Control: 4.1.2 Ensure Object Storage Buckets are encrypted with a Customer Managed Key
Description
Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle-managed key. Encrypting storage buckets with your own key adds a further layer of control over your data, since management of the encryption keys is critical to protecting and accessing it. Some customers want to identify storage buckets encrypted with Oracle-managed keys in order to apply their own key lifecycle management to the bucket.
Remediation
From Console
- Login to OCI Console.
- Select Object Storage from the Services menu.
- Select Object Storage from the Object Storage menu.
- Click on an individual bucket under the Name heading.
- Click Assign next to Encryption Key: Oracle managed key.
- Select a Vault.
- Select a Master Encryption Key.
- Click Assign.
From Command Line
Execute the following command:
oci os bucket update --bucket-name <bucket-name> --kms-key-id <master-encryption-key-id>
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v120_4_1_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v120_4_1_2 --share
SQL
This control uses a named query:
select
  a.id as resource,
  case
    when kms_key_id is not null and kms_key_id <> '' then 'ok'
    else 'alarm'
  end as status,
  case
    when kms_key_id is not null and kms_key_id <> '' then a.title || ' encrypted with CMK.'
    else a.title || ' not encrypted with CMK.'
  end as reason,
  a.region as region,
  a.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_objectstorage_bucket as a
  left join oci_identity_compartment as c on c.id = a.compartment_id;
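The same evaluation carried out in plain Python over constructed bucket and compartment rows, as an added example that is not part of the oci_compliance mod: it mirrors the query's null-or-empty test for kms_key_id and the coalesce-to-root fallback for buckets whose compartment has no matching row. The OCIDs and names are placeholders.

```python
from typing import Dict, List, Optional, TypedDict


class Bucket(TypedDict):
    id: str
    title: str
    region: str
    tenant_name: str
    compartment_id: Optional[str]
    kms_key_id: Optional[str]


# Constructed sample rows standing in for oci_identity_compartment
# (compartment id -> name). Placeholder OCIDs, not real tenancy data.
SAMPLE_COMPARTMENTS: Dict[str, Optional[str]] = {
    "ocid1.compartment.oc1..PLACEHOLDER_PROD": "prod",
    "ocid1.compartment.oc1..PLACEHOLDER_UNNAMED": None,  # name is NULL
}

# Constructed sample rows standing in for oci_objectstorage_bucket.
SAMPLE_BUCKETS: List[Bucket] = [
    {"id": "ocid1.bucket.oc1..PLACEHOLDER_1", "title": "logs", "region": "us-ashburn-1",
     "tenant_name": "example", "compartment_id": "ocid1.compartment.oc1..PLACEHOLDER_PROD",
     "kms_key_id": "ocid1.key.oc1..PLACEHOLDER_KEY"},           # CMK assigned -> ok
    {"id": "ocid1.bucket.oc1..PLACEHOLDER_2", "title": "backups", "region": "us-ashburn-1",
     "tenant_name": "example", "compartment_id": "ocid1.compartment.oc1..PLACEHOLDER_UNNAMED",
     "kms_key_id": None},                                       # Oracle-managed key -> alarm
    {"id": "ocid1.bucket.oc1..PLACEHOLDER_3", "title": "scratch", "region": "eu-frankfurt-1",
     "tenant_name": "example", "compartment_id": "ocid1.compartment.oc1..PLACEHOLDER_ROOTLESS",
     "kms_key_id": ""},                                         # empty string -> alarm
]


def uses_cmk(kms_key_id: Optional[str]) -> bool:
    """Equivalent of: kms_key_id is not null and kms_key_id <> ''."""
    return kms_key_id is not None and kms_key_id != ""


def evaluate_bucket(bucket: Bucket, compartments: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Build one result row with the same columns the control's query emits."""
    encrypted = uses_cmk(bucket["kms_key_id"])
    # left join + coalesce(c.name, 'root'): no matching compartment row, or a
    # compartment whose name is NULL, both report as 'root'.
    compartment = compartments.get(bucket["compartment_id"] or "") or "root"
    return {
        "resource": bucket["id"],
        "status": "ok" if encrypted else "alarm",
        "reason": f"{bucket['title']} {'encrypted' if encrypted else 'not encrypted'} with CMK.",
        "region": bucket["region"],
        "tenant": bucket["tenant_name"],
        "compartment": compartment,
    }


def run_control(buckets: List[Bucket], compartments: Dict[str, Optional[str]]) -> List[Dict[str, str]]:
    return [evaluate_bucket(b, compartments) for b in buckets]
```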