lacework-global-708
4.1.2 Encrypt Object Storage Buckets with a Customer Managed Key (CMK) (Automated)
Description
Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle managed key.
Remediation
From Console:
Login to OCI Console.
Select Storage from the Services menu.
Select Buckets from under the Object Storage & Archive Storage section.
Click an individual bucket under the Name heading.
Click Assign next to Encryption Key: Oracle managed key.
Select a Vault.
Select a Master Encryption Key.
Click Assign.
From CLI:
Execute the following command:
oci os bucket update --bucket-name <bucket-name> --kms-key-id <master-encryption-key-id>
Impact:
Encrypting with a Customer Managed Key requires a Vault and a Customer Master Key. In addition, you must authorize the Object Storage service to use keys on your behalf.
Required Policy:
Allow service objectstorage-<region_name> to use keys in compartment <compartment-id> where target.key.id = <key_ocid>
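As an added example (not part of the Lacework policy or Oracle's documentation), this Python script applies the check above to the JSON that `oci os bucket get` returns, flags buckets still on an Oracle managed key, and builds the `oci os bucket update` command from the CLI step for each one. The bucket records, namespace and key OCID are constructed placeholders; the live lookup assumes a configured OCI CLI.

```python
import json
import shlex
import subprocess

# Constructed sample records in the shape `oci os bucket get --bucket-name <name>`
# prints (trimmed to the fields this check needs). Names and OCIDs are placeholders.
SAMPLE_BUCKETS = [
    {"data": {"name": "logs-archive", "namespace": "exampletenancy",
              "compartment-id": "ocid1.compartment.oc1..placeholder",
              "kms-key-id": None}},
    {"data": {"name": "customer-exports", "namespace": "exampletenancy",
              "compartment-id": "ocid1.compartment.oc1..placeholder",
              "kms-key-id": "ocid1.key.oc1.iad.placeholder"}},
]


def uses_customer_managed_key(bucket_json):
    """True when a KMS key OCID is assigned; null or empty means Oracle managed encryption."""
    return bool(bucket_json.get("data", {}).get("kms-key-id"))


def remediation_command(bucket_json, master_key_ocid):
    """Build the `oci os bucket update` call from the remediation steps for one bucket."""
    name = bucket_json["data"]["name"]
    return "oci os bucket update --bucket-name {} --kms-key-id {}".format(
        shlex.quote(name), shlex.quote(master_key_ocid))


def audit(buckets, master_key_ocid):
    """Return (bucket_name, remediation_command) for every bucket still on an Oracle managed key."""
    findings = []
    for bucket in buckets:
        if not uses_customer_managed_key(bucket):
            findings.append((bucket["data"]["name"],
                             remediation_command(bucket, master_key_ocid)))
    return findings


def fetch_bucket(bucket_name):
    """Live lookup through the OCI CLI (needs a configured CLI; not used by the sample run)."""
    completed = subprocess.run(
        ["oci", "os", "bucket", "get", "--bucket-name", bucket_name, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


if __name__ == "__main__":
    for name, cmd in audit(SAMPLE_BUCKETS, "ocid1.key.oc1.iad.placeholder"):
        print(f"{name}: Oracle managed key -> {cmd}")
```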
References
https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__BUCKET_ENCRYPTED_WITH_ORACLE_MANAGED_KEY
https://docs.oracle.com/en/solutions/oci-best-practices/protect-data-rest1.html#GUID-9C0F713E-4C67-43C6-80CA-525A6AB221F1
https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/encryption.htm