🚀Launch Week 04, May 13th - 17th, 2024!🚀
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub
Loading controls...

Control: 3.16 Ensure customer created Customer Managed Key (CMK) is rotated at least annually

Description

Oracle Cloud Infrastructure Vault securely stores master encryption keys that protect your your encrypted data. You can use the Vault service to rotate keys to generate new cryptographic material. Periodically rotating keys limits the amount of data encrypted by one key version.

Remediation

From Console

  1. Login to OCI Console.
  2. Select Security from the Services menu.
  3. Select Vault from the Security menu.
  4. Click on the individual Vault under the Name heading.
  5. Click on the menu next to the time created.
  6. Click Rotate Key.

From Command Line

  1. Execute the following:
oci kms management key rotate --key-id <target_key_id> --endpoint <control_plane_url>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_3_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_3_16 --share

SQL

This control uses a named query:

kms_cmk_rotation_365

Tags

category = Compliance
cis = true
cis_item_id = 3.16
cis_level = 1
cis_section_id = 3
cis_type = manual
cis_version = v1.1.0
plugin = oci
service = OCI/KMS