Control: 2.1.1.2 Ensure Cloud Object Storage Encryption is set to On with BYOK

Description

You can use IBM Cloud encryption key management service, for example Key Protect, to bring your own root key (BYOK) to IBM Cloud and use it to add envelope encryption for data that is stored in IBM Cloud Object Storage buckets.

Remediation

From Console

You will not be able to add Key Protect as the key management service once data is already written to a Cloud Object Storage bucket. In order to ensure that objects are encrypted using Key Protect root keys you will need to create a new Cloud Object Storage bucket, set it to use Key Protect key management service and then upload/copy the existing objects to this new bucket.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_2_1_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_2_1_1_2 --share

SQL

This control uses a named query:

object_storage_bucket_with_key_protect_enabled

Control: 2.1.1.2 Ensure Cloud Object Storage Encryption is set to On with BYOK

Description

Remediation

From Console

Usage

SQL

Tags