Ensure OCI Compute Instance boot volume has in-transit data encryption enabled
Error: OCI Compute Instance boot volume has in-transit data encryption is disabled
Bridgecrew Policy ID: BC_OCI_COMPUTE_1
Checkov Check ID: CKV_OCI_4
Severity: HIGH
OCI Compute Instance boot volume has in-transit data encryption is disabled
Description
This policy identifies the OCI Compute Instances that are configured with disabled in-transit data encryption boot or block volumes. It is recommended that Compute Instance boot or block volumes should be configured with in-transit data encryption to minimize risk for sensitive data being leaked.
Fix - Runtime
OCI Console
- Login to the OCI Console
- Type the resource reported in the alert into the Search box at the top of the Console.
- Click the resource reported in the alert from the Resources submenu
- Click Edit
- Click on Show Advanced Options
- Select USE IN-TRANSIT ENCRYPTION
- Click Save Changes
Note : To update the instance properties, the instance must be rebooted.
Fix - Buildtime
Terraform
- Resource: oci_core_instance
- Arguments: is_pv_encryption_in_transit_enabled
resource "oci_core_instance" "pass" {
...
}
ipxe_script = var.instance_ipxe_script
is_pv_encryption_in_transit_enabled = var.instance_is_pv_encryption_in_transit_enabled
launch_options {
boot_volume_type = var.instance_launch_options_boot_volume_type
firmware = var.instance_launch_options_firmware
is_consistent_volume_naming_enabled = var.instance_launch_options_is_consistent_volume_naming_enabled
is_pv_encryption_in_transit_enabled = true
network_type = var.instance_launch_options_network_type
remote_data_volume_type = var.instance_launch_options_remote_data_volume_type
}
...
}
Updated 6 months ago