lacework-global-710

4.2.1 Encrypt Block Volumes with Customer Managed Keys (CMK) (Automated)

Description

Oracle Cloud Infrastructure Block Volume service lets you dynamically provision and manage block storage volumes. By default, the Oracle service manages the keys that encrypt block volumes. It is also possible to encrypt Block Volumes using a customer managed key.

It is not possible to recover terminated Block Volumes, and any data on a terminated volume is permanently lost. However, Block Volumes can exist in a terminated state within the OCI Portal and CLI for some time after deleting. As such, this policy does not assess any Block Volumes in this state.

Remediation

From Console:

  1. Log in to the OCI Console.

  2. Click the search bar at the top of the screen.

  3. Type 'Advanced Resource Query' and press return.

  4. Click 'Advanced resource query'.

  5. Enter the following query in the query box:

    query volume resources

  6. Click Search.

  7. For each block volume returned, click the link under Display name.

  8. If the value for Encryption Key is 'Oracle-managed key', click Assign next to 'Oracle-managed key'.

  9. Select a Vault Compartment and Vault.

  10. Select a Master Encryption Key Compartment and Master Encryption Key.

  11. Click Assign.

From CLI:

  1. Execute the following command:

    # Walk every subscribed region and every compartment (root included),
    # listing block volumes whose kms-key-id is null, i.e. encrypted with an
    # Oracle-managed key rather than a customer managed key.
    for region in $(oci iam region list | jq -r '.data[] | .name')
    do
      echo "Enumerating region $region"
      for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')
      do
        echo "Enumerating compartment $compid"
        for blockVolumeId in $(oci bv volume list --compartment-id $compid --region $region 2>/dev/null | jq -r '.data[] | select(."kms-key-id" == null).id')
        do
          # Print the display name and OCID of each volume found
          output=$(oci bv volume get --volume-id $blockVolumeId --region $region --query 'data.{name:"display-name",id:id}' --output table 2>/dev/null)
          if [ ! -z "$output" ]; then echo "$output"; fi
        done
      done
    done

  2. For each block volume identified, get the Oracle Cloud Identifier (OCID).

  3. Execute the following command:

    oci bv volume-kms-key update --volume-id <volume OCID> --kms-key-id <kms key OCID>
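
As an added illustration (not part of this policy page or of the OCI CLI), the check below applies the policy's logic to the JSON that `oci bv volume list` prints: a null `kms-key-id` marks a volume encrypted with an Oracle-managed key, and volumes in TERMINATING or TERMINATED state are skipped, as the Description says the policy does. The sample output and all OCIDs are constructed placeholders.

```python
import json

# Constructed sample of `oci bv volume list` output (fictitious OCIDs, not real resources).
SAMPLE_VOLUME_LIST = json.dumps({"data": [
    {"id": "ocid1.volume.oc1..example-a", "display-name": "app-data",
     "lifecycle-state": "AVAILABLE", "kms-key-id": None},
    {"id": "ocid1.volume.oc1..example-b", "display-name": "db-data",
     "lifecycle-state": "AVAILABLE", "kms-key-id": "ocid1.key.oc1..example-key"},
    {"id": "ocid1.volume.oc1..example-c", "display-name": "old-scratch",
     "lifecycle-state": "TERMINATED", "kms-key-id": None},
    {"id": "ocid1.volume.oc1..example-d", "display-name": "draining",
     "lifecycle-state": "TERMINATING", "kms-key-id": None},
]})

# Volumes in these states are not assessed by the policy (see Description).
SKIPPED_STATES = {"TERMINATING", "TERMINATED"}


def find_oracle_managed_volumes(volume_list_json):
    """Return [(id, display-name)] for live volumes with no customer managed key.

    `volume_list_json` is the raw JSON printed by `oci bv volume list`.
    A null "kms-key-id" means the volume is encrypted with an Oracle-managed key.
    """
    volumes = json.loads(volume_list_json).get("data", [])
    findings = []
    for vol in volumes:
        if vol.get("lifecycle-state") in SKIPPED_STATES:
            continue
        if vol.get("kms-key-id") is None:
            findings.append((vol["id"], vol.get("display-name", "")))
    return findings


def remediation_commands(findings, kms_key_ocid):
    """Build the `oci bv volume-kms-key update` command for each finding."""
    return [
        f"oci bv volume-kms-key update --volume-id {vol_id} --kms-key-id {kms_key_ocid}"
        for vol_id, _name in findings
    ]


if __name__ == "__main__":
    hits = find_oracle_managed_volumes(SAMPLE_VOLUME_LIST)
    for vol_id, name in hits:
        print(f"Oracle-managed key: {name} ({vol_id})")
    for cmd in remediation_commands(hits, "<kms key OCID>"):
        print(cmd)
```

Pipe real CLI output into `find_oracle_managed_volumes` per compartment and region to reproduce the policy's finding set; the key OCID must belong to a key the Block Volume service is authorized to use (see the IAM policy under Impact).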

Impact:

Encrypting with a Customer Managed Key requires a Vault and a Customer Master Key. In addition, you must authorize the Block Volume service to use the keys you create.

Required Identity and Access Management (IAM) Policy:

Allow service blockstorage to use keys in compartment <compartment-id> where target.key.id = '<key_ocid>'
