lacework-global-708
Encrypt Object Storage Buckets with a Customer Managed Key (CMK) (Automated)
Description
Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle managed key.
Remediation
From Console:
- Login to OCI Console.
- Select Storage from the Services menu.
- Select Buckets from under the Object Storage & Archive Storage section.
- Click an individual bucket under the Name heading.
- Click Assign next to Encryption Key: Oracle managed key.
- Select a Vault.
- Select a Master Encryption Key.
- Click Assign.
From CLI:
- Execute the following command:
oci os bucket update --bucket-name <bucket-name> --kms-key-id <master-encryption-key-id>
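The check this policy automates can be reproduced offline against the JSON that `oci os bucket get --bucket-name <bucket-name> --output json` returns for each bucket. The following Python is an added example, not Lacework's or Oracle's implementation: it assumes the CLI's kebab-case output field `kms-key-id` (null when the bucket uses the Oracle managed key), treats the three bucket records as constructed sample data, and builds the remediation command from the page for every bucket that fails the check.

```python
import json
import shlex

# Constructed sample: trimmed `oci os bucket get --output json` records for
# three buckets. Only the fields the check needs are kept; OCIDs are made up.
SAMPLE_BUCKET_GET_OUTPUT = [
    json.dumps({"data": {"name": "logs-archive",
                         "compartment-id": "ocid1.compartment.oc1..example",
                         "kms-key-id": None}}),
    json.dumps({"data": {"name": "backups",
                         "compartment-id": "ocid1.compartment.oc1..example",
                         "kms-key-id": "ocid1.key.oc1.iad.example.key1"}}),
    json.dumps({"data": {"name": "public-assets",
                         "compartment-id": "ocid1.compartment.oc1..example"}}),
]


def is_cmk_encrypted(bucket_get_json: str) -> bool:
    """True when the bucket reports a Vault key OCID, i.e. it is CMK-encrypted.

    A null or absent kms-key-id means the bucket still uses the Oracle managed
    key. The prefix check guards against an empty or malformed value being
    counted as a key.
    """
    data = json.loads(bucket_get_json).get("data", {})
    key_id = data.get("kms-key-id")
    return isinstance(key_id, str) and key_id.startswith("ocid1.key.")


def find_unencrypted_buckets(bucket_get_outputs):
    """Return the names of buckets that fail the CMK check, in input order."""
    return [json.loads(out)["data"]["name"]
            for out in bucket_get_outputs if not is_cmk_encrypted(out)]


def remediation_command(bucket_name: str, kms_key_id: str) -> str:
    """Build the `oci os bucket update` command from the remediation steps,
    shell-quoting both arguments so the result can be pasted as-is."""
    return " ".join(["oci", "os", "bucket", "update",
                     "--bucket-name", shlex.quote(bucket_name),
                     "--kms-key-id", shlex.quote(kms_key_id)])


def required_policy(region: str, compartment_id: str, key_ocid: str) -> str:
    """Render the IAM policy statement that lets the Object Storage service
    in `region` use the chosen key on your behalf (see Required Policy)."""
    return (f"Allow service objectstorage-{region} to use keys in compartment "
            f"{compartment_id} where target.key.id = '{key_ocid}'")


if __name__ == "__main__":
    # Assumed target key for the remediation commands (constructed OCID).
    target_key = "ocid1.key.oc1.iad.example.key1"
    for name in find_unencrypted_buckets(SAMPLE_BUCKET_GET_OUTPUT):
        print(f"FAIL {name}: Oracle managed key in use")
        print("  " + remediation_command(name, target_key))
    print(required_policy("iad", "ocid1.compartment.oc1..example", target_key))
```

Because `oci os bucket list` returns bucket summaries without the key field, a real sweep has to call `bucket get` once per bucket name before applying this check.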
Impact:
Encrypting with a Customer Managed Key requires a Vault and a Master Encryption Key. In addition, you must authorize the Object Storage service to use keys on your behalf.
Required Policy:
Allow service objectstorage-<region_name> to use keys in compartment <compartment-id> where target.key.id = <key_ocid>
References
https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__BUCKET_ENCRYPTED_WITH_ORACLE_MANAGED_KEY
https://docs.oracle.com/en/solutions/oci-best-practices/protect-data-rest1.html#GUID-9C0F713E-4C67-43C6-80CA-525A6AB221F1
https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/encryption.htm