lacework-global-708

4.1.2 Encrypt Object Storage Buckets with a Customer Managed Key (CMK) (Automated)

Description

Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle managed key rather than a key in a Vault that you control.

Remediation

From Console:

  1. Log in to the OCI Console.

  2. Select Storage from the Services menu.

  3. Select Buckets from under the Object Storage & Archive Storage section.

  4. Click an individual bucket under the Name heading.

  5. Click Assign next to Encryption Key: Oracle managed key.

  6. Select a Vault.

  7. Select a Master Encryption Key.

  8. Click Assign.

From CLI:

  1. Execute the following command:

    oci os bucket update --bucket-name <bucket-name> --kms-key-id <master-encryption-key-id>

Impact:

Encrypting with a Customer Managed Key requires a Vault and a Customer Master Key. In addition, you must authorize the Object Storage service to use keys on your behalf.

Required Policy:

Allow service objectstorage-<region_name> to use keys in compartment <compartment-id> where target.key.id = <key_ocid>
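The check this policy automates, as an added example that is not part of the Lacework page or Oracle's tooling: the script parses the JSON that `oci os bucket get --bucket-name <name>` prints for each bucket, flags buckets whose `kms-key-id` is null or empty (still on the Oracle managed key), and builds the `oci os bucket update` command and the IAM policy statement from the remediation section above. The bucket records, OCIDs and the `ocid1.key.` prefix check are constructed assumptions for the example.

```python
"""Report OCI Object Storage buckets not encrypted with a Customer Managed Key.

Reads the JSON emitted by `oci os bucket get` for each bucket (hyphenated field
names, as the OCI CLI prints them) and lists the buckets that still rely on
the Oracle managed key, together with the remediation command and the IAM
policy statement Object Storage needs before it can use the key.
"""
import json

# Constructed sample: one `oci os bucket get` JSON document per bucket.
# OCIDs are placeholders, not real identifiers.
SAMPLE_BUCKET_GET_OUTPUTS = [
    """{"data": {"name": "app-logs", "namespace": "exampletenancy",
                 "compartment-id": "ocid1.compartment.oc1..EXAMPLECOMPARTMENT",
                 "kms-key-id": null, "public-access-type": "NoPublicAccess"}}""",
    """{"data": {"name": "customer-exports", "namespace": "exampletenancy",
                 "compartment-id": "ocid1.compartment.oc1..EXAMPLECOMPARTMENT",
                 "kms-key-id": "ocid1.key.oc1.iad.EXAMPLEKEY",
                 "public-access-type": "NoPublicAccess"}}""",
    """{"data": {"name": "backups", "namespace": "exampletenancy",
                 "compartment-id": "ocid1.compartment.oc1..EXAMPLECOMPARTMENT",
                 "kms-key-id": "", "public-access-type": "NoPublicAccess"}}""",
]

# Assumption: a Vault master encryption key OCID always starts with this prefix.
KEY_OCID_PREFIX = "ocid1.key."


def parse_bucket_get(output: str) -> dict:
    """Return the bucket record inside the CLI's {"data": {...}} envelope."""
    return json.loads(output)["data"]


def uses_customer_managed_key(bucket: dict) -> bool:
    """True when the bucket names a Vault master encryption key.

    A missing, null or empty kms-key-id means the bucket is encrypted with
    the Oracle managed key, which is the non-compliant state for this policy.
    """
    key_id = bucket.get("kms-key-id")
    return isinstance(key_id, str) and key_id.startswith(KEY_OCID_PREFIX)


def find_noncompliant(outputs) -> list:
    """Names of buckets (in input order) that are not encrypted with a CMK."""
    return [
        bucket["name"]
        for bucket in map(parse_bucket_get, outputs)
        if not uses_customer_managed_key(bucket)
    ]


def remediation_command(bucket_name: str, key_ocid: str) -> str:
    """The CLI command from the remediation section, filled in for one bucket."""
    return f"oci os bucket update --bucket-name {bucket_name} --kms-key-id {key_ocid}"


def required_policy(region: str, compartment_id: str, key_ocid: str) -> str:
    """IAM statement that lets Object Storage in a region use the chosen key."""
    return (
        f"Allow service objectstorage-{region} to use keys in compartment "
        f"{compartment_id} where target.key.id = {key_ocid}"
    )


if __name__ == "__main__":
    # Placeholder values an operator would replace with their own Vault key and region.
    target_key = "ocid1.key.oc1.iad.EXAMPLEKEY"
    region = "us-ashburn-1"
    compartment = "ocid1.compartment.oc1..EXAMPLECOMPARTMENT"

    for name in find_noncompliant(SAMPLE_BUCKET_GET_OUTPUTS):
        print(f"NON-COMPLIANT: bucket '{name}' uses the Oracle managed key")
        print("  fix: " + remediation_command(name, target_key))
    print("policy needed once per region/key:")
    print("  " + required_policy(region, compartment, target_key))
```

In practice the per-bucket JSON would come from looping `oci os bucket list --compartment-id <compartment-id>` and calling `oci os bucket get` for each name, since the list output alone does not carry `kms-key-id`. The `update` command fails until the policy statement is in place, so apply the policy first.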

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__BUCKET_ENCRYPTED_WITH_ORACLE_MANAGED_KEY
https://docs.oracle.com/en/solutions/oci-best-practices/protect-data-rest1.html#GUID-9C0F713E-4C67-43C6-80CA-525A6AB221F1
https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/encryption.htm