Control: 3.3 Ensure In-transit Encryption is enabled on Compute Instance

Description

The Block Volume service provides the option to enable in-transit encryption for paravirtualized volume attachments on virtual machine (VM) instances.

All the data moving between the instance and the block volume is transferred over an internal and highly secure network. If you have specific compliance requirements related to the encryption of the data while it is moving between the instance and the block volume, you should enable the in-transit encryption option.

Remediation

From Console

Navigate to https://cloud.oracle.com/compute/instances.
Select the instance from the Audit Procedure.
Click Terminate.
Determine whether or not to permanently delete instance's attached boot volume.
Click Terminate instance.
Click on Create Instance.
Fill in the details as per requirements.
In the Boot volume section ensure Use in-transit encryption is checked.
Fill in the rest of the details as per requirements.
Click Create.

Default Value

Enabled.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_3_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_3_3 --share

SQL

This control uses a named query:

select
  i.id as resource,
  case
    when (launch_options -> 'isPvEncryptionInTransitEnabled')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when (launch_options -> 'isPvEncryptionInTransitEnabled')::bool then i.title || ' encryption in transit enabled.'
    else i.title || ' encryption in transit disabled.'
  end as reason
  
  , i.region as region, i.tenant_name as tenant
  , coalesce(c.name, 'root') as compartment
from
  oci_core_instance as i
  left join oci_identity_compartment as c on c.id = i.compartment_id;