Workspace Without Encryption

  • Query id: 89827c57-5a8a-49eb-9731-976a606d70db
  • Query name: Workspace Without Encryption
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Workspaces should have encryption enabled
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  MyWorkSpace:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      BundleId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - BundleId
      DirectoryId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - DirectoryId
      UserName: !Ref 'UserName'
Positive test num. 2 - yaml file
Resources:
  MyWorkSpace2:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      BundleId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - BundleId
      DirectoryId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - DirectoryId
      UserName: !Ref 'UserName'
      UserVolumeEncryptionEnabled: false
Positive test num. 3 - json file
{
  "Resources": {
    "MyWorkSpace": {
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "BundleId": [
          "WSTypeMap",
          "WorkstationType",
          "BundleId"
        ],
        "DirectoryId": [
          "WSTypeMap",
          "WorkstationType",
          "DirectoryId"
        ],
        "UserName": "UserName"
      }
    }
  }
}

Positive test num. 4 - json file 
{
  "Resources": {
    "MyWorkSpace2": {
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "BundleId": [
          "WSTypeMap",
          "WorkstationType",
          "BundleId"
        ],
        "DirectoryId": [
          "WSTypeMap",
          "WorkstationType",
          "DirectoryId"
        ],
        "UserName": "UserName",
        "UserVolumeEncryptionEnabled": false
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  MyWorkSpace:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      BundleId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - BundleId
      DirectoryId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - DirectoryId
      UserName: !Ref 'UserName'
      UserVolumeEncryptionEnabled: true
Negative test num. 2 - yaml file
Resources:
  MyWorkSpace2:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      BundleId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - BundleId
      DirectoryId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - DirectoryId
      UserName: !Ref 'UserName'
      UserVolumeEncryptionEnabled: 'true'
Negative test num. 3 - json file
{
  "Resources": {
    "MyWorkSpace": {
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "BundleId": [
          "WSTypeMap",
          "WorkstationType",
          "BundleId"
        ],
        "DirectoryId": [
          "WSTypeMap",
          "WorkstationType",
          "DirectoryId"
        ],
        "UserName": "UserName",
        "UserVolumeEncryptionEnabled": true
      }
    }
  }
}

Negative test num. 4 - json file 
{
  "Resources": {
    "MyWorkSpace2": {
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "BundleId": [
          "WSTypeMap",
          "WorkstationType",
          "BundleId"
        ],
        "DirectoryId": [
          "WSTypeMap",
          "WorkstationType",
          "DirectoryId"
        ],
        "UserName": "UserName",
        "UserVolumeEncryptionEnabled": "true"
      }
    }
  }
}