Alibaba CloudOverview
Description
Enable server-side encryption (Encrypt with BYOK) for objects.
Rationale
Server-side encryption protects your data at rest.
Impact
Service key incurs an additional cost from accessing the KMS service.
Default Value
By default, Buckets are not set to be encrypted.
References
Remediation guidance
Perform the following to configure the OSS bucket to use SSE-KMS:
Via the management console
- Login to the
OSS Console - Under
Buckets, select the target bucket - Click
Basic Settingin the top middle of the console - Under the Server-Side Encryption section, click on
Configure - Click
KMSand select an existing CMK from the KMS key ID drop-down menu
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Server-side encryption is set to 'Encrypt with BYOK'
Connectors
Alibaba Cloud
Covered asset types
Bucket
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:{managementType:"ProviderManaged"}}]}){...AssetFragment}
