Control: 4.2.1 Ensure Block Volumes are encrypted with Customer Managed Keys (CMK)

Description

Oracle Cloud Infrastructure Block Volume service lets you dynamically provision and manage block storage volumes. By default, the Oracle service manages the keys that encrypt this block volume. Block Volumes can also be encrypted using a customer managed key.

Remediation

From Console

1. Login into the OCI Console.
2. Click in the search bar, top of the screen.
3. Type Advanced Resource Query and click enter.
4. Click the Advanced Resource Query button in the upper right of the screen.
5. Enter the following query in the query box:

query volume resources

6. For each block volume returned click on the link under Display name.
7. Ensure Encryption Key does not say Oracle managed key.
8. Repeat for other subscribed regions.
9. For each Block Volume in the returned results, click the Block Volume name.
10. Click Assign next to Encryption Key.
11. Select the Vault Compartment and Vault.
12. Select the Master Encryption Key Compartment and Master Encryption key.
13. Click Assign.

From Command Line

Execute the following command:

for region in `oci iam region list | jq -r '.data[] | .name'`;
  do
  for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`
    do
    for bvid in `oci bv volume list --compartment-id $compid --region $region 2>/dev/null | jq -r '.data[] | select(."kms-key-id" == null).id'`
        do
        output=`oci bv volume get --volume-id $bvid --region $region --query=data.{"name:\"display-name\","id:id""} --output table 2>/dev/null`
        if [ ! -z "$output" ]; then echo $output; fi
        done
    done
  done

2. Ensure query returns no results,

3. For each boot volume identified get its OCID. Execute the following command.

oci bv volume-kms-key update –volume-id <volume OCID> --kms-key-id <kms key OCID>