Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-oci-compliance
Overview
3Dashboards
133Benchmarks
43Queries
2Variables
GitHub

Control: 4.2.2 Ensure boot volumes are encrypted with Customer Managed Key (CMK)

Description

When you launch a virtual machine (VM) or bare metal instance based on a platform image or custom image, a new boot volume for the instance is created in the same compartment. That boot volume is associated with that instance until you terminate the instance. By default, the Oracle service manages the keys that encrypt this boot volume. Boot Volumes can also be encrypted using a customer managed key.

Remediation

From Console

  1. Login to OCI Console.
  2. Click in the search bar, top of the screen.
  3. Type Advanced Resource Query and click enter.
  4. Click the Advanced Resource Query button in the upper right of the screen.
  5. Enter the following query in the query box:
query bootvolume resources
  1. For each boot volume returned click on the link under Display name.
  2. Ensure Encryption Key does not say Oracle managed key.
  3. Repeat for other subscribed regions.
  4. For each Boot Volume in the returned results, click the Boot Volume name.
  5. Click Assign next to Encryption Key.
  6. Select the Vault Compartment and Vault.
  7. Select the Master Encryption Key Compartment and Master Encryption key.
  8. Click Assign.

From Command Line

  1. Execute the following command:
for region in `oci iam region list | jq -r '.data[] | .name'`;
  do
  for bvid in `oci search resource structured-search --region $region -- query-text "query bootvolume resources" 2>/dev/null | jq -r '.data.items[] | .identifier'`
    do
    output=`oci bv boot-volume get --boot-volume-id $bvid 2>/dev/null
    | jq -r '.data | select(."kms-key-id" == null).id'`
    if [ ! -z "$output" ]; then echo $output; fi
    done
  done
  1. Ensure query returns no results.
  2. For each boot volume identified get its OCID. Execute the following command:
oci os bucket update --bucket-name <bucket-name> --kms-key-id <masterencryption-key-id>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_4_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_4_2_2 --share

SQL

This control uses a named query:

select
  v.id as resource,
  case
    when kms_key_id is not null and kms_key_id <> '' then 'ok'
    else 'alarm'
  end as status,
  case
    when kms_key_id is not null and kms_key_id <> '' then v.title || ' encrypted with CMK.'
    else v.title || ' not encrypted with CMK.'
  end as reason
  
  , v.region as region, v.tenant_name as tenant
  , coalesce(c.name, 'root') as compartment
from
  oci_core_boot_volume as v
  left join oci_identity_compartment as c on c.id = v.compartment_id;

Tags

category = Compliance
cis = true
cis_item_id = 4.2.2
cis_level = 1
cis_section_id = 4.1
cis_type = manual
cis_version = v1.2.0
plugin = oci
service = OCI/ObjectStorage