Encrypt WorkSpaces Using AWS Key Management Service (AWS KMS)
Amazon WorkSpaces is a managed desktop computing service in the cloud. It allows end users to access the corporate data, applications and resources in a cloud based desktop environment. The Amazon WorkSpaces provides this high-quality cloud desktop experience on varied supporting devices including Windows, Linux and Mac computers, Chrome books, iPad, Kindle Fire tablets, and Android tablets.
The AWS Management Console, makes provisioning and managing the huge number of users easy. Amazon WorkSpaces compared to the traditional desktops or the Virtual Desktop Infrastructure (VDI) solutions, offers a competitive cost for the organizations.
Move your desktop to the cloud
AWS WorkSpace provides users with a desktop experience in the cloud that can be accessed from any connected device. Three simple steps will let you use the cloud resources in a WorkSpace environment.
- Select the WorkSpace Service bundle and assign the users.
- Setup password and download the client.
- Start using the Amazon WorkSpaces.
Once the Amazon WorkSpaces are created, you can start using it. Amazon WorkSpaces uses Amazon Elastic Block Store (Amazon EBS) to create and manage the storage volumes. Encrypting the Amazon WorkSpaces is an important step when using the WorkSpaces.
When you launch a new WorkSpace, you have the option to encrypt the root volume (C: drive) and the user volume (D: drive). This ensures that the data stored in the EBS, is always encrypted when it is used for replication and restoration during the Disaster Recovery process.
You can encrypt your storage volumes either from the Amazon WorkSpaces console, or by using the Amazon WorkSpaces API.
How Encryption of WorkSpaces occurs
Amazon WorkSpaces is integrated with the AWS Key Management Service (AWS KMS). The first time you launch a WorkSpace from the Amazon WorkSpaces console in a region, a default Customer Master Key (CMK) is created for you automatically.
You can select this key to encrypt the user and root volume of your WorkSpace. Or, you can choose a custom CMK that you created separately in AWS KMS. Both services use your KMS customer master key (CMK) to work with the encrypted volumes.
Note: One CMK can be used to encrypt up to 30 WorkSpaces in a region. This limit applies to the default CMK and to custom CMKs.
The following steps are initiated when you create Amazon WorkSpaces with EBS volumes:
- Only one CMK is created to use for encryption, which can be used only for the WorkSpace associated with the specified user and directory, and only for the specified volume.
- Amazon EBS requests for a encrypt volume data key, which specifies the WorkSpace user’s id, directory ID and volume ID as encryption context.
- AWS KMS creates a new encrypted data key under your CMK, and sends it to Amazon EBS, which attaches the encrypted volume to your WorkSpace.
- AWS KMS uses your CMK to decrypt the data key, and sends the plain text data key back to the Amazon EBS.
- Amazon EBS uses the plaintext data key to encrypt all data going to and from the encrypted volume. Amazon EBS keeps the plain text data key in memory for as long as the volume is attached to the WorkSpace.
- Amazon EBS stores the encrypted data key for future use in case you reboot or rebuild the WorkSpace.