v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub

Control: 5.1.2 Ensure Object Storage Buckets are encrypted with a Customer Managed Key

Description

Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle managed key.

Encryption of Object Storage buckets with a Customer Managed Key (CMK) provides an additional level of security on your data by allowing you to manage your own encryption key lifecycle management for the bucket.

Remediation

From Console

  1. Go to https://cloud.oracle.com/object-storage/buckets.
  2. Click on an individual bucket under the Name heading.
  3. Click Assign next to Encryption Key: Oracle managed key.
  4. Select a Vault.
  5. Select a Master Encryption Key.
  6. Click Assign.

From CLI

  1. Execute the following command:
oci os bucket update --bucket-name <bucket-name> --kms-key-id <master-encryption-key-id>

Default Value

Oracle Managed Key for Encryption.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_5_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_5_1_2 --share

SQL

This control uses a named query:

objectstorage_bucket_cmk_encryption_enabled

Tags

category = Compliance
cis = true
cis_item_id = 5.1.2
cis_level = 2
cis_section_id = 5.1
cis_type = automated
cis_version = v2.0.0
plugin = oci
service = OCI/ObjectStorage