Security Hub controls for WorkSpaces

These Amazon Security Hub controls evaluate the Amazon WorkSpaces service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest

Category: Protect > Data Protection > Encryption of data-at-rest

Severity: Medium

Resource type: AWS::WorkSpaces::Workspace

Amazon Config rule: workspaces-user-volume-encryption-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether a user volume in an Amazon WorkSpaces WorkSpace is encrypted at rest. The control fails if the WorkSpace user volume isn't encrypted at rest.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

Remediation

To encrypt a WorkSpaces user volume, see Encrypt a WorkSpace in the Amazon WorkSpaces Administration Guide.

[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest

Category: Protect > Data Protection > Encryption of data-at-rest

Severity: Medium

Resource type: AWS::WorkSpaces::Workspace

Amazon Config rule: workspaces-root-volume-encryption-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether a root volume in an Amazon WorkSpaces WorkSpace is encrypted at rest. The control fails if the WorkSpace root volume isn't encrypted at rest.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

Remediation

To encrypt a WorkSpaces root volume, see Encrypt a WorkSpace in the Amazon WorkSpaces Administration Guide.
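
The following sketch is an added example, not part of the original page and not the implementation of the Amazon Config rules. It applies the pass/fail logic of WorkSpaces.1 and WorkSpaces.2 to a constructed record set shaped like the output of the WorkSpaces DescribeWorkspaces API. The WorkSpace IDs and user names are made up, and treating an absent encryption flag as a failure is an assumption of this example.

```python
import json

# Constructed sample shaped like a DescribeWorkspaces response (not real data).
# The second record omits the root-volume flag; the third sets both to false.
SAMPLE_RESPONSE = json.loads("""
{"Workspaces": [
  {"WorkspaceId": "ws-example0001", "UserName": "alice", "State": "AVAILABLE",
   "UserVolumeEncryptionEnabled": true, "RootVolumeEncryptionEnabled": true,
   "VolumeEncryptionKey": "alias/aws/workspaces"},
  {"WorkspaceId": "ws-example0002", "UserName": "bob", "State": "AVAILABLE",
   "UserVolumeEncryptionEnabled": true},
  {"WorkspaceId": "ws-example0003", "UserName": "carol", "State": "STOPPED",
   "UserVolumeEncryptionEnabled": false, "RootVolumeEncryptionEnabled": false}
]}
""")

# Control ID -> DescribeWorkspaces field that answers the control's question.
CONTROLS = {
    "WorkSpaces.1": "UserVolumeEncryptionEnabled",
    "WorkSpaces.2": "RootVolumeEncryptionEnabled",
}


def evaluate_workspace(workspace):
    """Return {control_id: 'PASSED' | 'FAILED'} for one WorkSpace record."""
    # Assumption: a flag that is absent or null counts as "not encrypted",
    # so an incomplete record fails instead of silently passing.
    return {
        control: "PASSED" if workspace.get(field) is True else "FAILED"
        for control, field in CONTROLS.items()
    }


def failed_findings(response):
    """List (workspace_id, control_id) pairs that need remediation."""
    findings = []
    for ws in response.get("Workspaces", []):
        for control, status in evaluate_workspace(ws).items():
            if status == "FAILED":
                findings.append((ws["WorkspaceId"], control))
    return sorted(findings)


if __name__ == "__main__":
    for workspace_id, control in failed_findings(SAMPLE_RESPONSE):
        print(f"{control} FAILED for {workspace_id}")
```

To run the same check against an account, replace SAMPLE_RESPONSE with the parsed JSON output of `aws workspaces describe-workspaces`.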