turbot/ibm_compliance

Control: 2.2.1.1 Ensure Block Storage is encrypted with customer managed keys

Description

Users can store objects in IBM Cloud Object Storage buckets by providing their own encryption keys which get applied at a per object level.

Remediation

Using API/CLI

Use of Server-Side Encryption with Customer-Provided Keys (SSE-C) can be validated by the following steps:

Note: Ensure that you have completed the configuration setup to use the CLI by following the guidelines on the Using the AWS CLI page

  1. Review the metadata of the object that is encrypted using the customer-provided key. The operation can be performed using an API call or via a command-line interface. Here is an example call to get the object metadata:
aws --endpoint https://s3.private.au-syd.cloud-objectstorage.appdomain.cloud s3api head-object --bucket <bucket-name> --key
<object-name> --sse-customer-algorithm=AES256 --sse-customerkey=<customer-key-used-to encrypt-the-object>
  1. The presence of the object headers SSECustomerKeyMD5 and SSECustomerAlgorithm from the API/CLI response should confirm that the object is encrypted using the key.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_2_2_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_2_2_1_1 --share

SQL

This control uses a named query:

manual_control

Tags