Encrypted WorkSpaces - Amazon WorkSpaces
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encrypted WorkSpaces

WorkSpaces is integrated with the Amazon Key Management Service (Amazon KMS). This enables you to encrypt storage volumes of WorkSpaces using Amazon KMS Key. When you launch a WorkSpace, you can encrypt the root volume (for Microsoft Windows, the C drive; for Linux, /) and the user volume (for Windows, the D drive; for Linux, /home). Doing so ensures that the data stored at rest, disk I/O to the volume, and snapshots created from the volumes are all encrypted.

Prerequisites

You need an Amazon KMS Key before you can begin the encryption process. This KMS Key can be either the Amazon managed KMS Key for Amazon WorkSpaces (aws/workspaces) or a symmetric customer managed KMS Key.

  • Amazon managed KMS Keys – The first time that you launch an unencrypted WorkSpace from the WorkSpaces console in a Region, Amazon WorkSpaces automatically creates an Amazon managed KMS Key (aws/workspaces) in your account. You can select this Amazon managed KMS Key to encrypt the user and root volumes of your WorkSpace. For details, see Overview of WorkSpaces encryption using Amazon KMS.

    You can view this Amazon managed KMS Key, including its policies and grants, and can track its use in Amazon CloudTrail logs, but you cannot use or manage this KMS Key. Amazon WorkSpaces creates and manages this KMS Key. Only Amazon WorkSpaces can use this KMS Key, and WorkSpaces can use it only to encrypt WorkSpaces resources in your account.

    Amazon managed KMS Key, including the one that Amazon WorkSpaces supports, are rotated every three years. For details, see Rotating Amazon KMS Key in the Amazon Key Management Service Developer Guide.

  • Customer managed KMS Key – Alternatively, you can select a symmetric customer managed KMS Key that you created using Amazon KMS. You can view, use, and manage this KMS Key, including setting its policies. For more information about creating KMS Keys, see Creating Keys in the Amazon Key Management Service Developer Guide. For more information about creating KMS Keys using the Amazon KMS API, see Working with Keys in the Amazon Key Management Service Developer Guide.

    Customer managed KMS Keys are not automatically rotated unless you decide to enable automatic key rotation. For details, see Rotating Amazon KMS Keys in the Amazon Key Management Service Developer Guide.

Important

When you manually rotate KMS Keys, you must keep both the original KMS Key and the new KMS Key enabled so that Amazon KMS can decrypt the WorkSpaces that the original KMS Key encrypted. If you don't want to keep the original KMS Key enabled, you must recreate your WorkSpaces and encrypt them using the new KMS Key.

You must meet the following requirements to use an Amazon KMS Key to encrypt your WorkSpaces:

Limits

  • You can't encrypt an existing WorkSpace. You must encrypt a WorkSpace when you launch it.

  • Creating a custom image from an encrypted WorkSpace is not supported.

  • Disabling encryption for an encrypted WorkSpace is not currently supported.

  • WorkSpaces launched with root volume encryption enabled might take up to an hour to provision.

  • To reboot or rebuild an encrypted WorkSpace, first make sure that the Amazon KMS Key is enabled; otherwise, the WorkSpace becomes unusable. To determine whether a KMS Key is enabled, see Displaying KMS Key Details in the Amazon Key Management Service Developer Guide.

Overview of WorkSpaces encryption using Amazon KMS

When you create WorkSpaces with encrypted volumes, WorkSpaces uses Amazon Elastic Block Store (Amazon EBS) to create and manage those volumes. Amazon EBS encrypts your volumes with a data key using the industry-standard AES-256 algorithm. Both Amazon EBS and Amazon WorkSpaces use your KMS Key to work with the encrypted volumes. For more information about EBS volume encryption, see Amazon EBS Encryption in the Amazon EC2 User Guide for Windows Instances.

When you launch WorkSpaces with encrypted volumes, the end-to-end process works like this:

  1. You specify the KMS Key to use for encryption as well as the user and directory for the WorkSpace. This action creates a grant that allows WorkSpaces to use your KMS Key only for this WorkSpace—that is, only for the WorkSpace associated with the specified user and directory.

