 for each Amazon WorkSpaces instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
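The CLI steps above examine one WorkSpace at a time. The following script, added here as an example and not part of the Conformity page or the AWS CLI, applies the same WS-005 decision rule to the whole JSON document that `aws workspaces describe-workspaces --output json` returns, so one run covers every WorkSpace in a region. It treats a `null` (absent) encryption flag exactly like `false`, as the rule does. The response embedded in the script is constructed for this example; the WorkSpace IDs, user names and key ARN are placeholders.

```python
"""Audit helper for Conformity rule WS-005 (added example, not Conformity's
or AWS's code). Parses describe-workspaces JSON output and lists every
WorkSpace whose root or user volume is not encrypted at rest."""
import json
import sys

# Constructed sample of a describe-workspaces response (placeholder IDs).
# A missing *VolumeEncryptionEnabled key is what the CLI prints as `null`
# when encryption was never configured at launch.
SAMPLE_RESPONSE = json.dumps({
    "Workspaces": [
        {"WorkspaceId": "ws-abcdabcda", "DirectoryId": "d-1234abcd1a",
         "UserName": "alice",
         "RootVolumeEncryptionEnabled": True,
         "UserVolumeEncryptionEnabled": True,
         "VolumeEncryptionKey": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
        {"WorkspaceId": "ws-abcd12341", "DirectoryId": "d-1234abcd1a",
         "UserName": "bob",
         "RootVolumeEncryptionEnabled": False,
         "UserVolumeEncryptionEnabled": False},
        {"WorkspaceId": "ws-12341abcd", "DirectoryId": "d-1234abcd1a",
         "UserName": "carol",
         "RootVolumeEncryptionEnabled": True,
         "UserVolumeEncryptionEnabled": False},
        {"WorkspaceId": "ws-aaaabbbbc", "DirectoryId": "d-1234abcd1a",
         "UserName": "dave"},  # neither flag present: CLI shows null/null
    ]
})


def volume_status(workspace, key):
    """Return 'enabled', 'disabled' or 'not-configured' for one volume flag.

    WS-005 treats 'not-configured' (null) the same as 'disabled'.
    """
    value = workspace.get(key)
    if value is None:
        return "not-configured"
    return "enabled" if value else "disabled"


def find_unencrypted(response_text):
    """Parse a describe-workspaces JSON document and return the failing
    WorkSpaces as a list of (workspace_id, root_status, user_status)."""
    doc = json.loads(response_text)
    findings = []
    for ws in doc.get("Workspaces", []):
        root = volume_status(ws, "RootVolumeEncryptionEnabled")
        user = volume_status(ws, "UserVolumeEncryptionEnabled")
        # Both volumes must be encrypted for the WorkSpace to pass WS-005.
        if root != "enabled" or user != "enabled":
            findings.append((ws["WorkspaceId"], root, user))
    return findings


def report(response_text):
    """One line per failing WorkSpace plus a summary count."""
    findings = find_unencrypted(response_text)
    lines = [f"{wid}: root={root} user={user}" for wid, root, user in findings]
    lines.append(f"{len(findings)} WorkSpace(s) fail WS-005")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use (the CLI paginates describe-workspaces for you):
    #   aws workspaces describe-workspaces --region us-east-1 --output json \
    #     | python3 audit_ws005.py
    # With nothing on stdin the constructed sample is used instead.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    print(report(text or SAMPLE_RESPONSE))
```

Run it once per region (change `--region` in the piped command), the same way the manual procedure repeats steps 3 and 4 per region; a non-empty finding list is the same condition the console shows as Encrypted Volumes: None.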

Remediation / Resolution

To enable storage volume encryption for existing Amazon WorkSpaces instances, you must re-create your instances with the appropriate encryption configuration. To relaunch your WorkSpaces instances, perform the following operations:

Note: Re-creating Amazon WorkSpaces instances from custom images and bundles using AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Encryption at Rest for WorkSpaces Instance Volumes",
  "Resources": {
      "WorkSpacesInstance": {
          "Type" : "AWS::WorkSpaces::Workspace",
          "Properties" : {
              "DirectoryId" : "d-1234abcd1a",
              "BundleId" : "wsb-abcd1234a",
              "UserName" : "trendmicro",
              "RootVolumeEncryptionEnabled" : true,
              "UserVolumeEncryptionEnabled" : true,
              "VolumeEncryptionKey" : "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
              "WorkspaceProperties" : {
                  "ComputeTypeName" : "VALUE",
                  "RunningMode" : "AUTO_STOP",
                  "RunningModeAutoStopTimeoutInMinutes" : 60,
                  "RootVolumeSizeGib" : 80,
                  "UserVolumeSizeGib" : 10
              }
          }
      }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Encryption at Rest for WorkSpaces Instance Volumes
Resources:
  WorkSpacesInstance:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      DirectoryId: d-1234abcd1a
      BundleId: wsb-abcd1234a
      UserName: trendmicro
      RootVolumeEncryptionEnabled: true
      UserVolumeEncryptionEnabled: true
      VolumeEncryptionKey: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
      WorkspaceProperties:
        ComputeTypeName: VALUE
        RunningMode: AUTO_STOP
        RunningModeAutoStopTimeoutInMinutes: 60
        RootVolumeSizeGib: 80
        UserVolumeSizeGib: 10
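Because encryption can only be set when a WorkSpace is created, the cheapest place to catch a missing flag is before the template is deployed. The following pre-deployment check is an added example, not Conformity's or AWS's code: it scans a CloudFormation JSON template for `AWS::WorkSpaces::Workspace` resources whose `RootVolumeEncryptionEnabled` or `UserVolumeEncryptionEnabled` property is absent or not true, and exits non-zero so a CI job fails. It covers the JSON form only; the YAML form would need a YAML parser (for example PyYAML). The template embedded below is constructed for this example and reuses the page's placeholder directory, bundle and key identifiers.

```python
"""CI guard for WS-005 (added example, not Conformity's or AWS's code):
fail the build when a CloudFormation JSON template would launch a
WorkSpace without encrypted root and user volumes."""
import json
import sys

REQUIRED_FLAGS = ("RootVolumeEncryptionEnabled", "UserVolumeEncryptionEnabled")

# Constructed template: one compliant WorkSpace, one that forgot the user
# volume flag, and an unrelated resource that must be ignored.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "EncryptedWorkSpace": {
            "Type": "AWS::WorkSpaces::Workspace",
            "Properties": {
                "DirectoryId": "d-1234abcd1a",
                "BundleId": "wsb-abcd1234a",
                "UserName": "trendmicro",
                "RootVolumeEncryptionEnabled": True,
                "UserVolumeEncryptionEnabled": True,
                "VolumeEncryptionKey": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"}},
        "PlainWorkSpace": {
            "Type": "AWS::WorkSpaces::Workspace",
            "Properties": {
                "DirectoryId": "d-1234abcd1a",
                "BundleId": "wsb-abcd1234a",
                "UserName": "contractor",
                "RootVolumeEncryptionEnabled": True}},  # user volume flag missing
        "UnrelatedKey": {"Type": "AWS::KMS::Key", "Properties": {}},
    }
})


def flag_is_true(value):
    """CloudFormation accepts the JSON boolean true and the string "true"
    for Boolean-typed properties. Anything else (false, absent, or an
    intrinsic such as a Ref that cannot be resolved offline) counts as
    not enabled, which is the safe reading for a pre-deployment check."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_template(template_text):
    """Return {logical_id: [problems]} for every WorkSpace resource that
    would not satisfy WS-005. An empty dict means the template passes."""
    doc = json.loads(template_text)
    problems = {}
    for logical_id, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::WorkSpaces::Workspace":
            continue
        props = res.get("Properties", {})
        issues = [f"{flag} is not true" for flag in REQUIRED_FLAGS
                  if not flag_is_true(props.get(flag))]
        if issues:
            problems[logical_id] = issues
    return problems


def main(path=None):
    """Check the template at `path` (or the constructed sample) and return
    the process exit code: 0 when clean, 1 when any WorkSpace fails."""
    if path:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TEMPLATE
    problems = check_template(text)
    for logical_id, issues in problems.items():
        print(f"{logical_id}: " + "; ".join(issues))
    return 1 if problems else 0


if __name__ == "__main__":
    # Usage: python3 check_ws005_template.py template.json
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

The check deliberately does not try to validate `VolumeEncryptionKey`: the template may supply it through a Ref or parameter, and whether the key is appropriate (customer managed versus the AWS-managed `alias/aws/workspaces` key) is a policy decision for the account rather than something a static check can decide.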

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_workspaces_workspace" "workspaces-instance" {

  directory_id = "d-1234abcd1a"
  bundle_id    = "wsb-abcd1234a"
  user_name    = "trendmicro"

  # Enable Encryption at Rest for WorkSpaces Instance Volumes
  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = true
  volume_encryption_key          = "alias/aws/workspaces"

  workspace_properties {
    compute_type_name                         = "VALUE"
    root_volume_size_gib                      = 80
    user_volume_size_gib                      = 10
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, under Key Management Service (KMS), select Customer managed keys.

04 Choose the Create Key button from the console top menu to initiate the CMK setup process.

05 For Step 1 Configure key, perform the following actions:

  1. Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
  2. Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
  3. Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
  4. Choose Next to continue.

06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in the Description – optional box. (Optional) Use the Add tag button to create tags in order to categorize and identify your CMK. Choose Next to continue the setup process.

07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.

08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your Amazon WorkSpaces data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.

09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

10 Navigate to Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

11 In the main navigation panel, under WorkSpaces, choose WorkSpaces.

12 Select the Amazon WorkSpaces instance that you want to re-create, choose Actions, and select Create Image.

13 In the Create WorkSpaces Image dialog box, choose Next, and provide a unique name and a description for the new image in the Image Name and Description fields. Once all the information is provided, choose Create Image to initiate the image build process. After the process is completed, you can create a custom WorkSpaces bundle from the new image and launch a new, encrypted WorkSpaces instance from that custom bundle.

14 In the main navigation panel, under WorkSpaces, choose Images.

15 Select the new WorkSpaces image, choose Actions, and select Create bundle. By creating a bundle from your custom WorkSpaces image, you can ensure that the workspace for your users has everything they need.

16 In the Create WorkSpaces Bundle dialog box, provide a unique name and a description for your new bundle, select the appropriate hardware type (must match the hardware configuration used for the source instance), then choose Create Bundle to create your custom bundle.

17 In the main navigation panel, under WorkSpaces, choose Bundles.

18 Select the WorkSpaces bundle created at step no. 15 and choose Launch Workspaces to initiate the instance launch process.

19 On the Launch WorkSpaces setup page, perform the following actions:

  1. For Step 1: Select Directory, select the directory in which you want to launch your new WorkSpaces instance. Choose Next Step to continue the setup process.
  2. For Step 2: Identify Users, select the necessary users from the directory specified at the previous step and choose Add Selected to add them to the new WorkSpaces instance. Choose Next Step to continue.
  3. For Step 3: Select Bundles, under Assign WorkSpace Bundles, select the custom bundle created at step no. 15 from the Bundle dropdown list, then choose Next Step to continue the setup process.
  4. For Step 4: WorkSpaces Configuration, provide the following information:
    • Choose the appropriate Running Mode for your new WorkSpaces instance (must match the running mode used by the source instance) and add any necessary tags for better resource management.
    • Under Encryption, select Root Volume Encryption and User Volume Encryption checkboxes to enable encryption at rest for both root and user storage volumes. Choose the Customer Master Key (CMK) that you want to use for WorkSpaces data encryption. You can use the default master key (AWS-managed key) created for Amazon WorkSpaces (i.e. alias/aws/workspaces) or your own customer-managed Customer Master Key (CMK) created earlier in the Remediation process. Choose Next Step to continue the process.
  5. For Step 5: Review, review the resource configuration details, then choose Launch WorkSpaces to create your new, encrypted Amazon WorkSpaces instance.

20 Repeat steps no. 12 – 19 to enable encryption at rest for other Amazon WorkSpaces instances available within the current AWS region.

21 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Publication date Nov 1, 2017