v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/alicloud_compliance
Overview
1Dashboards
78Controls
40Queries
2Variables
GitHub

Control: 5.9 Ensure server-side encryption is set to 'Encrypt with BYOK'

Description

Enable server-side encryption (Encrypt with Service Key) for objects.

Remediation

From Console

Perform the following to configure the OSS bucket to use SSE-KMS:

  1. Logon to OSS console.
  2. In the bucket-list pane, click on the target OSS bucket.
  3. Click Basic Setting in top middle of the console.
  4. Under the Server-side Encryption section, click on Configure.
  5. Click KMS and select KMS service key(alias/acs/oss).

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_5_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_5_9 --share

SQL

This control uses a named query:

oss_bucket_encrypted_with_byok

Tags

category = Compliance
cis = true
cis_item_id = 5.9
cis_level = 2
cis_section_id = 5
cis_type = manual
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/OSS