Control: 2.1.1.1 Ensure Cloud Object Storage encryption is done with customer managed keys
Description
Users can store objects in IBM Cloud Object Storage buckets by providing their own encryption keys which get applied at a per object level.
Remediation
Using API/CLI
Use of Server-Side Encryption with Customer-Provided Keys (SSE-C) can be validated by the following steps:
Note: Ensure that you have completed the configuration setup to use the CLI by following the guidelines on the Using the AWS CLI page.
- Review the metadata of the object that is encrypted using the customer-provided key. The operation can be performed using an API call or via a command-line interface. Here is an example call to get the object metadata:
aws --endpoint https://s3.private.au-syd.cloud-objectstorage.appdomain.cloud s3api head-object --bucket <bucket-name> --key <object-name> --sse-customer-algorithm=AES256 --sse-customer-key=<customer-key-used-to-encrypt-the-object>
- The presence of the SSECustomerKeyMD5 and SSECustomerAlgorithm headers in the API/CLI response confirms that the object is encrypted with the customer-provided key. A response that reports only ServerSideEncryption (without the SSECustomer* headers) indicates provider-managed encryption, not SSE-C.
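The check above can be automated once the head-object response is captured. The following POSIX shell snippet is an added example, not part of the benchmark or the Powerpipe mod: it inspects a head-object JSON response for the two SSE-C markers the control names and distinguishes them from a response that only reports provider-managed encryption. Both JSON responses are constructed samples, including the placeholder key MD5 value.

```shell
#!/bin/sh
# Added example (not from the benchmark page): confirm SSE-C from the JSON
# returned by `aws s3api head-object`. The responses below are constructed.

# sse_c_confirmed RESPONSE_JSON
# Returns 0 when the response carries SSECustomerAlgorithm=AES256 together with
# a base64-looking SSECustomerKeyMD5, 1 otherwise. Plain grep keeps the check
# free of a jq dependency.
sse_c_confirmed() {
  response="$1"
  printf '%s\n' "$response" | grep -q '"SSECustomerAlgorithm": *"AES256"' || return 1
  printf '%s\n' "$response" | grep -Eq '"SSECustomerKeyMD5": *"[A-Za-z0-9+/]+={0,2}"' || return 1
  return 0
}

# Constructed response for an object written with a customer-provided key.
# The MD5 value is a placeholder, not a real key digest.
SSEC_RESPONSE='{
    "AcceptRanges": "bytes",
    "ContentLength": 1024,
    "ETag": "\"placeholder-etag\"",
    "ContentType": "application/octet-stream",
    "SSECustomerAlgorithm": "AES256",
    "SSECustomerKeyMD5": "AAAAAAAAAAAAAAAAAAAAAA=="
}'

# Constructed response for an object protected only by provider-managed
# server-side encryption: no SSECustomer* headers are present.
PROVIDER_RESPONSE='{
    "AcceptRanges": "bytes",
    "ContentLength": 1024,
    "ETag": "\"placeholder-etag\"",
    "ContentType": "application/octet-stream",
    "ServerSideEncryption": "AES256"
}'

# Stand-alone usage: report the result for each constructed response.
for name in SSEC_RESPONSE PROVIDER_RESPONSE; do
  eval "body=\$$name"
  if sse_c_confirmed "$body"; then
    echo "$name: SSE-C confirmed"
  else
    echo "$name: not encrypted with a customer-provided key"
  fi
done
```

In practice the response body comes from the head-object call shown above; because the call itself requires the customer key, a successful response with both headers is the evidence the control asks for, while a plain ServerSideEncryption field alone is not.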
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_2_1_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_2_1_1_1 --share
SQL
This control uses a named query:
object_storage_bucket_with_cmk