v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/ibm_compliance
Overview
1Dashboards
67Controls
20Queries
0Variables
GitHub

Control: 2.2.3 Ensure 'Data disks' are encrypted with customer managed keys

Description

By default, IBM Cloud Block Storage provides provider-managed encryption for all data. For enhanced security, customers can bring their own encryption keys and manage them through IBM Key Management Services – Key Protect or Hyper Protect Crypto Services (HPCS). Provider-managed encryption is turned on by default and cannot be turned off.

Remediation

You will not be able to change encryption option once data is already written to a Cloud Block Storage Volume. In order to ensure that objects are encrypted using customer managed keys you will need to create a new Cloud Block Storage volume, set it to use either Key Protect or Hyper Protect key management service and then upload/copy the existing objects to this new volume.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_2_2_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_2_2_3 --share

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 2.2.3
cis_level = 2
cis_section_id = 2.2
cis_type = manual
cis_version = v1.0.0
plugin = ibm
service = IBM/BlockStorage