  2. WorkSpaces creates an encrypted EBS volume for the WorkSpace and specifies the KMS Key to use as well as the volume's user and directory. This action creates a grant that allows Amazon EBS to use your KMS Key only for this WorkSpace and volume—that is, only for the WorkSpace associated with the specified user and directory, and only for the specified volume.

  3. Amazon EBS requests a volume data key that is encrypted under your KMS Key and specifies the WorkSpace user's Active Directory security identifier (SID) and Amazon Directory Service directory ID as well as the Amazon EBS volume ID as the encryption context.

  4. Amazon KMS creates a new data key, encrypts it under your KMS Key, and then sends the encrypted data key to Amazon EBS.

  5. WorkSpaces uses Amazon EBS to attach the encrypted volume to your WorkSpace. Amazon EBS sends the encrypted data key to Amazon KMS with a Decrypt request and specifies the WorkSpace user's SID, the directory ID, and the volume ID, which is used as the encryption context.

  6. Amazon KMS uses your KMS Key to decrypt the data key, and then sends the plain text data key to Amazon EBS.

  7. Amazon EBS uses the plain text data key to encrypt all data going to and from the encrypted volume. Amazon EBS keeps the plain text data key in memory for as long as the volume is attached to the WorkSpace.

  8. Amazon EBS stores the encrypted data key (received at Step 4) with the volume metadata for future use in case you reboot or rebuild the WorkSpace.

  9. When you use the Amazon Web Services Management Console to remove a WorkSpace (or use the TerminateWorkspaces action in the WorkSpaces API), WorkSpaces and Amazon EBS retire the grants that allowed them to use your KMS Key for that WorkSpace.

WorkSpaces encryption context

WorkSpaces doesn't use your KMS Key directly for cryptographic operations (such as Encrypt, Decrypt, GenerateDataKey, etc.), which means WorkSpaces doesn't send requests to Amazon KMS that include an encryption context. However, when Amazon EBS requests an encrypted data key for the encrypted volumes of your WorkSpaces (Step 3 in the Overview of WorkSpaces encryption using Amazon KMS) and when it requests a plain text copy of that data key (Step 5), it includes encryption context in the request.

The encryption context provides additional authenticated data (AAD) that Amazon KMS uses to ensure data integrity. The encryption context is also written to your Amazon CloudTrail log files, which can help you understand why a given KMS Key was used. Amazon EBS uses the following for the encryption context:

  • The security identifier (SID) of the Active Directory user that is associated with the WorkSpace

  • The directory ID of the Amazon Directory Service directory that is associated with the WorkSpace

  • The Amazon EBS volume ID of the encrypted volume

The following example shows a JSON representation of the encryption context that Amazon EBS uses:

{ "aws:workspaces:sid-directoryid": "[S-1-5-21-277731876-1789304096-451871588-1107]@[d-1234abcd01]", "aws:ebs:id": "vol-1234abcd" }

Grant WorkSpaces permission to use a KMS Key on your behalf

You can protect your WorkSpace data under the Amazon managed KMS Key for WorkSpaces (aws/workspaces) or a customer managed KMS Key. If you use a customer managed KMS Key, you need to grant WorkSpaces permission to use the KMS Key on behalf of the WorkSpaces administrators in your account. The Amazon managed KMS Key for WorkSpaces has the required permissions by default.

To prepare your customer managed KMS Key for use with WorkSpaces, use the following procedure.

Your WorkSpaces administrators also need permission to use WorkSpaces. For more information about these permissions, go to Identity and access management for WorkSpaces.

Part 1: Add WorkSpaces administrators to as key users

To give WorkSpaces administrators the permissions that they require, you can use the Amazon Web Services Management Console or the Amazon KMS API.

To add WorkSpaces administrators as key users for a KMS Key (console)

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Choose the key ID or alias of your preferred customer managed KMS Key.

  5. Choose the Key policy tab. Under Key users, choose Add.

  6. In the list of IAM users and roles, select the users and roles that correspond to your WorkSpaces administrators, and then choose Add.

To add WorkSpaces administrators as key users for a KMS Key (API)

  1. Use the GetKeyPolicy operation to get the existing key policy, and then save the policy document to a file.

  2. Open the policy document in your preferred text editor. Add the IAM users and roles that correspond to your WorkSpaces administrators to the policy statements that give permission to key users. Then save the file.

