Alibaba CloudOverview
Description
Enable server-side encryption (Encrypt with Service Key) for objects.
Rationale
Server-side encryption protects your data at rest.
Impact
Service key incurs an additional cost from accessing the KMS service.
Default Value
By default, objects are not encrypted.
References
Remediation guidance
Perform the following to configure the OSS bucket to use SSE-KMS:
Via the management console
- Login to the
OSS Console - Under
Buckets, select the target bucket - Click
Basic Settingin the top middle of the console - Under the Server-Side Encryption section, click on
Configure - Click
KMSand select the KMS service key (alias/acs/oss)
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Alibaba Cloud
Use Resource Directory guardrails, account baselines, and IaC modules so the secure setting is applied consistently across environments.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Server-side encryption is set to 'Encrypt with Service Key'
Connectors
Alibaba Cloud
Covered asset types
Bucket
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:null}]}){...AssetFragment}
