turbot/oci_compliance

Control: 4.3.1 Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK)

Description

Oracle Cloud Infrastructure File Storage service (FSS) provides a durable, scalable, secure, enterprise-grade network file system. By default, the Oracle service manages the keys that encrypt FSS file systems. FSS file systems can also be encrypted using a customer managed key.

Remediation

From Console

  1. Log in to the OCI Console.
  2. Click in the search bar at the top of the screen.
  3. Type Advanced Resource Query and press Enter.
  4. Click the Advanced Resource Query button in the upper right of the screen.
  5. Enter the following query in the query box:
      query filesystem resources
  6. For each file storage system returned, click the link under Display name.
  7. Ensure Encryption Key does not say Oracle-managed key.
  8. Repeat for other subscribed regions.
  9. For each File Storage System in the returned results, click the File System Storage.
  10. Click Edit next to Encryption Key.
  11. Select Encrypt using customer-managed keys.
  12. Select the Vault Compartment and Vault.
  13. Select the Master Encryption Key Compartment and Master Encryption key.
  14. Click Save Changes.

From Command Line

  1. Execute the following command:
# List every file system in every subscribed region whose encryption key
# is not a customer-managed key (an empty or missing kms-key-id means the
# file system is encrypted with an Oracle-managed key).
for region in $(oci iam region list | jq -r '.data[] | .name'); do
  for fssid in $(oci search resource structured-search --region "$region" --query-text "query filesystem resources" 2>/dev/null | jq -r '.data.items[] | .identifier'); do
    # treat a null key id the same as an empty one
    output=$(oci fs file-system get --file-system-id "$fssid" --region "$region" 2>/dev/null | jq -r '.data | select((."kms-key-id" // "") == "") | .id')
    if [ -n "$output" ]; then echo "$output"; fi
  done
done
  2. Ensure the query returns no results.
  3. For each File Storage System identified, get its OCID and execute the following command:
# file systems are updated with the fs subcommand (bv manages block volumes)
oci fs file-system update --file-system-id <file system OCID> --kms-key-id <kms key OCID>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_4_3_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_4_3_1 --share

SQL

This control uses a named query:

filestorage_filesystem_cmk_encryption_enabled
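As an added illustration of what that named query evaluates (this is not the mod's own query text), a Steampipe query in the shape Powerpipe expects from a control, assuming the oci plugin's oci_file_storage_file_system table and its kms_key_id and lifecycle_state columns:

```sql
-- Added example, not the oci_compliance mod's own named query.
-- Assumes the Steampipe oci plugin table oci_file_storage_file_system
-- with columns id, display_name, kms_key_id, lifecycle_state, region
-- and compartment_id.
-- A null or empty kms_key_id means the file system is encrypted with
-- an Oracle-managed key, which this control reports as an alarm.
select
  f.id as resource,
  case
    when f.kms_key_id is null or f.kms_key_id = '' then 'alarm'
    else 'ok'
  end as status,
  case
    when f.kms_key_id is null or f.kms_key_id = ''
      then f.display_name || ' is encrypted with an Oracle-managed key.'
    else f.display_name || ' is encrypted with customer-managed key '
      || f.kms_key_id || '.'
  end as reason,
  f.region,
  f.compartment_id
from
  oci_file_storage_file_system as f
where
  -- deleted file systems cannot be remediated, so leave them out
  f.lifecycle_state <> 'DELETED';
```

Any row with status 'alarm' corresponds to a file system the command-line loop above would print, and is the one to remediate with the update command.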

Tags