Metadata

Id: 89827c57-5a8a-49eb-9731-976a606d70db

Cloud Provider: AWS

Platform: CloudFormation

Severity: High

Category: Encryption

Description

User volumes for Amazon WorkSpaces must be encrypted to protect sensitive user data at rest and to reduce the risk of data exposure if storage media, snapshots, or backups are compromised.

In CloudFormation, AWS::WorkSpaces::Workspace resources must include Properties.UserVolumeEncryptionEnabled set to true. Resources that omit this property or set it to false will be flagged. Ensure the property is explicitly defined as a boolean true in your template so encryption is enforced for user volumes.

Secure configuration example:

MyWorkSpace:
  Type: AWS::WorkSpaces::Workspace
  Properties:
    BundleId: ws-bundle-id
    DirectoryId: d-xxxxxxxxx
    UserName: example-user
    UserVolumeEncryptionEnabled: true
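
As an added illustration of the check described above (example code written for this page, not Datadog's rule engine), the following script walks a CloudFormation template and reports every `AWS::WorkSpaces::Workspace` whose `UserVolumeEncryptionEnabled` is missing or not true. It reads JSON templates with the standard library only; the sample template is constructed, and YAML templates using intrinsic tags such as `!Ref` would need a tag-aware loader, which is assumed out of scope here.

```python
"""Flag WorkSpaces resources without user-volume encryption in a CloudFormation JSON template."""
import json

WORKSPACE_TYPE = "AWS::WorkSpaces::Workspace"
PROPERTY = "UserVolumeEncryptionEnabled"


def _is_true(value):
    # Both boolean true and the string 'true' are accepted, matching the
    # compliant examples on this page; anything else counts as disabled.
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unencrypted_workspaces(template):
    """Return logical IDs of WorkSpaces whose user volume is not encrypted."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != WORKSPACE_TYPE:
            continue
        props = resource.get("Properties") or {}
        # A missing property is treated like an explicit false: the default is unencrypted.
        if not _is_true(props.get(PROPERTY)):
            findings.append(logical_id)
    return findings


def check_template_json(text):
    """Parse a JSON template string and return the non-compliant logical IDs."""
    return find_unencrypted_workspaces(json.loads(text))


# Constructed sample: one compliant WorkSpace, two non-compliant ones, one unrelated resource.
_BASE = {"BundleId": "ws-bundle-id", "DirectoryId": "d-xxxxxxxxx", "UserName": "example-user"}
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "Encrypted": {"Type": WORKSPACE_TYPE, "Properties": {**_BASE, PROPERTY: True}},
        "Missing": {"Type": WORKSPACE_TYPE, "Properties": dict(_BASE)},
        "Disabled": {"Type": WORKSPACE_TYPE, "Properties": {**_BASE, PROPERTY: False}},
        "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
})

if __name__ == "__main__":
    for logical_id in check_template_json(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {PROPERTY} must be set to true")
```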

Compliant Code Examples

Resources:
  MyWorkSpace:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      BundleId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - BundleId
      DirectoryId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - DirectoryId
      UserName: !Ref 'UserName'
      UserVolumeEncryptionEnabled: true

{
  "Resources": {
    "MyWorkSpace2": {
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "BundleId": [
          "WSTypeMap",
          "WorkstationType",
          "BundleId"
        ],
        "DirectoryId": [
          "WSTypeMap",
          "WorkstationType",
          "DirectoryId"
        ],
        "UserName": "UserName",
        "UserVolumeEncryptionEnabled": "true"
      }
    }
  }
}

Resources:
  MyWorkSpace2:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      BundleId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - BundleId
      DirectoryId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - DirectoryId
      UserName: !Ref 'UserName'
      UserVolumeEncryptionEnabled: 'true'

Non-Compliant Code Examples

Resources:
  MyWorkSpace2:
    Type: AWS::WorkSpaces::Workspace
    Properties:
      BundleId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - BundleId
      DirectoryId: !FindInMap
        - WSTypeMap
        - !Ref 'WorkstationType'
        - DirectoryId
      UserName: !Ref 'UserName'
      UserVolumeEncryptionEnabled: false

{
  "Resources": {
    "MyWorkSpace": {
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "BundleId": [
          "WSTypeMap",
          "WorkstationType",
          "BundleId"
        ],
        "DirectoryId": [
          "WSTypeMap",
          "WorkstationType",
          "DirectoryId"
        ],
        "UserName": "UserName"
      }
    }
  }
}

{
  "Resources": {
    "MyWorkSpace2": {
      "Type": "AWS::WorkSpaces::Workspace",
      "Properties": {
        "BundleId": [
          "WSTypeMap",
          "WorkstationType",
          "BundleId"
        ],
        "DirectoryId": [
          "WSTypeMap",
          "WorkstationType",
          "DirectoryId"
        ],
        "UserName": "UserName",
        "UserVolumeEncryptionEnabled": false
      }
    }
  }
}