OBS Buckets Use Server-side Encryption with KMS-Managed Keys
Rule Details
Parameter | Description
---|---
Rule Name | obs-bucket-default-encryption-kms
Identifier | obs-bucket-default-encryption-kms
Description | If an OBS bucket does not use server-side encryption with a KMS-managed key, this bucket is non-compliant.
Tag | obs
Trigger Type | Configuration change
Filter Type | obs.buckets
Rule Parameters | specifiedKmsIdList: IDs of KMS keys. The value must be an array.
Application Scenarios
You can enable SSE-KMS for an OBS bucket, so that each object uploaded to this bucket can be encrypted using the KMS key you specified before being stored in OBS. When you download an encrypted object, OBS uses the KMS key to decrypt the object first and then returns it to you. OBS does not store the key during the encryption or decryption process. For details, see Server-Side Encryption.
Solution
Enable server-side encryption for non-compliant OBS buckets and select the SSE-KMS encryption method.
Rule Logic
- If no server-side encryption is configured for an OBS bucket, this bucket is non-compliant.
- If the server-side encryption method of an OBS bucket is SSE-OBS, this bucket is non-compliant.
- If the SSE-KMS server-side encryption of an OBS bucket uses the default key or a custom key that is not in the specified list, this bucket is non-compliant.
- If the SSE-KMS server-side encryption of an OBS bucket uses a custom key that is in the parameter list, this bucket is compliant.
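The four conditions above expressed as an evaluator, as an added example that is not the Config service's own code. The EncryptionConfig shape, the method names "SSE-OBS"/"SSE-KMS", and treating a missing key ID as "default key" are assumptions; an empty specifiedKmsIdList follows the rule literally, so no KMS key can then be compliant.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class EncryptionConfig:
    """Server-side encryption settings of one OBS bucket (assumed shape)."""
    algorithm: Optional[str]           # None, "SSE-OBS" or "SSE-KMS"
    kms_key_id: Optional[str] = None   # None: the default KMS key is in use


@dataclass
class Evaluation:
    compliant: bool
    reason: str


def evaluate_bucket(config: Optional[EncryptionConfig],
                    specified_kms_id_list: Iterable[str]) -> Evaluation:
    """Apply the rule logic to a single bucket's encryption configuration."""
    allowed = set(specified_kms_id_list)
    # Condition 1: no server-side encryption at all
    if config is None or not config.algorithm:
        return Evaluation(False, "no server-side encryption configured")
    # Condition 2: SSE-OBS uses OBS-managed keys, not KMS
    if config.algorithm == "SSE-OBS":
        return Evaluation(False, "SSE-OBS does not use a KMS-managed key")
    if config.algorithm != "SSE-KMS":
        return Evaluation(False, f"unknown encryption method {config.algorithm!r}")
    # Condition 3: default key, or custom key outside specifiedKmsIdList
    if config.kms_key_id is None:
        return Evaluation(False, "SSE-KMS uses the default key")
    if config.kms_key_id not in allowed:
        return Evaluation(False, "SSE-KMS key is not in specifiedKmsIdList")
    # Condition 4: custom key that is in the parameter list
    return Evaluation(True, "SSE-KMS with a key from specifiedKmsIdList")


def noncompliant_buckets(buckets: dict, specified_kms_id_list: Iterable[str]) -> List[str]:
    """Return the names of all buckets that fail the rule (sorted for stable output)."""
    return sorted(name for name, cfg in buckets.items()
                  if not evaluate_bucket(cfg, specified_kms_id_list).compliant)


if __name__ == "__main__":
    # Constructed sample inventory; key IDs are placeholders, not real KMS IDs.
    sample = {
        "logs": None,
        "backups": EncryptionConfig("SSE-OBS"),
        "reports": EncryptionConfig("SSE-KMS"),
        "finance": EncryptionConfig("SSE-KMS", "kms-key-OTHER"),
        "secrets": EncryptionConfig("SSE-KMS", "kms-key-APPROVED"),
    }
    for name in noncompliant_buckets(sample, ["kms-key-APPROVED"]):
        print(name, "->", evaluate_bucket(sample[name], ["kms-key-APPROVED"]).reason)
```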