turbot/ibm_compliance

Control: 2.1.1.3 Ensure Cloud Object Storage Encryption is set to On with KYOK

Description

You can use IBM Cloud encryption key management services, for example Hyper Protect Crypto Services, to keep and manage exclusive control over the root keys used to add envelope encryption for data that is stored in IBM Cloud Object Storage buckets.

Remediation

You will not be able to add Hyper Protect Crypto Services as the key management service once data has already been written to a Cloud Object Storage bucket. To ensure that objects are encrypted with Hyper Protect Crypto Services root keys, create a new Cloud Object Storage bucket, configure it to use Hyper Protect Crypto Services as its key management service, and then upload or copy the existing objects into the new bucket.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_2_1_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_2_1_1_3 --share

SQL

This control uses a named query:

object_storage_bucket_with_key_protect_enabled
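The body of the mod's named query is not reproduced here. As an added, stand-alone illustration (not the mod's own code) of what such a check has to decide, the Python below classifies bucket records by the key-management service named in their root key CRN: a root key from Hyper Protect Crypto Services (CRN service name `hs-crypto`) satisfies the KYOK requirement in the Description, while a Key Protect key (service name `kms`) is BYOK and does not. The bucket records are constructed, and the field names `sse_kp_enabled` and `sse_kp_customer_root_key_crn` are assumptions about what a bucket description exposes, not columns taken from the mod.

```python
"""Classify IBM Cloud Object Storage buckets by key-management model.

Added example, not part of the turbot/ibm_compliance mod. The bucket
records below are constructed; the field names (sse_kp_enabled,
sse_kp_customer_root_key_crn) are assumptions about what a bucket
description exposes, not the mod's named query.
"""

# CRN layout:
# crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource
CRN_FIELDS = 10

# Service names as they appear in IBM Cloud CRNs.
HPCS_SERVICE = "hs-crypto"   # Hyper Protect Crypto Services: customer keeps exclusive control (KYOK)
KEY_PROTECT_SERVICE = "kms"  # Key Protect: customer-managed root keys in an IBM-operated HSM (BYOK)


def kms_service_from_crn(crn):
    """Return the service-name field of a CRN, or None if the CRN is malformed."""
    if not isinstance(crn, str):
        return None
    parts = crn.split(":")
    if len(parts) != CRN_FIELDS or parts[0] != "crn":
        return None
    return parts[4] or None


def evaluate_bucket(bucket):
    """Return (status, reason) for one bucket record.

    status follows Powerpipe conventions: "ok" when the bucket's root key
    comes from Hyper Protect Crypto Services, otherwise "alarm".
    """
    name = bucket.get("name", "<unnamed>")
    if not bucket.get("sse_kp_enabled"):
        return "alarm", f"{name} uses provider-managed keys only (no customer root key)"
    service = kms_service_from_crn(bucket.get("sse_kp_customer_root_key_crn"))
    if service is None:
        return "alarm", f"{name} has an unparseable root key CRN"
    if service == HPCS_SERVICE:
        return "ok", f"{name} is encrypted with a Hyper Protect Crypto Services root key (KYOK)"
    if service == KEY_PROTECT_SERVICE:
        return "alarm", f"{name} uses a Key Protect root key (BYOK, not KYOK)"
    return "alarm", f"{name} uses an unrecognised key service '{service}'"


def evaluate_buckets(buckets):
    """Evaluate every bucket and return a dict of name -> (status, reason)."""
    return {b.get("name", "<unnamed>"): evaluate_bucket(b) for b in buckets}


# Constructed sample records; ACCOUNT_ID, INSTANCE_ID and KEY_ID are placeholders.
SAMPLE_BUCKETS = [
    {
        "name": "payroll-archive",
        "sse_kp_enabled": True,
        "sse_kp_customer_root_key_crn":
            "crn:v1:bluemix:public:hs-crypto:us-south:a/ACCOUNT_ID:INSTANCE_ID:key:KEY_ID",
    },
    {
        "name": "app-logs",
        "sse_kp_enabled": True,
        "sse_kp_customer_root_key_crn":
            "crn:v1:bluemix:public:kms:us-south:a/ACCOUNT_ID:INSTANCE_ID:key:KEY_ID",
    },
    {
        "name": "static-site",
        "sse_kp_enabled": False,
        "sse_kp_customer_root_key_crn": None,
    },
    {
        "name": "broken-metadata",
        "sse_kp_enabled": True,
        "sse_kp_customer_root_key_crn": "not-a-crn",
    },
]

if __name__ == "__main__":
    for name, (status, reason) in evaluate_buckets(SAMPLE_BUCKETS).items():
        print(f"{status:5} {reason}")
```

Only the `payroll-archive` record passes: a bucket with no customer root key, a Key Protect key, or a CRN that cannot be parsed all raise an alarm, which mirrors the Remediation note that the fix is a new bucket created with Hyper Protect Crypto Services rather than a setting changed in place.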

Tags