turbot/steampipe-mod-alicloud-compliance

Control: 5.8 Ensure server-side encryption is set to 'Encrypt with Service Key'

Description

Enable default server-side encryption on each OSS bucket using the OSS KMS service key (the console option 'Encrypt with Service Key'), so that every object written to the bucket is encrypted with SSE-KMS.

Remediation

From Console

Perform the following to configure the OSS bucket to use SSE-KMS with the service key:

  1. Log on to the OSS console.
  2. In the bucket list, click the target OSS bucket.
  3. Click Basic Settings at the top of the console.
  4. Under the Server-side Encryption section, click Configure.
  5. Select KMS as the encryption method and choose the KMS service key (alias/acs/oss).

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_5_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_5_8 --share

SQL

This control uses a named query. A bucket is reported as ok only when its default encryption rule uses SSE-KMS and the KMS key it references was created by OSS (creator = 'Oss', which is the service key). Buckets with no default encryption rule, with SSE-OSS (AES256) or with SSE-KMS backed by a customer-managed key are all reported as alarm:

select
  -- the resource is reported as an OSS ARN without region or account
  'acs:oss:::' || b.name as resource,
  case
    when b.server_side_encryption ->> 'SSEAlgorithm' = 'KMS'
      and k.creator = 'Oss' then 'ok'
    else 'alarm'
  end as status,
  case
    when b.server_side_encryption ->> 'SSEAlgorithm' = 'KMS'
      and k.creator = 'Oss' then b.title || ' encrypted with Service Key.'
    else b.title || ' not encrypted with Service Key.'
  end as reason,
  b.account_id as account_id,
  b.region as region
from
  alicloud_oss_bucket b
  -- the service key is the KMS key OSS created on the account's behalf (creator = 'Oss');
  -- a rule that names no key, or a key outside this account/region, gets no match
  left join alicloud_kms_key k
    on b.server_side_encryption ->> 'KMSMasterKeyID' = k.key_id;
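The control collapses every failing bucket into a single alarm, which is not enough to decide what to fix first: a bucket with no default encryption at all and a bucket encrypted with SSE-KMS under a customer-managed key both show up as 'not encrypted with Service Key'. The following triage query is an added example, not part of the mod, that classifies each bucket by its actual encryption state. It uses the same `alicloud_oss_bucket` and `alicloud_kms_key` columns as the control above; the `key_state` column of `alicloud_kms_key` is an assumption, and the `SM4` algorithm value is an assumption for the SSE-OSS case. Run it with `steampipe query` against the same connection.

```sql
-- Added example (not the mod's own query): classify every OSS bucket by its
-- default server-side encryption state so control 5.8 alarms can be triaged.
-- Assumed: alicloud_kms_key.key_state exists; 'SM4' as a possible SSEAlgorithm.
with bucket_sse as (
  select
    b.name,
    b.account_id,
    b.region,
    b.server_side_encryption ->> 'SSEAlgorithm'   as sse_algorithm,
    b.server_side_encryption ->> 'KMSMasterKeyID' as kms_master_key_id,
    k.creator                                      as key_creator,
    k.key_state                                    as key_state
  from
    alicloud_oss_bucket b
    -- same join the control uses: a match only if the rule names a key
    -- that is visible in this account/region
    left join alicloud_kms_key k
      on b.server_side_encryption ->> 'KMSMasterKeyID' = k.key_id
)
select
  'acs:oss:::' || name as resource,
  case
    -- no rule at all: objects are stored unencrypted unless the client asks otherwise
    when sse_algorithm is null
      then '1 no default encryption'
    -- SSE-OSS: OSS manages the key, no KMS involvement
    when sse_algorithm in ('AES256', 'SM4')
      then '2 SSE-OSS (' || sse_algorithm || ', OSS-managed key)'
    -- the only state that passes control 5.8
    when sse_algorithm = 'KMS' and key_creator = 'Oss'
      then '5 SSE-KMS, service key (passes 5.8)'
    -- rule says KMS but records no key id, so the join can never match
    when sse_algorithm = 'KMS' and coalesce(kms_master_key_id, '') = ''
      then '3 SSE-KMS, no key id recorded in rule'
    -- key id present but not resolvable here (other account/region, or deleted)
    when sse_algorithm = 'KMS' and key_creator is null
      then '3 SSE-KMS, key ' || kms_master_key_id || ' not found in this account/region'
    -- customer-managed (BYOK or user-created) KMS key: alarmed by 5.8, but encrypted
    when sse_algorithm = 'KMS'
      then '4 SSE-KMS, customer-managed key (' || coalesce(key_state, 'state unknown') || ')'
    else '0 unexpected algorithm: ' || sse_algorithm
  end as encryption_state,
  kms_master_key_id,
  account_id,
  region
from
  bucket_sse
order by
  encryption_state,
  name;
```

The numeric prefix on `encryption_state` is only there so that `order by` lists the weakest buckets first; the unencrypted and SSE-KMS-with-unresolvable-key rows are the ones to remediate before the customer-managed-key rows, which the control also alarms on but which are already encrypted.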

Tags