Add new check: Amazon WorkSpaces - Check encryption at rest #141
Comments
Hi 🙂 JFYI, I'd be cautious about mandatory workspace volume encryption because it blocks image creation and you can't disable encryption at the moment.
It's good to be aware of those limitations. For the image creation use case, is this typically an administrator creating an image that is then deployed for many users? Are there times when a user's machine would be used to create an image?
Yes, administrator.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!
WorkSpaces should have both root and user volumes encrypted at rest.
RootVolumeEncryptionEnabled / UserVolumeEncryptionEnabled: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-workspaces-workspace.html
This is not supported in Terraform as of yet, but coming with an aws_workspaces_workspace and root_volume_encryption_enabled/user_volume_encryption_enabled:
hashicorp/terraform-provider-aws#11608
hashicorp/terraform-provider-aws#434
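One way the check requested above could be evaluated against a parsed CloudFormation template, as an added example (not Checkov's own check code and not part of the issue). The function names and the sample template are constructed, and treating an absent flag as an unencrypted volume is an assumption.

```python
WORKSPACE_TYPE = "AWS::WorkSpaces::Workspace"
VOLUME_FLAGS = ("RootVolumeEncryptionEnabled", "UserVolumeEncryptionEnabled")

def flag_state(value):
    """Classify one property value as 'enabled', 'disabled' or 'unresolved'."""
    if isinstance(value, bool):
        return "enabled" if value else "disabled"
    if isinstance(value, str) and value.lower() in ("true", "false"):
        # CloudFormation templates often carry booleans as strings
        return "enabled" if value.lower() == "true" else "disabled"
    if isinstance(value, dict):
        return "unresolved"  # intrinsic function (Ref, Fn::If, ...): not statically known
    return "disabled"  # assumption: absent or malformed means the volume is unencrypted

def check_workspaces(template):
    """Map each WorkSpace logical ID to (result, offending property names)."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != WORKSPACE_TYPE:
            continue
        props = resource.get("Properties", {})
        states = {flag: flag_state(props.get(flag)) for flag in VOLUME_FLAGS}
        disabled = [f for f in VOLUME_FLAGS if states[f] == "disabled"]
        unresolved = [f for f in VOLUME_FLAGS if states[f] == "unresolved"]
        if disabled:
            findings[logical_id] = ("FAILED", disabled)
        elif unresolved:
            findings[logical_id] = ("UNKNOWN", unresolved)
        else:
            findings[logical_id] = ("PASSED", [])
    return findings

# Constructed sample template, already parsed from JSON/YAML into a dict.
SAMPLE_TEMPLATE = {"Resources": {
    "Encrypted": {"Type": WORKSPACE_TYPE, "Properties": {
        "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": "true"}},
    "RootOnly": {"Type": WORKSPACE_TYPE, "Properties": {
        "RootVolumeEncryptionEnabled": True}},
    "Plain": {"Type": WORKSPACE_TYPE, "Properties": {"UserName": "example-user"}},
    "Parametrized": {"Type": WORKSPACE_TYPE, "Properties": {
        "RootVolumeEncryptionEnabled": {"Ref": "EncryptRoot"},
        "UserVolumeEncryptionEnabled": "true"}},
    "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
}}

if __name__ == "__main__":
    for logical_id, (result, flags) in check_workspaces(SAMPLE_TEMPLATE).items():
        print(f"{result:8} {logical_id} {', '.join(flags)}")
```

The `UNKNOWN` result keeps a parameterised flag from being reported as either a pass or a failure when its value is only known at deploy time.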