Workspaces Workspace Volume Not Encrypted
- Query id: b9033580-6886-401a-8631-5f19f5bb24c7
- Query name: Workspaces Workspace Volume Not Encrypted
- Platform: Terraform
- Severity: High
- Category: Encryption
- CWE: 311
- URL: Github
Description
AWS WorkSpaces workspace data stored in the root and user volumes should be encrypted: both `root_volume_encryption_enabled` and `user_volume_encryption_enabled` must be set to `true` on the `aws_workspaces_workspace` resource; leaving either attribute unset or `false` leaves that volume unencrypted.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file (only the root volume is encrypted; `user_volume_encryption_enabled` is not set)
```hcl
resource "aws_workspaces_workspace" "example" {
  directory_id                   = aws_workspaces_directory.example.id
  bundle_id                      = data.aws_workspaces_bundle.value_windows_10.id
  user_name                      = "john.doe"
  root_volume_encryption_enabled = true
  volume_encryption_key          = "alias/aws/workspaces"
  workspace_properties {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
  tags = {
    Department = "IT"
  }
}
```
Positive test num. 2 - tf file (only the user volume is encrypted; `root_volume_encryption_enabled` is not set)
```hcl
resource "aws_workspaces_workspace" "example_2" {
  directory_id                   = aws_workspaces_directory.example.id
  bundle_id                      = data.aws_workspaces_bundle.value_windows_10.id
  user_name                      = "john.doe"
  user_volume_encryption_enabled = true
  volume_encryption_key          = "alias/aws/workspaces"
  workspace_properties {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
  tags = {
    Department = "IT"
  }
}
```
Positive test num. 3 - tf file (neither encryption flag is set; a key alias alone does not enable encryption)
```hcl
resource "aws_workspaces_workspace" "example_3" {
  directory_id          = aws_workspaces_directory.example.id
  bundle_id             = data.aws_workspaces_bundle.value_windows_10.id
  user_name             = "john.doe"
  volume_encryption_key = "alias/aws/workspaces"
  workspace_properties {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
  tags = {
    Department = "IT"
  }
}
```
Positive test num. 4 - tf file (both flags explicitly disabled)
```hcl
resource "aws_workspaces_workspace" "example_4" {
  directory_id                   = aws_workspaces_directory.example.id
  bundle_id                      = data.aws_workspaces_bundle.value_windows_10.id
  user_name                      = "john.doe"
  root_volume_encryption_enabled = false
  user_volume_encryption_enabled = false
  volume_encryption_key          = "alias/aws/workspaces"
  workspace_properties {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
  tags = {
    Department = "IT"
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file (both root and user volumes encrypted)
```hcl
resource "aws_workspaces_workspace" "example" {
  directory_id                   = aws_workspaces_directory.example.id
  bundle_id                      = data.aws_workspaces_bundle.value_windows_10.id
  user_name                      = "john.doe"
  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = true
  volume_encryption_key          = "alias/aws/workspaces"
  workspace_properties {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
  tags = {
    Department = "IT"
  }
}
```
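The check the samples above illustrate (both encryption flags must be explicitly `true`; absent or `false` is a finding), as an added stand-alone Python example that is not the project's own query. It uses a small line-oriented HCL reader, adequate for the flat resource blocks shown here, over a constructed snippet that mirrors positive test 3 and the negative test.

```python
import re
from typing import Dict, List

# Constructed sample: "example_3" omits both flags (finding), "example" sets both (clean).
SAMPLE_TF = '''
resource "aws_workspaces_workspace" "example_3" {
  directory_id          = aws_workspaces_directory.example.id
  volume_encryption_key = "alias/aws/workspaces"
  workspace_properties {
    compute_type_name = "VALUE"
  }
}
resource "aws_workspaces_workspace" "example" {
  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = true
  volume_encryption_key          = "alias/aws/workspaces"
}
'''

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')
REQUIRED_FLAGS = ("root_volume_encryption_enabled", "user_volume_encryption_enabled")

def parse_resources(tf: str) -> List[Dict]:
    """Collect the depth-1 attributes of each resource block, tracking brace depth
    so attributes inside nested blocks (workspace_properties, tags) are ignored."""
    resources, current, depth = [], None, 0
    for line in tf.splitlines():
        m = RESOURCE_RE.match(line)
        if m and depth == 0:
            current = {"type": m.group(1), "name": m.group(2), "attrs": {}}
            resources.append(current)
            depth = 1
            continue
        if current is None:
            continue
        a = ATTR_RE.match(line)
        if a and depth == 1:
            current["attrs"][a.group(1)] = a.group(2)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None  # closing brace of the resource block
    return resources

def find_unencrypted_workspaces(tf: str) -> List[str]:
    """One finding per workspace volume whose encryption flag is not literally true."""
    findings = []
    for r in parse_resources(tf):
        if r["type"] != "aws_workspaces_workspace":
            continue
        for flag in REQUIRED_FLAGS:
            value = r["attrs"].get(flag, "missing")
            if value != "true":
                findings.append(f'{r["name"]}: {flag} is {value}')
    return findings
```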