This check evaluates encryption at rest on the EBS volumes of each Amazon WorkSpace. It verifies that both the root volume and the user volume are encrypted with a KMS key and flags any workspace where either volume is unencrypted.
Risk
Unencrypted volumes allow offline access to files, cached credentials, and profile data from snapshots or underlying storage, harming confidentiality. Storage-level access can enable data tampering, impacting integrity, and facilitate token reuse for lateral movement.
prowler aws --checks workspaces_volume_encryption_enabled
Recommendation
Enable KMS-backed encryption for both root and user volumes on all WorkSpaces. Prefer customer-managed keys, enforce least privilege on key use, and enable rotation. Embed encryption into provisioning templates and policies to block unencrypted launches. Keep required keys enabled for rebuilds and restores.
Remediation
- In the AWS Console, go to WorkSpaces > WorkSpaces and click Launch WorkSpaces
- Select the directory and user, proceed to the WorkSpaces Configuration step
- Under Encryption, enable Root volume and User volume
- Keep the default AWS managed key (aws/workspaces) or select a CMK if required
- Launch the WorkSpace, then migrate the user and terminate the unencrypted WorkSpace
- Verify the Volume Encryption column shows Enabled for both volumes
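To verify the result outside the console, the following added example (not Prowler's own check code) applies the same pass/fail logic to the items returned by the WorkSpaces DescribeWorkspaces API. The sample records are constructed; the optional fetcher assumes boto3 and AWS credentials, and the "AWS managed key" label assumes the default key is reported as the alias/aws/workspaces alias.

```python
"""Evaluate WorkSpaces root/user volume encryption as this check describes."""
from typing import Iterable

# Constructed sample records in the shape of DescribeWorkspaces "Workspaces" items.
SAMPLE_WORKSPACES = [
    {"WorkspaceId": "ws-example0001", "UserName": "alice", "State": "AVAILABLE",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True,
     "VolumeEncryptionKey": "alias/aws/workspaces"},
    {"WorkspaceId": "ws-example0002", "UserName": "bob", "State": "AVAILABLE",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": False,
     "VolumeEncryptionKey": "alias/aws/workspaces"},
    # Launched without encryption: the API omits both flags and the key.
    {"WorkspaceId": "ws-example0003", "UserName": "carol", "State": "STOPPED"},
]

# Assumption: the default AWS managed key is reported under this alias.
AWS_MANAGED_KEY = "alias/aws/workspaces"


def evaluate_workspace(ws: dict) -> dict:
    """Return a PASS/FAIL finding for one workspace record.

    A missing encryption flag is treated as unencrypted, which matches how
    the API reports workspaces launched without volume encryption.
    """
    unencrypted = [name for name, flag in (("root", "RootVolumeEncryptionEnabled"),
                                           ("user", "UserVolumeEncryptionEnabled"))
                   if not ws.get(flag, False)]
    key_id = ws.get("VolumeEncryptionKey")
    if unencrypted:
        status, msg = "FAIL", f"unencrypted volumes: {', '.join(unencrypted)}"
    else:
        kind = "AWS managed key" if key_id == AWS_MANAGED_KEY else "customer managed key"
        status, msg = "PASS", f"root and user volumes encrypted with {kind} {key_id}"
    return {"workspace_id": ws["WorkspaceId"], "status": status, "message": msg}


def evaluate_workspaces(workspaces: Iterable[dict]) -> list[dict]:
    """Evaluate every workspace record and return one finding per workspace."""
    return [evaluate_workspace(ws) for ws in workspaces]


def fetch_workspaces(region: str) -> list[dict]:
    """Page through DescribeWorkspaces in one region (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline sample runs without boto3
    client = boto3.client("workspaces", region_name=region)
    paginator = client.get_paginator("describe_workspaces")
    return [ws for page in paginator.paginate() for ws in page["Workspaces"]]


if __name__ == "__main__":
    for finding in evaluate_workspaces(SAMPLE_WORKSPACES):
        print(f"{finding['status']} {finding['workspace_id']}: {finding['message']}")
```

Replace SAMPLE_WORKSPACES with fetch_workspaces("<region>") to run it against a real account; any FAIL line corresponds to a workspace that still needs to be relaunched with encryption enabled.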
Resource Type
AwsEc2Volume