AWS Security ChangesHomeSearch

AWS workspaces-core medium security documentation change

Service: workspaces-core · 2025-06-25 · Security-related medium

File: workspaces-core/latest/pg/shared-model.md

Summary

Clarified responsibility boundaries for Amazon WorkSpaces Core bundles vs Managed Instances, including encryption requirements and OS update responsibilities

Security assessment

The change explicitly shifts responsibility for encryption at rest and EBS volume encryption to customers for managed instances, emphasizing security requirements. It adds new documentation about mandatory encrypted EBS volumes for managed instances, which directly relates to data protection security controls.

Diff

diff --git a/workspaces-core/latest/pg/shared-model.md b/workspaces-core/latest/pg/shared-model.md
index ab9e5e19a..dfdf72782 100644
--- a//workspaces-core/latest/pg/shared-model.md
+++ b//workspaces-core/latest/pg/shared-model.md
@@ -30 +30 @@ The following responsibilities are shared between your company and Amazon WorkSp
-  * Amazon WorkSpaces image import.
+  * Amazon WorkSpaces image management for Amazon WorkSpaces Core bundles. However, customers are responsible for image managed for Amazon WorkSpaces Core Managed Instances.
@@ -43 +43 @@ The following responsibilities belong to Amazon WorkSpaces Core:
-  * Encryption at rest (which must be enabled). For more information, see [Encrypted WorkSpaces](https://docs.aws.amazon.com/workspaces/latest/adminguide/encrypt-workspaces.html) in the _Amazon WorkSpaces Administration Guide_.
+  * Encryption at rest (which must be enabled) for Amazon WorkSpaces Core bundles. For more information, see [Encrypted WorkSpaces](https://docs.aws.amazon.com/workspaces/latest/adminguide/encrypt-workspaces.html) in the _Amazon WorkSpaces Administration Guide_.
@@ -45 +45 @@ The following responsibilities belong to Amazon WorkSpaces Core:
-  * Resilience in Amazon WorkSpaces Core (except for cross-Region redirection).
+  * Resilience in Amazon WorkSpaces Core bundles (except for cross-Region redirection).
@@ -53 +53 @@ The following responsibilities belong to Amazon WorkSpaces Core:
-  * Windows operating system (OS) updates and security patches.
+  * Windows operating system (OS) updates and security patches for WorkSpaces Core bundles.
@@ -72 +72,3 @@ The following responsibilities belong to your company:
-  * AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
+  * Customers are responsible for Windows OS updates and security patches for WorkSpaces Core Managed Instances.
+
+  * Customers must provision and attach encrypted Amazon EBS volumes for Amazon WorkSpaces Core managed instances. For more information, refer to Encryption at Rest for EBS Storage. For more information, see [Data Protection in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-rest).
@@ -81,3 +83 @@ The following images show the shared responsibility model and shared responsibil
-![Shared responsibility model](/images/workspaces-core/latest/pg/images/shared1.png)
-
-![Shared responsibility with AWS and your partner](/images/workspaces-core/latest/pg/images/shared2.png)
+![Shared responsibility model](/images/workspaces-core/latest/pg/images/shared-core.png)