
๐Ÿ›ก๏ธ Oracle IAAS Boot Volume is not encrypted with a customer managed key๐ŸŸข

  • Contextual name: 🛡️ IAAS Boot volume is not encrypted with a customer managed key 🟢
  • ID: /ce/ca/oracle/compute/boot-volume-cmk-encryption
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

This policy identifies Oracle IAAS Boot Volumes that are not encrypted with a customer managed key from OCI Vault.

Rationale

OCI boot volumes store the operating system, boot files, and other data required to start compute instances. Oracle encrypts boot volumes at rest by default, but using a customer managed key provides stronger governance over the encryption key that protects this data. It allows the organization to manage key access, rotation, audit visibility, and revocation independently from the storage service.

Customer managed keys are recommended for boot volumes that support sensitive, regulated, or business-critical workloads because they enable stricter separation of duties and better control of the key lifecycle than provider-managed encryption keys.

Impact

Using customer managed keys increases operational responsibility. Before remediation, confirm that the target Vault key is enabled, available in the required region, and grants the Compute and Block Volume services permission to use it. Disabling, deleting, or restricting the key can prevent access to protected boot volumes.


Remediation

Encrypt the Boot Volume with a Customer Managed Key

Configure the affected boot volume to use a customer managed key from OCI Vault. Before applying the change, confirm that the target key is enabled and that the Compute and Block Volume services have permission to use it.

From Oracle Cloud Console

  1. Follow the audit procedure above.
  2. For each boot volume in the returned results, click the boot volume name.
  3. Click Assign next to Encryption Key.
  4. Select the Vault Compartment and Vault.
  5. Select the Master Encryption Key Compartment and Master Encryption Key.
  6. Click Assign.

From OCI CLI

For each affected boot volume, assign the target Vault key:

oci bv boot-volume update \
--boot-volume-id {{boot-volume-ocid}} \
--kms-key-id {{kms-key-ocid}}

After remediation, verify that the boot volume references the intended customer managed key:

oci bv boot-volume get \
--boot-volume-id {{boot-volume-ocid}} \
--query "data.\"kms-key-id\""
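The policy logic above (flag boot volumes whose kms-key-id is empty) and the pre-remediation check in the Impact section (only assign a Vault key that is ENABLED) can be exercised offline against the JSON shape the OCI CLI returns. The following is an added example, not Cloudaware's policy implementation or Oracle's code; the boot-volume and key records are constructed samples that mimic the "data" array of `oci bv boot-volume list` and `oci kms management key list`, and every OCID in them is made up.

```python
import json
from typing import Dict, List, Optional, Set

# Constructed sample: "data" array shape of `oci bv boot-volume list --output json`.
# Field names follow the OCI CLI's hyphenated JSON keys; OCIDs are invented.
SAMPLE_BOOT_VOLUMES: List[Dict] = json.loads("""
{
  "data": [
    {"id": "ocid1.bootvolume.oc1.phx.example-a", "display-name": "web-01 (Boot Volume)",
     "lifecycle-state": "AVAILABLE", "kms-key-id": null},
    {"id": "ocid1.bootvolume.oc1.phx.example-b", "display-name": "db-01 (Boot Volume)",
     "lifecycle-state": "AVAILABLE", "kms-key-id": "ocid1.key.oc1.phx.example-vault-key-1"},
    {"id": "ocid1.bootvolume.oc1.phx.example-c", "display-name": "old-01 (Boot Volume)",
     "lifecycle-state": "TERMINATED", "kms-key-id": null}
  ]
}
""")["data"]

# Constructed sample: "data" array shape of `oci kms management key list`.
SAMPLE_VAULT_KEYS: List[Dict] = json.loads("""
{
  "data": [
    {"id": "ocid1.key.oc1.phx.example-vault-key-1", "display-name": "boot-volume-cmk",
     "lifecycle-state": "ENABLED"},
    {"id": "ocid1.key.oc1.phx.example-vault-key-2", "display-name": "retired-cmk",
     "lifecycle-state": "DISABLED"}
  ]
}
""")["data"]


def noncompliant_boot_volumes(volumes: List[Dict],
                              allowed_key_ids: Optional[Set[str]] = None,
                              skip_terminated: bool = True) -> List[Dict]:
    """Return boot volumes that violate the policy.

    A volume is flagged when it has no customer managed key (Oracle-managed
    encryption), or, when an allow-list is given, when its key is not one of
    the organisation's approved Vault keys. Terminated volumes are skipped by
    default because they no longer hold data a key could protect.
    """
    flagged = []
    for vol in volumes:
        if skip_terminated and vol.get("lifecycle-state") == "TERMINATED":
            continue
        key_id = vol.get("kms-key-id")
        if not key_id:
            flagged.append(vol)
        elif allowed_key_ids is not None and key_id not in allowed_key_ids:
            flagged.append(vol)
    return flagged


def key_is_usable(key_id: str, keys: List[Dict]) -> bool:
    """True only if the target key exists and is ENABLED; a disabled, deleted
    or unknown key would leave the boot volume unreadable after assignment."""
    for key in keys:
        if key.get("id") == key_id:
            return key.get("lifecycle-state") == "ENABLED"
    return False


def remediation_commands(volumes: List[Dict], keys: List[Dict],
                         target_key_id: str) -> List[str]:
    """Build the `oci bv boot-volume update` commands from the remediation
    section for every non-compliant volume, refusing to plan anything when
    the target key fails the usability check."""
    if not key_is_usable(target_key_id, keys):
        raise ValueError(f"target key {target_key_id} is missing or not ENABLED; "
                         "refusing to plan remediation")
    return [
        f"oci bv boot-volume update --boot-volume-id {vol['id']} "
        f"--kms-key-id {target_key_id}"
        for vol in noncompliant_boot_volumes(volumes)
    ]


if __name__ == "__main__":
    for vol in noncompliant_boot_volumes(SAMPLE_BOOT_VOLUMES):
        print(f"NON-COMPLIANT: {vol['display-name']} ({vol['id']})")
    for cmd in remediation_commands(SAMPLE_BOOT_VOLUMES, SAMPLE_VAULT_KEYS,
                                    "ocid1.key.oc1.phx.example-vault-key-1"):
        print(cmd)
```

In practice the two sample arrays would be replaced by the parsed output of the corresponding CLI calls; the allow-list parameter is the part that goes beyond the page's check, since it also catches volumes encrypted with a key that is customer managed but not the one the organisation approved for boot volumes.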


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Oracle v3.1.0 → 💼 5.2.2 Ensure boot volumes are encrypted with Customer Managed Key (CMK). - Level 2 (Automated) | | | 1 | | no data
💼 Cloudaware Framework → 💼 Data Encryption | | | 65 | | no data