AWS Security Hub · WorkSpaces
WorkSpaces.1: WorkSpaces user volumes should be encrypted at rest
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub WorkSpaces.1 check?
WorkSpaces.1 checks whether a WorkSpace's user volume (the D drive on Windows, `/home` on Linux) is encrypted at rest. Backed by the `workspaces-user-volume-encryption-enabled` Config rule on `AWS::WorkSpaces::Workspace`, it reports FAILED when the user volume isn't KMS-encrypted.
Why does WorkSpaces.1 matter?
The user volume is where the person's real work accumulates — documents, downloads, cloned repositories, profile and credential caches — and it survives reboots and rebuilds. A failing WorkSpace is a fully functional desktop writing all of that to disk in plaintext, which is exactly the persistent surface a compliance auditor, or an attacker who obtains a volume snapshot, cares about most.
How do I fix WorkSpaces.1?
- Audit the fleet for unencrypted user volumes and confirm there's no in-place toggle.
- Prepare and verify the KMS key (the managed `aws/workspaces` key or a customer-managed key) before launching anything.
- Recreate each WorkSpace with encryption on, backing up and restoring the user's data.
- Make encryption-by-default the provisioning standard so the finding can't return.
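The audit and recreate steps above, as an added example that is not part of this page or of AWS's tooling. It applies the same test the `workspaces-user-volume-encryption-enabled` rule applies (user volume flag must be literally true) to a constructed DescribeWorkspaces response so it runs offline, and builds the CreateWorkspaces request item that brings each failing WorkSpace back with encryption on. The WorkSpace IDs, directory, bundle and user names are made up; the key alias `alias/aws/workspaces` is the AWS-managed WorkSpaces key, and swapping in a customer-managed key ARN is the assumed way to use your own. In production you would feed it the pages returned by boto3's `describe_workspaces()` instead of the sample list.

```python
"""Audit WorkSpaces for unencrypted user volumes and build replacement requests.

Added example for this page (not AWS or Emnode code). Offline: it runs on a
constructed DescribeWorkspaces response. Recreating a WorkSpace does not carry
the old user volume's data over, so back up before and restore after.
"""
from __future__ import annotations
import json

# Constructed DescribeWorkspaces output. Field names follow the API; every ID is made up.
SAMPLE_WORKSPACES = [
    {   # user volume unencrypted, root encrypted: FAILS WorkSpaces.1
        "WorkspaceId": "ws-0example0001", "DirectoryId": "d-0example001",
        "UserName": "alice", "BundleId": "wsb-0example001", "State": "AVAILABLE",
        "UserVolumeEncryptionEnabled": False, "RootVolumeEncryptionEnabled": True,
        "VolumeEncryptionKey": "alias/aws/workspaces",
        "WorkspaceProperties": {"RunningMode": "AUTO_STOP",
                                "RunningModeAutoStopTimeoutInMinutes": 60,
                                "RootVolumeSizeGib": 80, "UserVolumeSizeGib": 50,
                                "ComputeTypeName": "STANDARD"},
    },
    {   # both volumes encrypted: PASSES
        "WorkspaceId": "ws-0example0002", "DirectoryId": "d-0example001",
        "UserName": "bob", "BundleId": "wsb-0example001", "State": "AVAILABLE",
        "UserVolumeEncryptionEnabled": True, "RootVolumeEncryptionEnabled": True,
        "VolumeEncryptionKey": "alias/aws/workspaces",
        "WorkspaceProperties": {"RunningMode": "ALWAYS_ON", "RootVolumeSizeGib": 80,
                                "UserVolumeSizeGib": 100, "ComputeTypeName": "PERFORMANCE"},
    },
    {   # encryption flags absent entirely (never encrypted): FAILS
        "WorkspaceId": "ws-0example0003", "DirectoryId": "d-0example002",
        "UserName": "carol", "BundleId": "wsb-0example002", "State": "STOPPED",
        "WorkspaceProperties": {"RunningMode": "AUTO_STOP",
                                "RunningModeAutoStopTimeoutInMinutes": 60,
                                "RootVolumeSizeGib": 80, "UserVolumeSizeGib": 10,
                                "ComputeTypeName": "VALUE"},
    },
]


def user_volume_unencrypted(ws: dict) -> bool:
    """Same decision as the Config rule: anything but an explicit True is a failure.

    A missing key is treated as unencrypted rather than skipped, so a WorkSpace
    whose response omits the flag cannot silently pass the audit.
    """
    return ws.get("UserVolumeEncryptionEnabled") is not True


def audit(workspaces: list[dict]) -> list[str]:
    """Return the WorkSpace IDs that would be reported FAILED by WorkSpaces.1."""
    return [ws["WorkspaceId"] for ws in workspaces if user_volume_unencrypted(ws)]


def build_recreate_request(ws: dict, kms_key: str = "alias/aws/workspaces") -> dict:
    """One item for the CreateWorkspaces `Workspaces` list that replaces `ws`.

    Both volumes are enabled for encryption: since a recreate is unavoidable,
    doing it once also satisfies WorkSpaces.2 (root volume). Compute type and
    volume sizes are carried over so the user gets the same desktop shape.
    """
    return {
        "DirectoryId": ws["DirectoryId"],
        "UserName": ws["UserName"],
        "BundleId": ws["BundleId"],
        "VolumeEncryptionKey": kms_key,  # managed key by default; CMK ARN is an assumed swap-in
        "UserVolumeEncryptionEnabled": True,
        "RootVolumeEncryptionEnabled": True,
        "WorkspaceProperties": dict(ws.get("WorkspaceProperties", {})),
        # Constructed tag so the replacement can be traced back to the failing WorkSpace.
        "Tags": [{"Key": "ReplacedWorkspaceId", "Value": ws["WorkspaceId"]}],
    }


def recreate_requests_json(workspaces: list[dict], kms_key: str = "alias/aws/workspaces") -> str:
    """JSON for `aws workspaces create-workspaces --workspaces file://requests.json`,
    containing only the WorkSpaces that fail the check."""
    items = [build_recreate_request(ws, kms_key)
             for ws in workspaces if user_volume_unencrypted(ws)]
    return json.dumps(items, indent=2)


if __name__ == "__main__":
    print("FAILED:", audit(SAMPLE_WORKSPACES))
    print(recreate_requests_json(SAMPLE_WORKSPACES))
```

The JSON this emits is the `--workspaces` payload the page's recreate step needs; run the backup of each user's D drive or `/home` before submitting it, and terminate the original only after the restore has been verified on the new, encrypted WorkSpace.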
Remediation script · bash
# 1. Flip the EBS default across every enabled region (idempotent, free, applies to new EBS volumes only).
#    This does not reach WorkSpaces volumes: those are encrypted only when the WorkSpace is created.
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
echo "$region: EBS default encryption on"
done
# 2. Inventory the storage whose encryption can't be changed in place and must be migrated.
aws efs describe-file-systems \
--query 'FileSystems[?Encrypted==`false`].[FileSystemId,Name,SizeInBytes.Value]' --output table
# WorkSpaces.1 is about the user volume, so filter on UserVolumeEncryptionEnabled (root shown for WorkSpaces.2).
aws workspaces describe-workspaces \
--query 'Workspaces[?UserVolumeEncryptionEnabled==`false`].[WorkspaceId,UserName,DirectoryId,RootVolumeEncryptionEnabled]' --output table
# 3. Create an encrypted EFS replacement (then migrate data with AWS DataSync, cut over, delete source).
aws efs create-file-system --encrypted \
--kms-key-id alias/storage-encryption \
--performance-mode generalPurpose --throughput-mode elastic
# 4. Confirm the default holds, then back it with a Config rule and an SCP.
aws ec2 get-ebs-encryption-by-default --query 'EbsEncryptionByDefault'
Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt EBS and EFS storage at rest.
Is WorkSpaces.1 a false positive?
There's no 'encrypt now' button — encryption is chosen at creation, so teams expecting an in-place toggle will find the only fix is recreating the WorkSpace.
More WorkSpaces controls
- WorkSpaces.2 WorkSpaces root volumes should be encrypted at rest