Ensure Amazon WorkSpaces Storage Volumes Are Encrypted

Overview

This check verifies that your Amazon WorkSpaces have encryption enabled for both root and user storage volumes. WorkSpaces are virtual desktops that store operating system files (root volume) and user data (user volume). Encrypting these volumes protects sensitive information at rest.

Risk

Severity: High

Unencrypted WorkSpaces volumes expose your organization to significant risks:

  • Data exposure: Anyone with access to the underlying storage or snapshots could read files, cached credentials, and user profile data
  • Compliance violations: Many frameworks (ISO 27001, C5, KISA-ISMS-P) require encryption of data at rest
  • Lateral movement risk: Stolen credentials from unencrypted volumes could enable attackers to move through your environment
  • Data tampering: Without encryption, storage-level access could allow modification of system or user files

Remediation Steps

Prerequisites

  • AWS Console access with permissions to manage WorkSpaces
  • An existing AWS Directory Service directory (for new WorkSpaces)

Important: You cannot enable encryption on an existing WorkSpace. You must create a new encrypted WorkSpace and migrate the user.

AWS Console Method

  1. Open the Amazon WorkSpaces console
  2. In the left navigation, click WorkSpaces
  3. Click Launch WorkSpaces
  4. Select your directory and click Next
  5. Select the user(s) who need WorkSpaces and click Next
  6. Choose a bundle and click Next
  7. On the WorkSpaces configuration page:
    • Check Enable next to Root Volume Encryption
    • Check Enable next to User Volume Encryption
    • Optionally select a customer-managed KMS key (or use the default AWS managed key)
  8. Review your settings and click Launch WorkSpaces

After the new encrypted WorkSpace is available, migrate the user's data from their old unencrypted WorkSpace, then terminate the old one.

AWS CLI (optional)

Check current encryption status:

aws workspaces describe-workspaces \
--region us-east-1 \
--query 'Workspaces[*].{WorkspaceId:WorkspaceId,UserName:UserName,RootVolumeEncrypted:RootVolumeEncryptionEnabled,UserVolumeEncrypted:UserVolumeEncryptionEnabled}' \
--output table

Create a new WorkSpace with encryption enabled:

aws workspaces create-workspaces \
  --region us-east-1 \
  --workspaces '[
    {
      "DirectoryId": "<your-directory-id>",
      "UserName": "<username>",
      "BundleId": "<bundle-id>",
      "RootVolumeEncryptionEnabled": true,
      "UserVolumeEncryptionEnabled": true,
      "VolumeEncryptionKey": "arn:aws:kms:us-east-1:<account-id>:key/<key-id>"
    }
  ]'

Notes:

  • Replace <your-directory-id> with your AWS Directory Service directory ID (e.g., d-1234567890)
  • Replace <bundle-id> with your WorkSpaces bundle ID (e.g., wsb-1234567890)
  • The VolumeEncryptionKey parameter is optional; omit it to use the default AWS managed key

List available bundles:

aws workspaces describe-workspace-bundles \
--region us-east-1 \
--query 'Bundles[*].{BundleId:BundleId,Name:Name}' \
--output table

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon WorkSpaces with encrypted volumes

Parameters:
  DirectoryId:
    Type: String
    Description: The ID of the AWS Directory Service directory
  BundleId:
    Type: String
    Description: The ID of the WorkSpaces bundle
  UserName:
    Type: String
    Description: The username for the WorkSpace
  KMSKeyArn:
    Type: String
    Description: The ARN of the KMS key for volume encryption (leave empty for AWS managed key)
    Default: ''

Conditions:
  UseCustomKMSKey: !Not [!Equals [!Ref KMSKeyArn, '']]

Resources:
  EncryptedWorkSpace:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      DirectoryId: !Ref DirectoryId
      BundleId: !Ref BundleId
      UserName: !Ref UserName
      RootVolumeEncryptionEnabled: true
      UserVolumeEncryptionEnabled: true
      VolumeEncryptionKey: !If [UseCustomKMSKey, !Ref KMSKeyArn, !Ref 'AWS::NoValue']
      Tags:
        - Key: Environment
          Value: Production

Outputs:
  WorkSpaceId:
    Description: The ID of the created WorkSpace
    Value: !Ref EncryptedWorkSpace

Deploy the stack:

aws cloudformation create-stack \
--stack-name encrypted-workspace \
--template-body file://template.yaml \
--parameters \
ParameterKey=DirectoryId,ParameterValue=d-1234567890 \
ParameterKey=BundleId,ParameterValue=wsb-1234567890 \
ParameterKey=UserName,ParameterValue=jsmith \
--region us-east-1

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "directory_id" {
  description = "The ID of the AWS Directory Service directory"
  type        = string
}

variable "bundle_id" {
  description = "The ID of the WorkSpaces bundle"
  type        = string
}

variable "user_name" {
  description = "The username for the WorkSpace"
  type        = string
}

variable "kms_key_arn" {
  description = "The ARN of the KMS key for volume encryption (optional)"
  type        = string
  default     = null
}

resource "aws_workspaces_workspace" "encrypted_workspace" {
  directory_id = var.directory_id
  bundle_id    = var.bundle_id
  user_name    = var.user_name

  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = true
  volume_encryption_key          = var.kms_key_arn

  workspace_properties {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }

  tags = {
    Environment = "Production"
  }
}

output "workspace_id" {
  description = "The ID of the created WorkSpace"
  value       = aws_workspaces_workspace.encrypted_workspace.id
}

Deploy with Terraform:

terraform init
terraform plan -var="directory_id=d-1234567890" \
-var="bundle_id=wsb-1234567890" \
-var="user_name=jsmith"
terraform apply -var="directory_id=d-1234567890" \
-var="bundle_id=wsb-1234567890" \
-var="user_name=jsmith"

Verification

After creating your encrypted WorkSpace:

  1. Open the Amazon WorkSpaces console
  2. Click on your WorkSpace ID to view details
  3. Confirm that Root Volume Encryption shows Enabled
  4. Confirm that User Volume Encryption shows Enabled

CLI verification

aws workspaces describe-workspaces \
--workspace-ids ws-1234567890 \
--region us-east-1 \
--query 'Workspaces[0].{RootVolumeEncrypted:RootVolumeEncryptionEnabled,UserVolumeEncrypted:UserVolumeEncryptionEnabled}'

Expected output:

{
  "RootVolumeEncrypted": true,
  "UserVolumeEncrypted": true
}
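The status query under "AWS CLI (optional)" and the single-WorkSpace check above can be rolled into one fleet-wide evaluation. The Python below is an added example, not part of this page or its tooling: it reads the same RootVolumeEncryptionEnabled and UserVolumeEncryptionEnabled fields the CLI queries use, treats a missing field as unencrypted, and, for WorkSpaces bound to a customer-managed key, also flags keys that are no longer Enabled (the start-up failure described in the Notes). The fetch_live helper, sample WorkSpace IDs, key ARNs and account number are all constructed for the example.

```python
from typing import Iterable, Optional
def evaluate_workspace(ws: dict, key_states: Optional[dict] = None) -> list:
    """Findings for one describe-workspaces entry; an empty list means compliant."""
    findings = []
    # Both flags must be true; a missing field is treated as unencrypted.
    if not ws.get("RootVolumeEncryptionEnabled", False):
        findings.append("root volume not encrypted")
    if not ws.get("UserVolumeEncryptionEnabled", False):
        findings.append("user volume not encrypted")
    key_arn = ws.get("VolumeEncryptionKey")
    if key_arn and key_states is not None:
        # A disabled or pending-deletion key leaves the WorkSpace unable to start.
        state = key_states.get(key_arn, "UNKNOWN")
        if state != "Enabled":
            findings.append(f"encryption key {key_arn} is {state}")
    return findings

def evaluate_fleet(workspaces: Iterable[dict], key_states: Optional[dict] = None) -> dict:
    """Map WorkspaceId -> findings for every non-compliant WorkSpace."""
    return {ws["WorkspaceId"]: f for ws in workspaces
            if (f := evaluate_workspace(ws, key_states))}

def fetch_live(region: str):
    """Pull all WorkSpaces plus the state of each referenced KMS key (needs boto3 + credentials)."""
    import boto3  # lazy import so the offline sample below runs without the AWS SDK
    ws_client = boto3.client("workspaces", region_name=region)
    workspaces = [ws for page in ws_client.get_paginator("describe_workspaces").paginate()
                  for ws in page["Workspaces"]]
    kms = boto3.client("kms", region_name=region)
    key_arns = {ws["VolumeEncryptionKey"] for ws in workspaces if ws.get("VolumeEncryptionKey")}
    key_states = {arn: kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyState"] for arn in key_arns}
    return workspaces, key_states

# Constructed sample mirroring a describe-workspaces response (IDs and account are made up).
KEY_1 = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"
KEY_2 = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2"
SAMPLE_WORKSPACES = [
    {"WorkspaceId": "ws-aaaaaaaaa", "RootVolumeEncryptionEnabled": True,
     "UserVolumeEncryptionEnabled": True, "VolumeEncryptionKey": KEY_1},
    {"WorkspaceId": "ws-bbbbbbbbb", "RootVolumeEncryptionEnabled": True,
     "UserVolumeEncryptionEnabled": False},
    {"WorkspaceId": "ws-ccccccccc"},  # neither flag present: unencrypted legacy WorkSpace
    {"WorkspaceId": "ws-ddddddddd", "RootVolumeEncryptionEnabled": True,
     "UserVolumeEncryptionEnabled": True, "VolumeEncryptionKey": KEY_2},
]
SAMPLE_KEY_STATES = {KEY_1: "Enabled", KEY_2: "PendingDeletion"}

if __name__ == "__main__":
    for ws_id, findings in evaluate_fleet(SAMPLE_WORKSPACES, SAMPLE_KEY_STATES).items():
        print(f"{ws_id}: {'; '.join(findings)}")
```

Against a live account, replace the sample data with `evaluate_fleet(*fetch_live("us-east-1"))`; an empty result means every WorkSpace in the region passes both the encryption and key-state checks.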

Notes

  • Encryption cannot be enabled on existing WorkSpaces. You must create a new WorkSpace with encryption and migrate the user.
  • KMS key availability: If you use a customer-managed KMS key, ensure it remains enabled. Disabling or deleting the key will prevent WorkSpaces from starting.
  • Rebuilding WorkSpaces: When you rebuild a WorkSpace, the encryption settings are preserved. Ensure the KMS key is available for rebuilds.
  • Performance: Encryption has minimal performance impact and is transparent to end users.
  • Cost: Using the default AWS managed key has no additional cost. Customer-managed keys incur standard KMS charges.