  3. Use the PutKeyPolicy operation to apply the key policy to the KMS Key.

Part 2: Grant WorkSpaces administrators additional permissions using an IAM policy

If you select a customer managed KMS Key to use for encryption, you must establish IAM policies that allow Amazon WorkSpaces to use the KMS Key on behalf of an IAM user in your account who launches encrypted WorkSpaces. That user also needs permission to use Amazon WorkSpaces. For more information about creating and editing IAM user policies, see Managing IAM Policies in the IAM User Guide and Identity and access management for WorkSpaces.

WorkSpaces encryption requires limited access to the KMS Key. The following is a sample key policy that you can use. This policy separates the principals who can manage the Amazon KMS Key from those who can use it. Before you use this sample key policy, replace the example account ID and IAM user name with actual values from your account.

The first statement matches the default Amazon KMS key policy. It gives your account permission to use IAM policies to control access to the KMS Key. The second and third statements define which Amazon principals can manage and use the key, respectively. The fourth statement enables Amazon services that are integrated with Amazon KMS to use the key on behalf of the specified principal. This statement enables Amazon services to create and manage grants. The statement uses a condition element that limits grants on the KMS Key to those made by Amazon services on behalf of users in your account.

Note

If your WorkSpaces administrators use the Amazon Web Services Management Console to create WorkSpaces with encrypted volumes, the administrators need permission to list aliases and list keys (the "kms:ListAliases" and "kms:ListKeys" permissions). If your WorkSpaces administrators use only the Amazon WorkSpaces API (not the console), you can omit the "kms:ListAliases" and "kms:ListKeys" permissions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"AWS": "arn:aws-cn:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*" }, { "Effect": "Allow", "Principal": {"AWS": "arn:aws-cn:iam::123456789012:user/Alice"}, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*" ], "Resource": "*" }, { "Effect": "Allow", "Principal": {"AWS": "arn:aws-cn:iam::123456789012:user/Alice"}, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Effect": "Allow", "Principal": {"AWS": "arn:aws-cn:iam::123456789012:user/Alice"}, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}} } ] }

The IAM policy for a user or role that is encrypting a WorkSpace must include usage permissions on the customer managed KMS Key, as well as access to WorkSpaces. To give an IAM user or role WorkSpaces permissions, you can attach the following sample policy to the IAM user or role.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ds:*", "ds:DescribeDirectories", "workspaces:*", "workspaces:DescribeWorkspaceBundles", "workspaces:CreateWorkspaces", "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspaceDirectories", "workspaces:DescribeWorkspaces", "workspaces:RebootWorkspaces", "workspaces:RebuildWorkspaces" ], "Resource": "*" } ] }

The following IAM policy is required by the user for using Amazon KMS. It gives the user read-only access to the KMS Key along with the ability to create grants.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:Describe*", "kms:List*" ], "Resource": "*" } ] }

If you want to specify the KMS Key in your policy, use an IAM policy similar to the following. Replace the example KMS Key ARN with a valid one.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, { "Effect": "Allow", "Action": [ "kms:ListAliases", "kms:ListKeys" ], "Resource": "*" } ] }

Encrypt a WorkSpace

To encrypt a WorkSpace
  1. Open the WorkSpaces console at https://console.amazonaws.cn/workspaces/.

  2. Choose Launch WorkSpaces and complete the first three steps.

  3. For the WorkSpaces Configuration step, do the following:

    1. Select the volumes to encrypt: Root Volume, User Volume, or both volumes.

    2. For Encryption Key, select an Amazon KMS Key, either the Amazon managed KMS Key created by Amazon WorkSpaces or a KMS Key that you created. The KMS Key that you select must be symmetric. Amazon WorkSpaces does not support asymmetric KMS Keys.

    3. Choose Next Step.

  4. Choose Launch WorkSpaces.

View encrypted WorkSpaces

To see which WorkSpaces and volumes have been encrypted from the WorkSpaces console, choose WorkSpaces from the navigation bar on the left. The Volume Encryption column shows whether each WorkSpace has encryption enabled or disabled. To see which specific volumes have been encrypted, expand the WorkSpace entry to see the Encrypted Volumes field.