Ensure OCI Object Storage is encrypted with Customer Managed Key

Error: OCI Object Storage Bucket is not encrypted with a Customer Managed Key (CMK)
Bridgecrew Policy ID: BC_OCI_STORAGE_5
Checkov Check ID: CKV_OCI_9
Severity: HIGH

Description

This policy identifies OCI Object Storage buckets that are not encrypted with a Customer Managed Key (CMK). By default, Object Storage encrypts bucket data with Oracle-managed keys. Assigning a CMK held in an OCI Vault instead gives you control over the key's lifecycle (rotation, disabling and scheduled deletion) and an audit trail of key use, which adds a level of protection to your data beyond the default encryption. It is recommended that Object Storage buckets be encrypted with a CMK.

Fix - Runtime

OCI Console

  1. Log in to the OCI Console.
  2. Type the resource reported in the alert into the Search box at the top of the Console.
  3. Click the resource reported in the alert from the Resources submenu.
  4. Click Assign next to Encryption Key: Oracle managed key.
  5. Select a Vault from the appropriate compartment.
  6. Select a Master Encryption Key.
  7. Click Assign.

Fix - Buildtime

Terraform

  • Resource: oci_objectstorage_bucket
  • Arguments: kms_key_id
resource "oci_objectstorage_bucket" "pass" {
  ...
  # OCID of a master encryption key in an OCI Vault. When kms_key_id is
  # omitted the bucket falls back to Oracle-managed keys and fails CKV_OCI_9.
  kms_key_id            = var.oci_kms_key.id
  ...
}
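The following is an added, complete example written for this page (it is not Bridgecrew or Checkov code and not from the original page). It shows a bucket that fails CKV_OCI_9 beside one that passes, together with the vault and key the passing bucket depends on. The compartment variable, the display names and the bucket names are assumptions; the resource and argument names are those of the OCI Terraform provider.

```hcl
# Added example, not part of the original policy page.
# compartment_ocid, display names and bucket names are placeholders.

variable "compartment_ocid" {
  description = "OCID of the compartment that holds the vault, key and buckets"
  type        = string
}

# Object Storage namespace of the tenancy; every bucket needs it.
data "oci_objectstorage_namespace" "ns" {
  compartment_id = var.compartment_ocid
}

# Vault that owns the customer managed key. DEFAULT vaults share HSM
# partitions; VIRTUAL_PRIVATE gives a dedicated partition at higher cost.
resource "oci_kms_vault" "object_storage" {
  compartment_id = var.compartment_ocid
  display_name   = "object-storage-vault"
  vault_type     = "DEFAULT"
}

# Master encryption key. Object Storage requires a symmetric AES key;
# length is in bytes, so 32 selects AES-256.
resource "oci_kms_key" "object_storage" {
  compartment_id      = var.compartment_ocid
  display_name        = "object-storage-cmk"
  management_endpoint = oci_kms_vault.object_storage.management_endpoint

  key_shape {
    algorithm = "AES"
    length    = 32
  }
}

# FAILS CKV_OCI_9: no kms_key_id, so the bucket uses Oracle-managed keys.
resource "oci_objectstorage_bucket" "fail" {
  compartment_id = var.compartment_ocid
  namespace      = data.oci_objectstorage_namespace.ns.namespace
  name           = "app-data-oracle-managed"
}

# PASSES CKV_OCI_9: encrypted with the customer managed key defined above.
resource "oci_objectstorage_bucket" "pass" {
  compartment_id = var.compartment_ocid
  namespace      = data.oci_objectstorage_namespace.ns.namespace
  name           = "app-data-cmk"
  kms_key_id     = oci_kms_key.object_storage.id
}
```

Running `checkov -d . --check CKV_OCI_9` against this directory reports the first bucket as failed and the second as passed. Two caveats the check itself cannot see: the apply fails unless an IAM policy allows the Object Storage service in that region to use keys in the compartment, and disabling or deleting the key later makes every object in the bucket unreadable, so key lifecycle actions need the same change control as the data itself.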