Ensure OCI Compute Instance boot volume has in-transit data encryption enabled

Error: OCI Compute Instance boot volume has in-transit data encryption disabled
Bridgecrew Policy ID: BC_OCI_COMPUTE_1
Checkov Check ID: CKV_OCI_4
Severity: HIGH


Description

This policy identifies OCI Compute Instances whose boot or block volumes have in-transit data encryption disabled. It is recommended that Compute Instance boot and block volumes be configured with in-transit data encryption to reduce the risk of sensitive data being leaked.

Fix - Runtime

OCI Console

  1. Log in to the OCI Console.
  2. Type the resource reported in the alert into the Search box at the top of the Console.
  3. Click the resource reported in the alert from the Resources submenu.
  4. Click Edit.
  5. Click Show Advanced Options.
  6. Select USE IN-TRANSIT ENCRYPTION.
  7. Click Save Changes.
    Note: To update the instance properties, the instance must be rebooted.
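As an added example (not part of this policy page or of Bridgecrew's tooling): a runtime audit that parses the JSON output of `oci compute instance list` and reports instances whose launch options do not enable in-transit volume encryption. The key names are assumed to follow the CLI's kebab-case rendering of the API fields, and the sample records are constructed.

```python
import json

# Constructed sample in the shape of `oci compute instance list --output json`.
# Assumption: the CLI renders the API's camelCase fields as kebab-case keys.
SAMPLE_CLI_OUTPUT = json.dumps({
    "data": [
        {"id": "ocid1.instance.oc1..example-a", "display-name": "web-1",
         "lifecycle-state": "RUNNING",
         "launch-options": {"is-pv-encryption-in-transit-enabled": True}},
        {"id": "ocid1.instance.oc1..example-b", "display-name": "db-1",
         "lifecycle-state": "RUNNING",
         "launch-options": {"is-pv-encryption-in-transit-enabled": False}},
        {"id": "ocid1.instance.oc1..example-c", "display-name": "legacy-1",
         "lifecycle-state": "STOPPED",
         "launch-options": {}},
        {"id": "ocid1.instance.oc1..example-d", "display-name": "gone-1",
         "lifecycle-state": "TERMINATED",
         "launch-options": {"is-pv-encryption-in-transit-enabled": False}},
    ]
})


def find_noncompliant(cli_json, skip_states=("TERMINATED", "TERMINATING")):
    """Return instances whose launch options do not set in-transit
    paravirtualized-volume encryption to true.

    A missing or null value is reported as non-compliant (the policy wants
    the setting explicitly enabled); terminated instances are skipped.
    """
    findings = []
    for inst in json.loads(cli_json).get("data", []):
        if inst.get("lifecycle-state") in skip_states:
            continue
        opts = inst.get("launch-options") or {}
        enabled = opts.get("is-pv-encryption-in-transit-enabled")
        if enabled is not True:
            findings.append({
                "id": inst.get("id"),
                "display-name": inst.get("display-name"),
                "in-transit-encryption": enabled,  # False or None
            })
    return findings


if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE_CLI_OUTPUT):
        print(f"NONCOMPLIANT {f['display-name']} ({f['id']}): "
              f"is-pv-encryption-in-transit-enabled={f['in-transit-encryption']}")
```

To run it against a real tenancy, pipe `oci compute instance list --compartment-id <OCID> --all --output json` into `find_noncompliant`.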

Fix - Buildtime

Terraform

  • Resource: oci_core_instance
  • Arguments: is_pv_encryption_in_transit_enabled
resource "oci_core_instance" "pass" {
  # ... (other arguments elided)
  ipxe_script                         = var.instance_ipxe_script
  is_pv_encryption_in_transit_enabled = var.instance_is_pv_encryption_in_transit_enabled

  launch_options {
    boot_volume_type                    = var.instance_launch_options_boot_volume_type
    firmware                            = var.instance_launch_options_firmware
    is_consistent_volume_naming_enabled = var.instance_launch_options_is_consistent_volume_naming_enabled
    # Enables in-transit encryption for the paravirtualized boot/block volumes
    is_pv_encryption_in_transit_enabled = true
    network_type                        = var.instance_launch_options_network_type
    remote_data_volume_type             = var.instance_launch_options_remote_data_volume_type
  }
  # ...
}