Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/ibm_compliance
Overview
1Dashboards
67Controls
20Queries
0Variables
GitHub
Loading controls...

Control: 2.1.1.1 Ensure Cloud Object Storage encryption is done with customer managed keys

Description

Users can store objects in IBM Cloud Object Storage buckets by providing their own encryption keys which get applied at a per object level.

Remediation

Using API/CLI

Use of Server-Side Encryption with Customer-Provided Keys (SSE-C) can be validated by the following steps:

Note: Ensure that you have completed the configuration setup to use the CLI by following the guidelines on the Using the AWS CLI page

  1. Review the metadata of the object that is encrypted using the customer-provided key. The operation can be performed using an API call or via a command-line interface. Here is an example call to get the object metadata:
aws --endpoint https://s3.private.au-syd.cloud-objectstorage.appdomain.cloud s3api head-object --bucket <bucket-name> --key
<object-name> --sse-customer-algorithm=AES256 --sse-customerkey=<customer-key-used-to encrypt-the-object>
  1. The presence of the object headers SSECustomerKeyMD5 and SSECustomerAlgorithm from the API/CLI response should confirm that the object is encrypted using the key.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_2_1_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_2_1_1_1 --share

SQL

This control uses a named query:

object_storage_bucket_with_cmk

Tags

category = Compliance
cis = true
cis_item_id = 2.1.1.1
cis_level = 1
cis_section_id = 2.1.1
cis_type = manual
cis_version = v1.0.0
plugin = ibm
service = IBM/Storage