Control: 2.1.1.1 Ensure Cloud Object Storage encryption is done with customer managed keys
Description
Users can store objects in IBM Cloud Object Storage buckets by providing their own encryption keys which get applied at a per object level.
Remediation
Using API/CLI
Use of Server-Side Encryption with Customer-Provided Keys (SSE-C) can be validated by the following steps:
Note: Ensure that you have completed the configuration setup to use the CLI by following the guidelines on the Using the AWS CLI page
- Review the metadata of the object that is encrypted using the customer-provided key. The operation can be performed using an API call or via a command-line interface. Here is an example call to get the object metadata:
aws --endpoint https://s3.private.au-syd.cloud-objectstorage.appdomain.cloud s3api head-object --bucket <bucket-name> --key<object-name> --sse-customer-algorithm=AES256 --sse-customerkey=<customer-key-used-to encrypt-the-object>
- The presence of the object headers SSECustomerKeyMD5 and SSECustomerAlgorithm from the API/CLI response should confirm that the object is encrypted using the key.
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_2_1_1_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run ibm_compliance.control.cis_v100_2_1_1_1 --shareSQL
This control uses a named query:
select title as resource, case when sse_kp_customer_root_key_crn != '<null>' then 'ok' else 'alarm' end as status, case when sse_kp_customer_root_key_crn != '<null>' then title || ' configured with CMK.' else title || ' not configured with CMK.' end as reason, region, acc.guid as account_idfrom ibm_cos_bucket, ibm_account as acc;