Severity: HIGH
Source: Trivy
ID: AVD-AWS-0109

Root and user volumes on Workspaces should be encrypted

Both volumes of a WorkSpace, the root volume (operating system) and the user volume (user profile and documents), should be encrypted so that the data stored on them cannot be read by anyone who obtains the underlying storage or a snapshot of it.

Impact

If an unencrypted volume or a snapshot of it is obtained, its contents can be read directly, without any WorkSpaces or directory credentials.

Follow the appropriate remediation steps below to resolve the issue.

CloudFormation: set RootVolumeEncryptionEnabled and UserVolumeEncryptionEnabled to true

Volume encryption is chosen when the WorkSpace is launched and cannot be switched on afterwards, so an existing unencrypted WorkSpace has to be terminated and relaunched with these properties set. If VolumeEncryptionKey is omitted, the volumes are encrypted with the AWS managed key for WorkSpaces; set it to the ARN of a symmetric customer managed KMS key if you need control over key policy and rotation.
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      # Both flags default to false; each must be set explicitly.
      RootVolumeEncryptionEnabled: true
      UserVolumeEncryptionEnabled: true
      UserName: "admin"
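A small offline check of the CloudFormation side of this rule, added here as an illustration; it is not Trivy's own implementation (Trivy evaluates the rule with its built-in policy engine), it only mirrors the logic described on this page. It parses the JSON form of a template, which CloudFormation accepts alongside YAML, so it needs no third-party YAML library. The template it scans is constructed for the example. An absent flag, a non-true literal, and an unresolved intrinsic such as Ref are all reported as failures, because the default for both properties is unencrypted and a parameter cannot be proven to evaluate to true without the stack's inputs.

```python
import json

# Constructed sample template (not an official AWS template): one compliant
# WorkSpace, one with no encryption flags, one with only the root volume
# encrypted, one whose flags are left to a stack parameter, and an unrelated
# resource that the check must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"EncryptVolumes": {"Type": "String", "Default": "false"}},
    "Resources": {
        "GoodExample": {
            "Type": "AWS::WorkSpaces::Workspace",
            "Properties": {
                "RootVolumeEncryptionEnabled": True,
                "UserVolumeEncryptionEnabled": True,
                "UserName": "admin",
            },
        },
        "BadExample": {
            "Type": "AWS::WorkSpaces::Workspace",
            "Properties": {"UserName": "admin"},
        },
        "RootOnly": {
            "Type": "AWS::WorkSpaces::Workspace",
            "Properties": {
                "RootVolumeEncryptionEnabled": True,
                "UserVolumeEncryptionEnabled": "false",
                "UserName": "admin",
            },
        },
        "Parameterised": {
            "Type": "AWS::WorkSpaces::Workspace",
            "Properties": {
                "RootVolumeEncryptionEnabled": {"Ref": "EncryptVolumes"},
                "UserVolumeEncryptionEnabled": {"Ref": "EncryptVolumes"},
                "UserName": "admin",
            },
        },
        "Unrelated": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})

# The two properties this rule is about; both default to false in CloudFormation.
ENCRYPTION_FLAGS = ("RootVolumeEncryptionEnabled", "UserVolumeEncryptionEnabled")


def is_true(value):
    """Accept only a literal true: the JSON boolean or the string form that
    CloudFormation also accepts. An absent key (None), the value false, or an
    intrinsic function such as {"Ref": "..."} is not proven enabled."""
    if value is True:
        return True
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def find_unencrypted_workspaces(template_text):
    """Return {logical_id: [flags that are not explicitly true]} for every
    AWS::WorkSpaces::Workspace in the template. Resources of other types are
    skipped; a compliant WorkSpace does not appear in the result."""
    template = json.loads(template_text)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::WorkSpaces::Workspace":
            continue
        props = resource.get("Properties") or {}
        missing = [flag for flag in ENCRYPTION_FLAGS if not is_true(props.get(flag))]
        if missing:
            findings[logical_id] = missing
    return findings


if __name__ == "__main__":
    for logical_id, flags in find_unencrypted_workspaces(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: AVD-AWS-0109, not explicitly true: {', '.join(flags)}")
```

Running the script reports BadExample, RootOnly and Parameterised and stays silent on GoodExample. Treating a Ref as a failure is deliberate: a template whose encryption depends on a parameter defaulting to "false" is exactly the kind of drift a scanner should surface, and a reviewer can then decide whether to pin the value.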

Terraform: set root_volume_encryption_enabled and user_volume_encryption_enabled to true

Both arguments force replacement of the aws_workspaces_workspace resource when changed, because encryption can only be chosen at launch; expect a destroy and recreate in the plan when adding them to an existing WorkSpace. The optional volume_encryption_key argument takes the ARN of a symmetric KMS key; without it the AWS managed key for WorkSpaces is used.
resource "aws_workspaces_workspace" "good_example" {
  directory_id = aws_workspaces_directory.test.id
  bundle_id    = data.aws_workspaces_bundle.value_windows_10.id
  user_name    = "Administrator"

  # Both default to false; each must be set explicitly.
  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = true

  workspace_properties {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
}