πŸ›‘οΈ Oracle Storage Bucket is not encrypted with a customer managed key🟒

  • Contextual name: 🛡️ Storage Bucket is not encrypted with a customer managed key 🟢
  • ID: /ce/ca/oracle/bucket/bucket-cmk-encryption
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

  • Internal: dec-x-6664ebac

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-6664ebac | 1 |

Description

This policy identifies Oracle Storage Buckets that are not encrypted with a customer managed key from OCI Vault.

Rationale

Oracle Object Storage encrypts bucket data at rest by default. Using a customer managed key adds stronger governance over the encryption key that protects bucket objects. It allows the organization to manage key access, rotation, audit visibility, and revocation independently from the storage service.

Customer managed keys are recommended for buckets that store sensitive, regulated, or business-critical data because they support stricter separation of duties and key lifecycle controls than provider-managed encryption keys.

Impact

Changing the encryption key affects how new and updated objects are encrypted. Before remediation, confirm that the target Vault key is enabled, available in the required region, and grants Object Storage the permissions needed to use the key. Disabling, deleting, or restricting the key can prevent access to encrypted objects.

Audit

This policy flags an Oracle Storage Bucket as INCOMPLIANT when its KMS Key OCID is empty.

Remediation

Encrypt the Bucket with a Customer Managed Key

Configure the affected Object Storage bucket to use a customer managed key from OCI Vault. Before applying the change, confirm that the target key is enabled and that Object Storage has permission to use it.

From Oracle Cloud Console

  1. Navigate to https://cloud.oracle.com/object-storage/buckets.
  2. Click the affected bucket under the Name heading.
  3. Click Assign next to Encryption Key: Oracle managed key.
  4. Select the target Vault.
  5. Select the target master encryption key.
  6. Click Assign.

From OCI CLI

For each affected bucket, run:

oci os bucket update \
--namespace-name {{namespace-name}} \
--bucket-name {{bucket-name}} \
--kms-key-id {{kms-key-ocid}}

After remediation, verify that the bucket references the intended customer managed key:

oci os bucket get \
--namespace-name {{namespace-name}} \
--bucket-name {{bucket-name}} \
--query "data.\"kms-key-id\""
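The Audit rule above (an empty KMS Key OCID means INCOMPLIANT) together with the pre-remediation checks from the Impact section, as an added Python example that is not part of this policy page or of the OCI tooling. The bucket records and key inventory are constructed samples in the shape of `oci os bucket get` and `oci kms management key get` output; the `lifecycle-state`/`ENABLED` field and value and the use of the fourth OCID segment as the key's region are assumptions.

```python
import json

# Constructed sample in the shape `oci os bucket get --query data` prints (only fields read here).
BUCKETS_JSON = """[
  {"name": "app-logs",     "namespace": "examplens", "kms-key-id": null},
  {"name": "pii-archive",  "namespace": "examplens",
   "kms-key-id": "ocid1.key.oc1.iad.exampleaaaa.abcd1234"},
  {"name": "legacy-dumps", "namespace": "examplens", "kms-key-id": "  "}
]"""

# Constructed key inventory keyed by OCID; assumption: `oci kms management key get` reports
# the key's state as "lifecycle-state" and "ENABLED" is the state in which it can be assigned.
KEYS = {
    "ocid1.key.oc1.iad.exampleaaaa.abcd1234": {"lifecycle-state": "ENABLED"},
    "ocid1.key.oc1.iad.exampleaaaa.off00001": {"lifecycle-state": "DISABLED"},
    "ocid1.key.oc1.phx.exampleaaaa.west0001": {"lifecycle-state": "ENABLED"},
}

def evaluate_bucket(bucket):
    """Audit rule from the page: empty KMS Key OCID -> INCOMPLIANT, otherwise COMPLIANT.
    null, "" and whitespace-only values all count as empty (Oracle managed key in use)."""
    key_id = bucket.get("kms-key-id") or ""
    return "INCOMPLIANT" if not key_id.strip() else "COMPLIANT"

def key_ready(key_id, region, keys=KEYS):
    """Pre-remediation checks from the Impact section: the target key must exist, be ENABLED,
    and live in the bucket's region (4th OCID segment: ocid1.key.<realm>.<region>....)."""
    key = keys.get(key_id)
    if key is None:
        return False, "key not found in inventory"
    if key.get("lifecycle-state") != "ENABLED":
        return False, f"key is {key['lifecycle-state']}, not ENABLED"
    if key_id.split(".")[3] != region:
        return False, f"key is in region {key_id.split('.')[3]}, bucket is in {region}"
    return True, "ok"

def plan_remediation(buckets_json, key_id, region, keys=KEYS):
    """Return the `oci os bucket update` argv from the Remediation section for every
    INCOMPLIANT bucket; refuse to plan anything if the target key fails key_ready()."""
    ok, reason = key_ready(key_id, region, keys)
    if not ok:
        raise ValueError(f"refusing to remediate: {reason}")
    return [["oci", "os", "bucket", "update", "--namespace-name", b["namespace"],
             "--bucket-name", b["name"], "--kms-key-id", key_id]
            for b in json.loads(buckets_json) if evaluate_bucket(b) == "INCOMPLIANT"]

if __name__ == "__main__":
    for argv in plan_remediation(BUCKETS_JSON, "ocid1.key.oc1.iad.exampleaaaa.abcd1234", "iad"):
        print(" ".join(argv))  # one update command per non-compliant bucket
```

Running the block prints one `oci os bucket update` command per non-compliant bucket, and exits with an error instead of producing any command when the target key is disabled, missing, or in another region.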

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices; | 1212 | no data
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance). | 2324 | no data
💼 CIS Oracle v3.1.0 → 💼 5.1.2 Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK). - Level 2 (Automated) | 11 | no data
💼 Cloudaware Framework → 💼 Data Encryption | 65 | no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H) | 2829 | no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 1738 | no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 526 | no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 138 | no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 26 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 138 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 26 | no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls | 1920 | no data
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records | 1116 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 5498 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 196 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 167 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 197 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains | 3335 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest | 31939 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection | 1126 | no data
💼 PCI DSS v4.0.1 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. | 14 | no data
💼 PCI DSS v4.0 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. | 914 | no data