Control: 18.104.22.168 Ensure Cloud Object Storage Encryption is set to On with BYOK
You can use IBM Cloud encryption key management service, for example Key Protect, to bring your own root key (BYOK) to IBM Cloud and use it to add envelope encryption for data that is stored in IBM Cloud Object Storage buckets.
You will not be able to add Key Protect as the key management service once data is already written to a Cloud Object Storage bucket. In order to ensure that objects are encrypted using Key Protect root keys you will need to create a new Cloud Object Storage bucket, set it to use Key Protect key management service and then upload/copy the existing objects to this new bucket.
Run the control in your terminal:
steampipe check ibm_compliance.control.cis_v100_2_1_1_2
Snapshot and share results via Steampipe Cloud:
steampipe loginsteampipe check --share ibm_compliance.control.cis_v100_2_1_1_2
This control uses a named query:object_storage_bucket_with_key_protect_enabled