
๐Ÿ›ก๏ธ Oracle IAAS Instance in-transit encryption is disabled๐ŸŸข

  • Contextual name: 🛡️ Instance in-transit encryption is disabled 🟢
  • ID: /ce/ca/oracle/compute/instance-in-transit-encryption
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

This policy identifies Oracle IAAS Instances that do not have in-transit encryption enabled for the attached boot volume.

Rationale

In-transit encryption protects storage traffic between an Oracle compute instance and its boot volume. Without this protection, data moving between the instance and the storage service may be exposed to interception or unauthorized inspection within the network path.

Enabling in-transit encryption for boot volume attachments helps maintain confidentiality for workload data and supports consistent encryption controls across compute storage connections.

Audit

This policy flags an Oracle IAAS Instance as INCOMPLIANT when the Boot Volume: PV Encryption In Transit field is set to Disabled.

Instances where Boot Volume: PV Encryption In Transit is set to Enabled are marked as COMPLIANT.

Instances where the field is empty or contains an unexpected value are marked as UNDETERMINED.

Remediation

Enable Boot Volume In-Transit Encryption

In-transit encryption for boot and block volumes is available only for virtual machine (VM) instances launched from platform images and for bare metal instances that use one of the following shapes:

  • BM.Standard.E3.128
  • BM.Standard.E4.128
  • BM.DenseIO.E4.128

In-transit encryption is not supported on other bare metal instance shapes. If the affected instance does not support changing this setting in place, recreate the instance using a supported configuration and enable in-transit encryption during instance creation.
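The audit rule above (Enabled / Disabled / anything else) and the supported-shape rule can be expressed as a small triage routine. This is an added example, not part of the policy or of any Oracle tooling; the instance records and their field names are constructed for illustration and do not mirror a real OCI API response.

```python
"""Triage of Oracle compute instances for boot-volume in-transit encryption.

Constructed example: Instance records below are made up and their field
names are assumptions modelled on the console labels quoted in the policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Bare metal shapes on which in-transit encryption is available (from the policy text).
SUPPORTED_BM_SHAPES = {"BM.Standard.E3.128", "BM.Standard.E4.128", "BM.DenseIO.E4.128"}


@dataclass
class Instance:
    name: str
    shape: str
    from_platform_image: bool                # assumed attribute: launched from a platform image
    pv_encryption_in_transit: Optional[str]  # console value: "Enabled", "Disabled", "" or other


def compliance_status(inst: Instance) -> str:
    """Apply the policy's audit rule to the 'Boot Volume: PV Encryption In Transit' field."""
    value = (inst.pv_encryption_in_transit or "").strip()
    if value == "Enabled":
        return "COMPLIANT"
    if value == "Disabled":
        return "INCOMPLIANT"
    return "UNDETERMINED"  # empty or unexpected value, per the audit text


def supports_in_transit_encryption(inst: Instance) -> bool:
    """VM instances from platform images and the three listed BM shapes support the feature."""
    if inst.shape.startswith("VM."):
        return inst.from_platform_image
    return inst.shape in SUPPORTED_BM_SHAPES


def remediation(inst: Instance) -> str:
    """Map a non-compliant instance to the remediation path described in the policy."""
    if compliance_status(inst) != "INCOMPLIANT":
        return "none"
    if supports_in_transit_encryption(inst):
        return "edit in place if the console offers the option, otherwise recreate"
    return "recreate with a supported configuration"


def audit(instances: List[Instance]) -> Dict[str, str]:
    """Return name -> compliance status for a fleet of constructed instance records."""
    return {inst.name: compliance_status(inst) for inst in instances}
```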

From Oracle Cloud Console

If the Use in-transit encryption option is available for the affected instance, update the instance configuration:

  1. Navigate to https://cloud.oracle.com/compute/instances.
  2. Select the affected instance from the audit results.
  3. Click More actions or Actions.
  4. Click Edit.
  5. Select Show Advanced Options.
  6. Enable Use in-transit encryption.
  7. Click Save changes.

If the Use in-transit encryption option is not available for the affected instance, recreate the instance with boot volume in-transit encryption enabled:



Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Oracle v3.1.0 → 💼 3.3 Ensure In-transit Encryption is enabled on Compute Instance - Level 1 (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Data Encryption | 65 | no data