Compliance · Medium severity

AWS Security Hub · WorkSpaces

WorkSpaces.2: WorkSpaces root volumes should be encrypted at rest

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub WorkSpaces.2 check?

WorkSpaces.2 checks whether a WorkSpace's root volume (the C drive on Windows, the system partition on Linux) is encrypted at rest with a KMS key. It reports FAILED when the root volume isn't encrypted. It's the sibling of WorkSpaces.1, which covers the user volume — the two are separate findings because encryption is chosen per-volume at creation.

Why does WorkSpaces.2 matter?

People assume the root volume is 'just the OS, nothing sensitive,' but cached credentials, browser-stored sessions, downloaded attachments in temp folders, swap/pagefile contents, and registry hives all live there. Anyone who obtains the underlying storage — a snapshot, a block device, a backup — sees that data in plaintext if the volume isn't encrypted.

How do I fix WorkSpaces.2?

  1. Scope every WorkSpace with an unencrypted root volume.
  2. Back up user data, then recreate each WorkSpace with root-volume encryption enabled.
  3. Make encryption-by-default the provisioning standard.
  4. Add a Config guardrail and keep KMS key access scoped so it stays fixed.

Remediation script · bash

#!/usr/bin/env bash
set -euo pipefail

# 1. Flip the EBS default across every enabled region (idempotent, free, new volumes only).
#    This covers EC2-managed volumes going forward; WorkSpaces root and user volumes are
#    only encrypted when that is chosen at creation, which steps 2 and 3 deal with.
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
  echo "$region: EBS default encryption on"
done

# 2. Inventory the storage whose encryption setting cannot be changed in place
#    (EFS file systems and WorkSpaces volumes): these must be migrated or recreated.
aws efs describe-file-systems \
  --query 'FileSystems[?Encrypted==`false`].[FileSystemId,Name,SizeInBytes.Value]' --output table
aws workspaces describe-workspaces \
  --query 'Workspaces[?RootVolumeEncryptionEnabled==`false`].[WorkspaceId,UserName]' --output table

# 3. Create an encrypted EFS replacement (the alias must already exist in this region),
#    then migrate data with AWS DataSync, cut over, and delete the source file system.
aws efs create-file-system --encrypted \
  --kms-key-id alias/storage-encryption \
  --performance-mode generalPurpose --throughput-mode elastic

# 4. Confirm the default holds in the current region (repeat with --region for the others),
#    then back it with a Config rule and an SCP.
aws ec2 get-ebs-encryption-by-default --query 'EbsEncryptionByDefault'
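The script above finds the failing desktops but leaves the recreate step (step 2 of the fix) to the reader. The following Python is an added example, not Emnode's code and not part of the lesson: it evaluates the WorkSpaces.2 logic over a constructed sample shaped like `aws workspaces describe-workspaces --output json` output, and drafts the `Workspaces[]` item for `aws workspaces create-workspaces --workspaces file://...` with both volumes encrypted. The WorkSpace IDs, directory, bundle and KMS key ARN are hypothetical placeholders, and the sample includes the case the false-positive section describes (user volume encrypted, root volume not).

```python
"""Evaluate Security Hub control WorkSpaces.2 over describe-workspaces output
and draft the encrypted replacement request for each failing desktop."""
import json

# Constructed sample in the shape of `aws workspaces describe-workspaces` JSON
# output. All identifiers below are hypothetical placeholders.
SAMPLE_DESCRIBE_WORKSPACES = json.dumps({
    "Workspaces": [
        {   # Both volumes encrypted: WorkSpaces.1 and WorkSpaces.2 pass.
            "WorkspaceId": "ws-example0001", "DirectoryId": "d-EXAMPLEDIR",
            "UserName": "alice", "BundleId": "wsb-EXAMPLEBNDL",
            "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True,
            "VolumeEncryptionKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "WorkspaceProperties": {"RunningMode": "AUTO_STOP",
                                    "RootVolumeSizeGib": 80, "UserVolumeSizeGib": 50},
        },
        {   # User volume encrypted, root volume not: WorkSpaces.1 passes, WorkSpaces.2 fails.
            "WorkspaceId": "ws-example0002", "DirectoryId": "d-EXAMPLEDIR",
            "UserName": "bob", "BundleId": "wsb-EXAMPLEBNDL",
            "RootVolumeEncryptionEnabled": False, "UserVolumeEncryptionEnabled": True,
            "VolumeEncryptionKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "WorkspaceProperties": {"RunningMode": "ALWAYS_ON",
                                    "RootVolumeSizeGib": 175, "UserVolumeSizeGib": 100},
        },
        {   # Legacy desktop created with no encryption at all; the key field is absent.
            "WorkspaceId": "ws-example0003", "DirectoryId": "d-EXAMPLEDIR",
            "UserName": "carol", "BundleId": "wsb-EXAMPLEBNDL",
            "RootVolumeEncryptionEnabled": False, "UserVolumeEncryptionEnabled": False,
            "WorkspaceProperties": {"RunningMode": "AUTO_STOP",
                                    "RootVolumeSizeGib": 80, "UserVolumeSizeGib": 10},
        },
    ]
})

# Only these WorkspaceProperties keys are carried over to the new request; the
# rest of the describe output (state, IP, modification history) is not input.
CARRIED_PROPERTIES = ("RunningMode", "RootVolumeSizeGib", "UserVolumeSizeGib", "ComputeTypeName")


def evaluate_workspaces_2(describe_output: str) -> dict:
    """Mirror the control: FAILED whenever the root volume is not encrypted,
    regardless of the user volume. A missing flag is treated as unencrypted."""
    data = json.loads(describe_output)
    return {ws["WorkspaceId"]: "PASSED" if ws.get("RootVolumeEncryptionEnabled") else "FAILED"
            for ws in data["Workspaces"]}


def failing_workspaces(describe_output: str) -> list:
    """Return the full records of the desktops that need recreating."""
    data = json.loads(describe_output)
    return [ws for ws in data["Workspaces"] if not ws.get("RootVolumeEncryptionEnabled")]


def replacement_request(workspace: dict, kms_key_arn: str) -> dict:
    """Draft one item of the CreateWorkspaces `Workspaces` list: same directory,
    user, bundle and sizes as the failing desktop, with both volumes encrypted
    under the given key (hypothetical ARN in the sample). Back up the user's
    data before submitting it, since the old desktop is terminated afterwards."""
    props = workspace.get("WorkspaceProperties", {})
    return {
        "DirectoryId": workspace["DirectoryId"],
        "UserName": workspace["UserName"],
        "BundleId": workspace["BundleId"],
        "VolumeEncryptionKey": kms_key_arn,
        "RootVolumeEncryptionEnabled": True,
        "UserVolumeEncryptionEnabled": True,
        "WorkspaceProperties": {k: v for k, v in props.items() if k in CARRIED_PROPERTIES},
        # Tag the replacement so the old ID can be matched during cut-over.
        "Tags": [{"Key": "replaces", "Value": workspace["WorkspaceId"]}],
    }


def verify_replacement(request: dict) -> bool:
    """Pre-flight gate before calling create-workspaces: the encryption choice
    is immutable once the desktop exists, so a wrong request means a second
    rebuild. Requires both flags set and a key named."""
    return (request.get("RootVolumeEncryptionEnabled") is True
            and request.get("UserVolumeEncryptionEnabled") is True
            and bool(request.get("VolumeEncryptionKey")))


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    for ws_id, status in evaluate_workspaces_2(SAMPLE_DESCRIBE_WORKSPACES).items():
        print(f"{ws_id}: WorkSpaces.2 {status}")
    batch = [replacement_request(ws, key) for ws in failing_workspaces(SAMPLE_DESCRIBE_WORKSPACES)]
    assert all(verify_replacement(r) for r in batch)
    # Feed this file to: aws workspaces create-workspaces --workspaces file://recreate.json
    print(json.dumps(batch, indent=2))
```

The draft deliberately turns on user-volume encryption as well, because a replacement that fixes WorkSpaces.2 but leaves WorkSpaces.1 failing would have to be rebuilt again; keep the key's KMS policy scoped to the WorkSpaces service role and the provisioning principals so the guardrail in step 4 stays meaningful.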

Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt EBS and EFS storage at rest.

Is WorkSpaces.2 a false positive?

Encryption can't be toggled on an existing WorkSpace and is chosen per-volume, so a WorkSpace can have its user volume encrypted while the root volume still fails — remediation always means recreating the desktop.

Part of the learning path Encrypt everything
  • WorkSpaces.1 WorkSpaces user volumes should be encrypted at rest