v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub

Control: 4.1.2 Ensure Object Storage Buckets are encrypted with a Customer Managed Key

Description

Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle managed key. Encryption of storage buckets provides an additional level of security on your data. Management of encryption keys is critical to protecting and accessing protected data. Some customers want to identify storage buckets encrypted Oracle-managed keys in order to apply their own key lifecycle management to the bucket.

Remediation

From Console

  1. Login to OCI Console.
  2. Select Object Storage from the Services menu.
  3. Select Object Storage from the Object Storage menu.
  4. Click on an individual bucket under the Name heading.
  5. Click Assign next to Encryption Key: Oracle managed key.
  6. Select a Vault.
  7. Select a Master Encryption Key.
  8. Click Assign.

From Command Line

Execute the following command:

oci os bucket update --bucket-name <bucket-name> --kms-key-id <masterencryption-key-id>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_4_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_4_1_2 --share

SQL

This control uses a named query:

objectstorage_bucket_cmk_encryption_enabled

Tags

category = Compliance
cis = true
cis_item_id = 4.1.2
cis_level = 1
cis_section_id = 4.1
cis_type = manual
cis_version = v1.2.0
plugin = oci
service = OCI/ObjectStorage