Alibaba Cloud OSS bucket is not encrypted with Customer Master Key
Description
This policy ensures that Alibaba Cloud OSS (Object Storage Service) buckets are encrypted using a Customer Master Key (CMK). Encrypting buckets with a CMK enhances data security by providing granular control over key management, including key rotation, access policies, and auditing.
Failing to use a CMK for encryption can increase the risk of unauthorized access to sensitive data and make it harder to meet compliance and security requirements.
Code Example
go
resource "alicloud_oss_bucket" "example" {
...
server_side_encryption_rule {
+ kms_master_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab" # Replace with your CMK ID
}
}Remediation
Terraform
- Resource: alicloud_oss_bucket
- Arguments: server_side_encryption_rule.kms_master_key_id
To mitigate this issue, ensure the `server_side_encryption_rule.kms_master_key_id` attribute is configured with a valid CMK ID in the `alicloud_oss_bucket` resource.
Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0006 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_ALI_6 |