Ensure OCI Block Storage Block Volumes are encrypted with a Customer Managed Key (CMK)

Error: OCI Block Storage Block Volumes are not encrypted with a Customer Managed
Key (CMK)

Bridgecrew Policy ID: BC_OCI_Storage_2
Checkov Check ID: CKV_OCI_3
Severity: HIGH

OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key(CMK)

Description

This policy identifies the OCI Block Storage Volumes that are not encrypted with a Customer Managed Key (CMK). It is recommended that Block Storage Volumes should be encrypted with a Customer Managed Key (CMK), using Customer Managed Key (CMK), provides an additional level of security on your data by allowing you to manage your own encryption key lifecycle management for the Block Storage Volume.

Fix - Runtime

OCI Console

  1. Login to the OCI Console
  2. Type the resource reported in the alert into the Search box at the top of the Console.
  3. Click the resource reported in the alert from the Resources submenu
  4. Click Assign next to Encryption Key: Oracle managed key.
  5. Select a Vault from the appropriate compartment
  6. Select a Master Encryption Key
  7. Click Assign

Fix - Buildtime

Terraform

  • Resource: oci_core_volum
  • Arguments: kms_key_id
resource "oci_core_volume" "pass" {
  #Required
  compartment_id = var.compartment_id
  availability_domain = var.volume_block_volume_replicas_availability_domain

  }
  defined_tags         = { "Operations.CostCenter" = "42" }
  display_name         = var.volume_display_name
  freeform_tags        = { "Department" = "Finance" }
  is_auto_tune_enabled = var.volume_is_auto_tune_enabled
  kms_key_id           = oci_kms_key.test_key.id
  size_in_gbs          = var.volume_size_in_gbs
  size_in_mbs          = var.volume_size_in_mbs
  source_details {
    #Required
    id   = var.volume_source_details_id
    type = var.volume_source_details_type
  }
}