# Tags shared by every WorkSpaces control in this file: the mod-wide
# compliance tags (local.aws_compliance_common_tags, defined outside this file)
# with a `service` key added for AWS/WorkSpaces.
locals {
  conformance_pack_workspaces_common_tags = merge(
    local.aws_compliance_common_tags,
    {
      service = "AWS/WorkSpaces"
    }
  )
}
# Control: data-at-rest protection for WorkSpaces volumes.
# It delegates to the query of the same name and raises an alarm for any
# WorkSpace where the root volume, the user volume, or both are unencrypted.
control "workspaces_workspace_volume_encryption_enabled" {
  title       = "WorkSpaces root and user volume encryption should be enabled"
  description = "To help protect data at rest, ensure encryption is enabled for your WorkSpaces root and user volumes."
  tags        = local.conformance_pack_workspaces_common_tags
  query       = query.workspaces_workspace_volume_encryption_enabled
}
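# Reports, per row of aws_workspaces_workspace, whether both the root and the
# user volume are encrypted at rest.
#
# Columns returned:
#   resource - the WorkSpace ARN
#   status   - 'ok' only when both encryption flags are true, otherwise 'alarm'
#   reason   - human-readable text naming which volume(s) lack encryption
#   plus the dimensions injected from local.tag_dimensions_sql and
#   local.common_dimensions_sql (both defined outside this file).
#
# The reason branches test the positive flags so that a NULL flag is treated
# as "not enabled" for that specific volume. The earlier nested form used
# `not <flag>`, which evaluates to NULL for a NULL flag and fell through to
# the "user volume encryption disabled" text even when the user volume was
# encrypted and the root flag was the one missing.
#
# NOTE(review): only the two boolean flags are evaluated. Which KMS key
# protects the volumes (AWS managed vs. customer managed) is not checked here;
# cover that in a separate control if key ownership matters to your policy.
query "workspaces_workspace_volume_encryption_enabled" {
  sql = <<-EOQ
    select
      arn as resource,
      case
        when user_volume_encryption_enabled and root_volume_encryption_enabled then 'ok'
        else 'alarm'
      end as status,
      case
        when user_volume_encryption_enabled and root_volume_encryption_enabled then title || ' user and root volume encryption enabled.'
        when user_volume_encryption_enabled then title || ' root volume encryption disabled.'
        when root_volume_encryption_enabled then title || ' user volume encryption disabled.'
        else title || ' user and root volume encryption disabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      aws_workspaces_workspace;
  EOQ
}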