πŸ›‘οΈ Oracle IAAS Block Volume is not encrypted with a customer managed key🟒

  • Contextual name: 🛡️ IAAS Block Volume is not encrypted with a customer managed key 🟢
  • ID: /ce/ca/oracle/compute/block-volume-cmk-encryption
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

  • Internal: dec-x-ae60c87e

Similar Internal Rules

  Rule                 Policies   Flags
  ✉️ dec-x-ae60c87e    1

Description

This policy identifies Oracle IAAS Block Volumes that are not encrypted with a customer managed key from OCI Vault.

Rationale

Oracle Block Volume encrypts volume data at rest by default. Using a customer managed key adds stronger governance over the encryption key that protects block volume data. It allows the organization to manage key access, rotation, audit visibility, and revocation independently from the storage service.

Customer managed keys are recommended for block volumes that store sensitive, regulated, or business-critical data because they support stricter separation of duties and key lifecycle controls than provider-managed encryption keys.

Impact

Changing the encryption key affects how the volume is protected and can impact workloads that depend on the volume. Before remediation, confirm that the target Vault key is enabled, available in the required region, and grants the Block Volume service the permissions needed to use it. Disabling, deleting, or restricting the key can prevent access to encrypted volume data.

Remediation

Encrypt the Block Volume with a Customer Managed Key

Configure the affected block volume to use a customer managed key from OCI Vault. Before applying the change, confirm that the target key is enabled and that the Block Volume service has permission to use it.

From Oracle Cloud Console

  1. Follow the audit procedure in the policy description to identify affected block volumes.
  2. For each affected block volume, click the link under Display name.
  3. If Encryption Key is set to Oracle-managed key, click Assign next to Oracle-managed key.
  4. Select the target Vault compartment and Vault.
  5. Select the target master encryption key compartment and master encryption key.
  6. Click Assign.
  7. Confirm that Encryption Key shows the intended customer managed key.

From OCI CLI

Assign a customer managed key to the existing block volume:

oci bv volume-kms-key update \
--volume-id {{volume-ocid}} \
--kms-key-id {{kms-key-ocid}}
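The audit step the console procedure refers to and the CLI remediation above, as an added Python example that is not part of this policy page or of Oracle's tooling. It reads the JSON that `oci bv volume list --output json` produces (the record shape and the `kms-key-id` field name are assumptions made here, and the sample records are constructed), flags every non-terminated volume with no customer managed key assigned, and builds the `oci bv volume-kms-key update` command from the page for each one as a dry run, executing nothing.

```python
import json
import shlex

# Constructed sample in the assumed shape of `oci bv volume list --output json`:
# a "data" list of volume records. Field names are an assumption; check them
# against your own CLI output before relying on this.
SAMPLE_VOLUME_LIST = json.dumps({
    "data": [
        {   # compliant: a Vault key is assigned
            "id": "ocid1.volume.oc1..EXAMPLE-app-data",
            "display-name": "app-data",
            "lifecycle-state": "AVAILABLE",
            "kms-key-id": "ocid1.key.oc1..EXAMPLE-cmk-1",
        },
        {   # non-compliant: no key id means the Oracle-managed key is in use
            "id": "ocid1.volume.oc1..EXAMPLE-db-data",
            "display-name": "db-data",
            "lifecycle-state": "AVAILABLE",
            "kms-key-id": None,
        },
        {   # terminated volumes cannot be remediated and are skipped by default
            "id": "ocid1.volume.oc1..EXAMPLE-old-logs",
            "display-name": "old-logs",
            "lifecycle-state": "TERMINATED",
            "kms-key-id": None,
        },
    ]
})


def find_volumes_without_cmk(volume_list_json, ignore_terminated=True):
    """Return the volume records that are not encrypted with a customer managed key.

    A record whose "kms-key-id" is missing or null relies on the provider-managed
    key, which is exactly the condition this policy flags.
    """
    records = json.loads(volume_list_json).get("data", [])
    flagged = []
    for vol in records:
        if ignore_terminated and vol.get("lifecycle-state") == "TERMINATED":
            continue
        if not vol.get("kms-key-id"):
            flagged.append(vol)
    return flagged


def remediation_command(volume_id, kms_key_id):
    """Build the `oci bv volume-kms-key update` invocation shown on the page."""
    return " ".join([
        "oci bv volume-kms-key update",
        "--volume-id", shlex.quote(volume_id),
        "--kms-key-id", shlex.quote(kms_key_id),
    ])


def plan_remediation(volume_list_json, kms_key_id):
    """Return one remediation command per non-compliant volume (nothing is run)."""
    return [remediation_command(vol["id"], kms_key_id)
            for vol in find_volumes_without_cmk(volume_list_json)]


if __name__ == "__main__":
    # Placeholder target key OCID; replace with the Vault key chosen for remediation.
    for cmd in plan_remediation(SAMPLE_VOLUME_LIST, "ocid1.key.oc1..EXAMPLE-target-cmk"):
        print(cmd)
```

To use it against a real tenancy, pass the output of `oci bv volume list --compartment-id <compartment> --output json` to `find_volumes_without_cmk` and review the planned commands before running any of them; as the Impact section notes, the target key must be enabled, present in the volume's region, and usable by the Block Volume service, or the volume becomes unreadable.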

When creating a new block volume, specify the customer managed key at creation:

policy.yaml

Linked Framework Sections

Section   Sub Sections   Internal Rules   Policies   Flags   Compliance
💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices;1212no data
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).2324no data
💼 CIS Oracle v3.1.0 → 💼 5.2.1 Ensure Block Volumes are encrypted with Customer Managed Keys (CMK). - Level 2 (Automated)11no data
💼 Cloudaware Framework → 💼 Data Encryption65no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)2829no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)1738no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)138no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)138no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected196no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains3335no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest31939no data