Alibaba CloudOverview
Description
Enable server-side encryption (Encrypt with BYOK) for objects.
Rationale
Server-side encryption protects your data at rest.
Impact
Service key incurs an additional cost from accessing the KMS service.
Default Value
By default, Buckets are not set to be encrypted.
References
Remediation guidance
Perform the following to configure the OSS bucket to use SSE-KMS:
Via the management console
- Login to the
OSS Console - Under
Buckets, select the target bucket - Click
Basic Settingin the top middle of the console - Under the Server-Side Encryption section, click on
Configure - Click
KMSand select an existing CMK from the KMS key ID drop-down menu
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Alibaba Cloud
Use Resource Directory guardrails, account baselines, and IaC modules so the secure setting is applied consistently across environments.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Server-side encryption is set to 'Encrypt with BYOK'
Connectors
Alibaba Cloud
Covered asset types
Bucket
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:{managementType:"ProviderManaged"}}]}){...AssetFragment}
