turbot/steampipe-mod-oci-compliance

Control: 5.1.2 Ensure Object Storage Buckets are encrypted with a Customer Managed Key

Description

Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle managed key.

Encrypting Object Storage buckets with a Customer Managed Key (CMK) adds a further layer of control over your data: you own the key and manage its lifecycle (rotation, disabling, deletion) for the bucket, instead of relying on the Oracle managed key.

Remediation

From Console

  1. Go to https://cloud.oracle.com/object-storage/buckets.
  2. Click on an individual bucket under the Name heading.
  3. Click Assign next to Encryption Key: Oracle managed key.
  4. Select a Vault.
  5. Select a Master Encryption Key.
  6. Click Assign.

From CLI

  1. Execute the following command:

     oci os bucket update --bucket-name <bucket-name> --kms-key-id <master-encryption-key-id>

Default Value

Oracle Managed Key for Encryption.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_5_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_5_1_2 --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    when kms_key_id is not null and kms_key_id <> '' then 'ok'
    else 'alarm'
  end as status,
  case
    when kms_key_id is not null and kms_key_id <> '' then a.title || ' encrypted with CMK.'
    else a.title || ' not encrypted with CMK.'
  end as reason,
  a.region as region,
  a.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_objectstorage_bucket as a
  left join oci_identity_compartment as c on c.id = a.compartment_id;
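
The two queries below are an added example, not part of the mod's own query set. They build on the control query above: the first narrows it to the buckets in alarm and derives the remediation command from the CLI step in this page (the key OCID is left as a placeholder), and the second goes one step further than the control by checking that an assigned CMK is actually in the ENABLED state. The `oci_kms_key` table and its `id` and `lifecycle_state` columns are an assumption about the Steampipe OCI plugin schema; `oci_objectstorage_bucket` and `oci_identity_compartment` are the tables the control itself uses.

```sql
-- Added example, not part of the steampipe-mod-oci-compliance mod.
-- Assumes the same Steampipe OCI plugin tables as the control; the
-- oci_kms_key join (columns id, lifecycle_state) is an assumed schema.

-- 1. Buckets still on the Oracle managed key (the control's 'alarm' rows),
--    with the matching remediation command from this page's CLI step.
--    <master-encryption-key-id> is a placeholder for the operator to fill in.
select
  b.name as bucket,
  coalesce(c.name, 'root') as compartment,
  b.region,
  'oci os bucket update --bucket-name ' || b.name
    || ' --kms-key-id <master-encryption-key-id>' as remediation
from
  oci_objectstorage_bucket as b
  left join oci_identity_compartment as c on c.id = b.compartment_id
where
  b.kms_key_id is null
  or b.kms_key_id = ''
order by
  compartment, bucket;

-- 2. Buckets that pass the control (a CMK is assigned) but whose key is not
--    ENABLED, e.g. DISABLED or DELETING. Such a key does not protect the data;
--    it makes the bucket unreadable, so these rows deserve the same attention.
select
  b.name as bucket,
  b.region,
  b.kms_key_id,
  coalesce(k.lifecycle_state, 'KEY NOT FOUND') as key_state
from
  oci_objectstorage_bucket as b
  left join oci_kms_key as k on k.id = b.kms_key_id
where
  b.kms_key_id is not null
  and b.kms_key_id <> ''
  and coalesce(k.lifecycle_state, '') <> 'ENABLED'
order by
  bucket;
```

Run either query from `steampipe query` against the same OCI connection the control uses. The second query is a useful companion check because the control only tests that `kms_key_id` is populated, not that the key behind it is still usable.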

Tags