Control: 5.2.1 Ensure Block Volumes are encrypted with Customer Managed Keys (CMK)
Description
Oracle Cloud Infrastructure Block Volume service lets you dynamically provision and manage block storage volumes. By default, the Oracle service manages the keys that encrypt block volumes. Block Volumes can also be encrypted using a customer managed key.
Terminated Block Volumes cannot be recovered and any data on a terminated volume is permanently lost. However, Block Volumes can exist in a terminated state within the OCI Portal and CLI for some time after deleting. As such, any Block Volumes in this state should not be considered when assessing this policy.
Encryption of block volumes provides an additional level of security for your data. Management of encryption keys is critical to protecting and accessing protected data. Customers should identify block volumes encrypted with Oracle service managed keys in order to determine if they want to manage the keys for certain volumes and then apply their own key lifecycle management to the selected block volumes.
Remediation
From Console
- Follow the audit procedure above.
- For each block volume returned, click the link under Display name.
- If the value for Encryption Key is Oracle-managed key, click Assign next to Oracle-managed key.
- Select a Vault Compartment and Vault.
- Select a Master Encryption Key Compartment and Master Encryption key.
- Click Assign.
From CLI
- Follow the audit procedure.
- For each boot volume identified, get the OCID.
- Execute the following command:

```shell
oci bv volume-kms-key update --volume-id <volume OCID> --kms-key-id <kms key OCID>
```
Usage
Run the control in your terminal:
```shell
powerpipe control run oci_compliance.control.cis_v200_5_2_1
```

Snapshot and share results via Turbot Pipes:

```shell
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_5_2_1 --share
```

SQL
This control uses a named query:
```sql
select
  v.id as resource,
  case
    when kms_key_id is not null and kms_key_id <> '' then 'ok'
    else 'alarm'
  end as status,
  case
    when kms_key_id is not null and kms_key_id <> '' then v.title || ' encrypted with CMK.'
    else v.title || ' not encrypted with CMK.'
  end as reason,
  v.region as region,
  v.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_core_volume as v
  left join oci_identity_compartment as c on c.id = v.compartment_id;
```
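The query above flags a volume whenever `kms_key_id` is null or empty, but the Description notes that volumes lingering in a terminated state should not be counted. The following is an added example, not part of the mod, that runs the control's logic over constructed rows in an in-memory SQLite database, extends it with a `lifecycle_state <> 'TERMINATED'` filter (the column name is assumed to match the Steampipe table), and builds the Remediation section's CLI command for each alarmed volume.

```python
import sqlite3

# Constructed sample rows standing in for the oci_core_volume and
# oci_identity_compartment tables; OCIDs are placeholders, not real resources.
VOLUMES = [
    ("ocid1.volume.oc1..EXAMPLE1", "vol-payroll", "ocid1.compartment.oc1..EXAMPLEC", "us-ashburn-1",
     "tenant-a", "ocid1.key.oc1..EXAMPLEK", "AVAILABLE"),          # CMK assigned -> ok
    ("ocid1.volume.oc1..EXAMPLE2", "vol-logs", "ocid1.compartment.oc1..EXAMPLEC", "us-ashburn-1",
     "tenant-a", None, "AVAILABLE"),                               # Oracle-managed key -> alarm
    ("ocid1.volume.oc1..EXAMPLE3", "vol-scratch", None, "us-phoenix-1",
     "tenant-a", "", "AVAILABLE"),                                 # empty key, no compartment -> alarm, 'root'
    ("ocid1.volume.oc1..EXAMPLE4", "vol-old", "ocid1.compartment.oc1..EXAMPLEC", "us-ashburn-1",
     "tenant-a", None, "TERMINATED"),                              # terminated -> excluded
]
COMPARTMENTS = [("ocid1.compartment.oc1..EXAMPLEC", "prod")]

# The control's query, plus a lifecycle filter (assumed column name: lifecycle_state).
QUERY = """
select v.id as resource,
  case when v.kms_key_id is not null and v.kms_key_id <> '' then 'ok' else 'alarm' end as status,
  case when v.kms_key_id is not null and v.kms_key_id <> ''
       then v.title || ' encrypted with CMK.'
       else v.title || ' not encrypted with CMK.' end as reason,
  v.region as region, v.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from oci_core_volume as v
left join oci_identity_compartment as c on c.id = v.compartment_id
where v.lifecycle_state <> 'TERMINATED'
order by v.id;
"""

def assess(volumes=VOLUMES, compartments=COMPARTMENTS):
    """Run the control query in memory; return {resource: (status, reason, compartment)}."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table oci_core_volume "
                 "(id, title, compartment_id, region, tenant_name, kms_key_id, lifecycle_state)")
    conn.execute("create table oci_identity_compartment (id, name)")
    conn.executemany("insert into oci_core_volume values (?,?,?,?,?,?,?)", volumes)
    conn.executemany("insert into oci_identity_compartment values (?,?)", compartments)
    rows = conn.execute(QUERY).fetchall()
    return {r[0]: (r[1], r[2], r[5]) for r in rows}

def remediation_commands(results, kms_key_ocid):
    """Build the CLI command from the Remediation section for every alarmed volume."""
    return [f"oci bv volume-kms-key update --volume-id {vid} --kms-key-id {kms_key_ocid}"
            for vid, (status, _, _) in sorted(results.items()) if status == "alarm"]

if __name__ == "__main__":
    res = assess()
    for vid, (status, reason, comp) in res.items():
        print(f"{status:5} {comp:5} {reason}")
    print("\n".join(remediation_commands(res, "<kms key OCID>")))
```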