OCI Compute Instance boot volume has in-transit data encryption disabled
Description
This policy identifies OCI Compute Instances whose boot or block volumes have in-transit data encryption disabled. Compute Instance boot and block volumes should be configured with in-transit data encryption (the `is_pv_encryption_in_transit_enabled` launch option, which applies to paravirtualized volume attachments) to reduce the risk of sensitive data being exposed while it moves between the instance and the Block Volume service.
Code Example
```hcl
resource "oci_core_instance" "pass" {
  ...
  ipxe_script                         = var.instance_ipxe_script
  is_pv_encryption_in_transit_enabled = var.instance_is_pv_encryption_in_transit_enabled

  launch_options {
    boot_volume_type                    = var.instance_launch_options_boot_volume_type
    firmware                            = var.instance_launch_options_firmware
    is_consistent_volume_naming_enabled = var.instance_launch_options_is_consistent_volume_naming_enabled
    # This is the setting the check inspects; set it to an explicit true.
    is_pv_encryption_in_transit_enabled = true
    network_type                        = var.instance_launch_options_network_type
    remote_data_volume_type             = var.instance_launch_options_remote_data_volume_type
  }
  ...
}
```
Remediation
OCI Console
1. Log in to the OCI Console.
2. Type the resource reported in the alert into the Search box at the top of the Console.
3. Click the resource reported in the alert in the Resources submenu.
4. Click Edit.
5. Click Show Advanced Options.
6. Select USE IN-TRANSIT ENCRYPTION.
7. Click Save Changes.
Note: to update the instance properties, the instance must be rebooted.
Fix - Buildtime
Terraform
- Resource: oci_core_instance
- Arguments: is_pv_encryption_in_transit_enabled
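The check can also be applied to the `TerraformPlan` framework listed below, i.e. to the JSON that `terraform show -json` emits. The following is an added example, not Checkov's or Prisma Cloud's own code: it walks a constructed plan document (`SAMPLE_PLAN`, embedded inline so it runs offline) and reports every `oci_core_instance` that would exist after apply without `launch_options.is_pv_encryption_in_transit_enabled = true`. It deliberately treats a missing `launch_options` block, or a missing attribute, the same as an explicit `false`, since anything not provably enabled should be flagged.

```python
"""Flag oci_core_instance resources in a Terraform plan JSON whose boot volume
lacks in-transit (paravirtualized) encryption. Added example; assumes the
plan shape produced by `terraform show -json` (resource_changes[].change.after).
"""
import json

RESOURCE_TYPE = "oci_core_instance"
ATTR = "is_pv_encryption_in_transit_enabled"

# Constructed sample plan: one compliant instance, one explicitly disabled,
# one that omits the setting entirely, and one unrelated resource.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "oci_core_instance.pass", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"], "after": {
             "display_name": "web-1",
             "launch_options": [{ATTR: True, "network_type": "PARAVIRTUALIZED"}]}}},
        {"address": "oci_core_instance.fail_false", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"], "after": {
             "display_name": "web-2",
             "launch_options": [{ATTR: False}]}}},
        {"address": "oci_core_instance.fail_missing", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"], "after": {
             "display_name": "web-3"}}},
        {"address": "oci_core_volume.data", "type": "oci_core_volume",
         "change": {"actions": ["create"], "after": {"size_in_gbs": 50}}},
    ],
})


def in_transit_encryption_enabled(after) -> bool:
    """True only when a launch_options block explicitly sets the flag to true.

    A missing launch_options block, a missing attribute, or a non-boolean
    value (e.g. an unresolved variable) is treated as failing.
    """
    if not isinstance(after, dict):
        return False
    blocks = after.get("launch_options") or []
    if isinstance(blocks, dict):  # tolerate a single-object form
        blocks = [blocks]
    return any(isinstance(b, dict) and b.get(ATTR) is True for b in blocks)


def find_unencrypted_instances(plan_json: str) -> list:
    """Return the addresses of oci_core_instance resources that would be
    created or updated without in-transit encryption."""
    plan = json.loads(plan_json)
    failing = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # resource will not exist after apply
        if not in_transit_encryption_enabled(change.get("after")):
            failing.append(rc["address"])
    return failing


if __name__ == "__main__":
    for address in find_unencrypted_instances(SAMPLE_PLAN):
        print(f"FAIL CKV_OCI_4: {address}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `find_unencrypted_instances`; a non-empty result is a build-time gate failure.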
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1231 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_OCI_4 |