Data encryption at rest for Amazon WorkSpaces Thin Client
Amazon WorkSpaces Thin Client provides encryption by default to protect sensitive customer data at rest by using AWS owned encryption keys.
AWS owned keys — Amazon WorkSpaces Thin Client uses these keys by default to automatically encrypt personally identifiable data. You cannot view, manage, or use AWS owned keys or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see AWS owned keys in the AWS Key Management Service Developer Guide.
Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements.
While you can't disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption over the existing AWS owned encryption keys by choosing a customer managed key when you create your Thin Client Environment:
Customer managed keys — Amazon WorkSpaces Thin Client supports the use of a symmetric customer managed key that you create, own, and manage to add a second layer of encryption on the existing AWS owned encryption. Because you have full control of this layer of encryption, you can perform such tasks as the following:
Establishing and maintaining key policies
Establishing and maintaining IAM policies
Enabling and disabling key policies
Rotating key cryptographic material
Adding tags
Creating key aliases
Scheduling keys for deletion
For more information, see customer managed key in the AWS Key Management Service Developer Guide.
The following table summarizes how Amazon WorkSpaces Thin Client encrypts personally identifiable data.
Data type | AWS owned key encryption | Customer managed key encryption (Optional)
---|---|---
Environment name (WorkSpaces Thin Client Environment name) | Enabled | Enabled
Device name (WorkSpaces Thin Client Device name) | Enabled | Enabled
User activity (WorkSpaces Thin Client User activity) | Enabled | Enabled
Device settings (WorkSpaces Thin Client Device settings) | Enabled | Enabled
Device creation tags (WorkSpaces Thin Client Environment device creation tags) | Enabled | Enabled
Note
Amazon WorkSpaces Thin Client automatically enables encryption at rest by using AWS owned keys to protect personally identifiable data at no charge.
However, AWS KMS charges apply for using a customer managed key. For more information about pricing, see AWS Key Management Service pricing.
How Amazon WorkSpaces Thin Client uses AWS KMS
To use your customer managed key, Amazon WorkSpaces Thin Client requires a key policy that allows the service to perform the following internal operations:
Send GenerateDataKey requests to AWS KMS to encrypt the data.
Send Decrypt requests to AWS KMS to decrypt the encrypted data.
You can remove the service's access to the customer managed key at any time. If you do, Amazon WorkSpaces Thin Client won't be able to access any of the data encrypted by the customer managed key, which affects operations that depend on that data. For example, if you attempt to get details of an Environment whose data WorkSpaces Thin Client can no longer decrypt, the operation returns an AccessDeniedException error. Additionally, WorkSpaces Thin Client devices will no longer be able to use that WorkSpaces Thin Client Environment. Disabling the key or scheduling it for deletion has the same practical effect, because AWS KMS rejects cryptographic operations with a key in those states.
Create a customer managed key
You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS API operations.
To create a symmetric customer managed key
Follow the steps for Creating symmetric customer managed key in the AWS Key Management Service Developer Guide.
Key policy
Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see Managing access to customer managed keys in the AWS Key Management Service Developer Guide.
To use your customer managed key with your Amazon WorkSpaces Thin Client resources, the following API operations must be permitted in the key policy:
kms:DescribeKey — Provides the customer managed key details so Amazon WorkSpaces Thin Client can validate the key.
kms:GenerateDataKey — Allows using the customer managed key to encrypt the data.
kms:Decrypt — Allows using the customer managed key to decrypt the data.
The following are policy statement examples you can add for Amazon WorkSpaces Thin Client. Replace region, 111122223333, and key_ID with your AWS Region, account ID, and key ID. The first statement uses the wildcard principal "*"; it is safe only because the kms:CallerAccount and kms:ViaService conditions limit it to callers in your account that go through the WorkSpaces Thin Client service, so keep both conditions if you adapt it.
{
    "Statement": [
        {
            "Sid": "Allow access to principals authorized to use Amazon WorkSpaces Thin Client",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "thinclient.region.amazonaws.com",
                    "kms:CallerAccount": "111122223333"
                }
            }
        },
        {
            "Sid": "Allow Amazon WorkSpaces Thin Client service to encrypt and decrypt data",
            "Effect": "Allow",
            "Principal": {"Service": "thinclient.amazonaws.com"},
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:SourceArn": "arn:aws:thinclient:region:111122223333:*",
                    "kms:EncryptionContext:aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:*"
                }
            }
        },
        {
            "Sid": "Allow access for key administrators",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": ["kms:*"],
            "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
        },
        {
            "Sid": "Allow read-only access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*"
            ],
            "Resource": "*"
        }
    ]
}
For more information about specifying permissions in a policy, see the AWS Key Management Service Developer Guide.
For more information about troubleshooting key access, see the AWS Key Management Service Developer Guide.
Specifying a customer managed key for WorkSpaces Thin Client
You can specify a customer managed key as a second layer of encryption for the following resource:
WorkSpaces Thin Client Environment
When you create an Environment, you can specify the customer managed key by providing a kmsKeyArn, which Amazon WorkSpaces Thin Client uses to encrypt the personally identifiable data.
kmsKeyArn — A key identifier for an AWS KMS customer managed key. Provide a key ARN.
When a new WorkSpaces Thin Client device is added to the WorkSpaces Thin Client Environment encrypted with a customer managed key, the WorkSpaces Thin Client Device inherits the customer managed key setting from the WorkSpaces Thin Client Environment.
An encryption context is an optional set of key-value pairs that contains additional contextual information about the data.
AWS KMS uses the encryption context as additional authenticated data to support authenticated encryption. When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt data, include the same encryption context in the request.
Amazon WorkSpaces Thin Client encryption context
Amazon WorkSpaces Thin Client uses the same encryption context in all AWS KMS cryptographic operations, where the key is aws:thinclient:arn and the value is the Amazon Resource Name (ARN) of the Environment or Device whose data is being protected.
The following is the Environment encryption context:
"encryptionContext": { "aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:environment/environment_ID" }
The following is the Device encryption context:
"encryptionContext": { "aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:device/device_ID" }
Using encryption context for monitoring
When you use a symmetric customer managed key to encrypt your WorkSpaces Thin Client Environment and Device data, you can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in logs generated by AWS CloudTrail or Amazon CloudWatch Logs.
Using encryption context to control access to your customer managed key
You can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key.
The following is an example key policy statement that grants access to a customer managed key for a specific encryption context. The condition in this statement requires that the kms:Decrypt request include an encryption context whose aws:thinclient:arn value is the specified Environment ARN; a request for any other Environment or Device is not matched by this statement.
{
    "Sid": "Enable Decrypt to access Thin Client Environment",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:EncryptionContext:aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:environment/environment_ID"
        }
    }
}
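As an added example (not code from this page or from AWS), the following Python script evaluates the key policy statements from the Key policy section and the encryption context statement above offline, before they are attached to a key. It fills in the placeholders, then checks that the service can decrypt for an Environment or Device ARN, that a caller in your account is allowed only through the WorkSpaces Thin Client service, that the encryption context statement lets ExampleReadOnlyRole decrypt only the named Environment, and that removing the service statement denies the service, which is the AccessDeniedException case described under "How Amazon WorkSpaces Thin Client uses AWS KMS". The account, Region, key ID and Environment ID values are constructed placeholders, and the evaluator models only the IAM features this policy uses.

```python
"""Offline evaluator for the WorkSpaces Thin Client key policy shown on this page.

Added example, not AWS code. It models only the IAM features this policy uses
(Allow/Deny, AWS and Service principals, StringEquals/StringLike conditions,
wildcard actions and resources); account-root delegation to IAM identities
and other IAM behaviour are not modelled.
"""
import fnmatch

# Constructed example values standing in for the page's placeholders
# region, 111122223333 and key_ID.
ACCOUNT, REGION = "111122223333", "us-east-1"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ENV_ARN = f"arn:aws:thinclient:{REGION}:{ACCOUNT}:environment/env-example"
SERVICE = {"Service": "thinclient.amazonaws.com"}


def key_policy(account, region, key_arn):
    """The page's key policy with its placeholders filled in."""
    tc_any = f"arn:aws:thinclient:{region}:{account}:*"
    root = {"AWS": f"arn:aws:iam::{account}:root"}
    return {"Statement": [
        {"Sid": "Allow access to principals authorized to use Amazon WorkSpaces Thin Client",
         "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": f"thinclient.{region}.amazonaws.com",
                                        "kms:CallerAccount": account}}},
        {"Sid": "Allow Amazon WorkSpaces Thin Client service to encrypt and decrypt data",
         "Effect": "Allow", "Principal": SERVICE,
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*",
         "Condition": {"StringLike": {"aws:SourceArn": tc_any,
                                      "kms:EncryptionContext:aws:thinclient:arn": tc_any}}},
        {"Sid": "Allow access for key administrators", "Effect": "Allow",
         "Principal": root, "Action": ["kms:*"], "Resource": key_arn},
        {"Sid": "Allow read-only access to key metadata to the account", "Effect": "Allow",
         "Principal": root, "Action": ["kms:Describe*", "kms:Get*", "kms:List*"],
         "Resource": "*"},
    ]}


def with_environment_scoped_decrypt(policy, role_arn, environment_arn):
    """Append the page's encryption context statement for one Environment."""
    stmt = {"Sid": "Enable Decrypt to access Thin Client Environment", "Effect": "Allow",
            "Principal": {"AWS": role_arn}, "Action": "kms:Decrypt", "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:EncryptionContext:aws:thinclient:arn": environment_arn}}}
    return {"Statement": policy["Statement"] + [stmt]}


def without_service_access(policy):
    """Drop the service statement: what removing the service's access looks like."""
    return {"Statement": [s for s in policy["Statement"] if s["Principal"] != SERVICE]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_principal(allowed, principal):
    # principal is {"AWS": arn} or {"Service": name}; "*" matches any principal of that kind.
    return any(principal.get(kind) is not None and want in ("*", principal[kind])
               for kind, wants in allowed.items() for want in _as_list(wants))


def _conditions_hold(condition, context):
    for operator, tests in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"condition operator {operator} not modelled")
        for key, wanted in tests.items():
            actual = context.get(key)
            if actual is None:  # a key absent from the request never satisfies the test
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted)):
                return False
    return True


def is_allowed(policy, principal, action, context=None, resource=KEY_ARN):
    """True if the policy allows the call; an explicit Deny always wins."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches_principal(stmt["Principal"], principal)
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                and _conditions_hold(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def service_can_decrypt(policy, thinclient_arn):
    """The Decrypt call the service makes on behalf of an Environment or Device."""
    ctx = {"aws:SourceArn": thinclient_arn,
           "kms:EncryptionContext:aws:thinclient:arn": thinclient_arn}
    return is_allowed(policy, SERVICE, "kms:Decrypt", ctx)
```

Run it with your own account ID, Region and key ARN to confirm the statements you intend to attach still let the service decrypt and still deny everyone else; the evaluator is deliberately strict about missing condition keys, which is how IAM treats a StringEquals or StringLike test whose key is absent from the request.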
Monitoring your encryption keys for Amazon WorkSpaces Thin Client
When you use an AWS KMS customer managed key with your Amazon WorkSpaces Thin Client resources, you can use AWS CloudTrail or Amazon CloudWatch Logs to track requests that Amazon WorkSpaces Thin Client sends to AWS KMS.
The following examples are AWS CloudTrail events for DescribeKey, GenerateDataKey, and Decrypt, which you can use to monitor the KMS operations that Amazon WorkSpaces Thin Client calls to access data encrypted by your customer managed key:
In the following examples, you can see encryptionContext for the WorkSpaces Thin Client Environment. Similar CloudTrail events are recorded for the WorkSpaces Thin Client Device.
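As an added example (not the page's CloudTrail events, which are not reproduced here, and not AWS code), the following Python script shows how the encryption context described above can drive monitoring: it reads CloudTrail records, keeps the KMS calls that the WorkSpaces Thin Client service made against a given customer managed key, groups them by the aws:thinclient:arn value so Environment and Device usage can be told apart, and flags denied calls, which is what appears after the service's access to the key is removed. The records are constructed for illustration and trimmed to the fields the code reads; the script assumes service-originated calls carry userIdentity.invokedBy set to thinclient.amazonaws.com and that a denied call carries an errorCode, both standard CloudTrail fields.

```python
"""Summarise KMS calls that WorkSpaces Thin Client made against a customer managed key.

Added example, not AWS code. The CloudTrail records below are constructed and
trimmed to the fields the code reads; invokedBy and errorCode are standard
CloudTrail fields, assumed here to be populated as shown.
"""
import json
from collections import Counter, defaultdict

# Constructed example ARNs standing in for the page's placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ENV_ARN = "arn:aws:thinclient:us-east-1:111122223333:environment/env-example"
DEV_ARN = "arn:aws:thinclient:us-east-1:111122223333:device/device-example"
CONTEXT_KEY = "aws:thinclient:arn"
THIN_CLIENT = "thinclient.amazonaws.com"


def _record(event_name, arn=None, error=None, invoked_by=THIN_CLIENT):
    """One constructed CloudTrail record in the shape of a KMS data-plane event."""
    params = {"keyId": KEY_ARN}
    if arn is not None:
        params["encryptionContext"] = {CONTEXT_KEY: arn}
    rec = {"eventSource": "kms.amazonaws.com", "eventName": event_name,
           "userIdentity": {"type": "AWSService", "invokedBy": invoked_by},
           "requestParameters": params, "resources": [{"ARN": KEY_ARN}]}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_TRAIL = json.dumps({"Records": [
    _record("DescribeKey"),                               # key validation, no encryption context
    _record("GenerateDataKey", ENV_ARN),
    _record("Decrypt", ENV_ARN),
    _record("Decrypt", DEV_ARN),                          # device inherits the Environment's key
    _record("Decrypt", ENV_ARN, error="AccessDenied"),    # after the service statement was removed
    _record("Decrypt", ENV_ARN, invoked_by="other.amazonaws.com"),  # placeholder other caller, ignored
]})


def summarize_thin_client_kms_usage(trail_json, key_arn):
    """Group the service's KMS calls on key_arn by the ARN in the encryption context.

    Returns {"by_resource": {thinclient_arn: {eventName: count}},
             "denied": [(eventName, thinclient_arn, errorCode)],
             "no_context": [eventName]}.
    """
    by_resource = defaultdict(Counter)
    denied, no_context = [], []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("userIdentity", {}).get("invokedBy") != THIN_CLIENT:
            continue
        if not any(r.get("ARN") == key_arn for r in rec.get("resources", [])):
            continue
        name = rec["eventName"]
        arn = rec.get("requestParameters", {}).get("encryptionContext", {}).get(CONTEXT_KEY)
        if "errorCode" in rec:
            denied.append((name, arn, rec["errorCode"]))
        elif arn is None:
            no_context.append(name)
        else:
            by_resource[arn][name] += 1
    return {"by_resource": {k: dict(v) for k, v in by_resource.items()},
            "denied": denied, "no_context": no_context}


def resource_type(thinclient_arn):
    """'environment' or 'device', taken from the resource part of a Thin Client ARN."""
    return thinclient_arn.rsplit(":", 1)[1].split("/", 1)[0]
```

A non-empty "denied" list for the service principal is the signal to alert on: it means an Environment or Device can no longer be served, whether because the key policy was changed, the key was disabled, or it was scheduled for deletion.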
Learn More
The following resources provide more information about data encryption at rest:
For more information about AWS Key Management Service basic concepts, see the AWS Key Management Service Developer Guide.
For more information about Security best practices for AWS Key Management Service, see the AWS Key Management Service Developer Guide.