turbot/steampipe-mod-ibm-compliance

Benchmark: 7.1.1 Use a Key Management Service (KMS) provider to encrypt data in Kubernetes secrets

Description

Protect sensitive information in your IBM CloudTM Kubernetes Service cluster to ensure data integrity and to prevent your data from being exposed to unauthorized users.

Understanding Key Management Service (KMS) providers

You can protect the etcd component in your Kubernetes master and Kubernetes secrets by using a Kubernetes key management service (KMS) provider that encrypts secrets with encryption keys that you control.

Supported KMS providers

IBM Cloud Kubernetes Service supports the following KMS providers:

  1. IBM Key Protect for IBM CloudTM for public cloud or on-prem environments.
  2. Hyper Protect Crypto Services for keep your own key (KYOK) crypto unit support.

Because adding a different KMS provider requires updating the managed master default configuration, you cannot add other KMS providers to the cluster.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-ibm-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select 7.1.1 Use a Key Management Service (KMS) provider to encrypt data in Kubernetes secrets.

Run this benchmark in your terminal:

powerpipe benchmark run ibm_compliance.benchmark.cis_v100_7_1_1

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run ibm_compliance.benchmark.cis_v100_7_1_1 --share

Controls

Tags