Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI

Enable Server-Side Encryption with Customer Managed Key

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Server-Side Encryption (SSE) is using customer-managed keys (CMKs) instead of service-managed keys to protect your OSS data at rest. SSE with customer-managed keys (also known as Bring Your Own Key - BYOK) enables you to have full control over the encryption and decryption process and meet strict compliance requirements.

Security

Using Server-Side Encryption (SSE) with customer-managed keys (CMKs) allows you to set your own encryption keys and have full control over who can use these keys to access your Object Storage Service (OSS) data. Customer-managed keys (CMKs) are managed by Alibaba Cloud Key Management Service (KMS). KMS is a highly secure and scalable key management service that allows you to easily encrypt, store, and manage your cryptographic keys. It helps you protect your sensitive data from unauthorized access and theft.

Audit

To determine if Server-Side Encryption with customer-managed keys is enabled for your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  3. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  4. Click on the name (link) of the OSS bucket that you want to examine, listed in the Bucket Name column.

  5. Choose Content Security from the resource navigation panel and select Server-side Encryption.

  6. Choose Settings from the Server-side Encryption section to view the Server-Side Encryption (SSE) feature settings.

  7. For compliance, the Encryption Method must be set to KMS and the CMK value must be the ID of a customer-managed key (CMK). To determine the type of the KMS key used by Server-side Encryption, copy the key ID specified by the CMK, navigate to Key Management Service console available at https://yundun.console.aliyun.com/?p=kms#/overview, and choose Keys under Resource.

  8. Select the Keys tab, paste the key ID copied at the previous step into the Key ID box, and press Enter.

  9. Click on the name (link) of the resulted KMS key, listed in the Key column.

  10. Check the Created By attribute value to determine the KMS key creator. If the key creator is not a customer/user, the selected KMS key is not a customer-managed key (CMK), therefore Server-Side Encryption (SSE) with customer-managed keys (CMKs) is disabled for the selected OSS bucket.

  11. Repeat steps no. 4 - 10 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

  1. Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

  2. Run ls command (macOS/Linux/Windows) to list the OSS buckets available within your Alibaba Cloud account:

    ossutil ls -s

  3. The command output should return the name of each OSS bucket available in your cloud account:

    oss://tm-project-trail-bucket
oss://tm-project-data-bucket
oss://tm-project-app-utils
oss://tm-project-custom-logs
Bucket Number is: 4

0.235205(s) elapsed

  4. Run bucket-encryption command (macOS/Linux/Windows) to describe the Server-Side Encryption (SSE) configuration information available for the selected OSS bucket:

    ossutil bucket-encryption --method get oss://tm-project-trail-bucket

  5. The command output should return the requested configuration information:

    SSEAlgorithm: KMS
KMSMasterKeyID: abcd1234-abcd-1234-abcd-1234abcd1234
KMSDataEncryption:

  6. Run kms DescribeKey command (macOS/Linux/Windows) to describe the KMS key configured for Server-Side Encryption (SSE), returned at the previous step (if the KMSMasterKeyID value is returned):

    aliyun kms DescribeKey --KeyId 'abcd1234-abcd-1234-abcd-1234abcd1234'

  7. The command output should return the information available for the specified KMS key (including the key creator):

    {
	"KeyMetadata": {
		"Arn": "acs:kms:eu-west-1:1234567890123456:key/abcd1234-abcd-1234-abcd-1234abcd1234",
		"AutomaticRotation": "Disabled",
		"CreationDate": "2024-01-26T11:19:27Z",
		"Creator": "Rds",
		"DeleteDate": "",
		"DeletionProtection": "Disabled",
		"Description": "",
		"KeyId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"KeySpec": "Aliyun_AES_256",
		"KeyState": "Enabled",
		"KeyUsage": "ENCRYPT/DECRYPT",
		"LastRotationDate": "2024-01-26T11:20:27Z",
		"MaterialExpireTime": "",
		"Origin": "Aliyun_KMS",
		"PrimaryKeyVersion": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"ProtectionLevel": "SOFTWARE"
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

    Check the KeyMetadata.Creator attribute value to determine the KMS key creator. If the key creator is a cloud service and not a customer/user, as shown in the example above, the KMS key specified by KMSMasterKeyID is not a customer-managed key (CMK).

  8. Check the information returned at steps no. 5 and 7 to determine the Server-Side Encryption (SSE) feature configuration available for the selected OSS bucket. For compliance, the SSEAlgorithm must be set to KMS and the KMSMasterKeyID must be the ID of a customer-managed key (CMK). If the SSEAlgorithm is not KMS and the KMSMasterKeyID is not the ID of a CMK, Server-Side Encryption (SSE) with customer-managed keys (CMKs) is disabled for the selected OSS bucket.

  9. Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To ensure that Server-Side Encryption (SSE) with customer-managed keys (CMKs) is enabled for your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  3. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  4. Click on the name (link) of the OSS bucket that you want to configure, listed in the Bucket Name column.

  5. Choose Content Security from the resource navigation panel and select Server-side Encryption.

  6. Choose Settings from the Server-side Encryption section and perform the following actions:

    1. For Encryption Method choose KMS.
    2. For Encryption Algorithm choose AES256.
    3. Choose your own KMS customer-managed key (CMK) from the CMK dropdown list.
    4. Choose Save to apply the configuration changes. This will enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected OSS bucket.

  7. Repeat steps no. 4 - 6 for each OSS bucket available in your Alibaba Cloud account.

Using ossutil

  1. Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

  2. Run bucket-encryption command (macOS/Linux/Windows) to enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected OSS bucket. Use the --kms-masterkey-id command parameter to specify the ID of your own KMS customer-managed key (CMK):

    ossutil bucket-encryption 
  --method put oss://tm-project-trail-bucket 
  --sse-algorithm KMS  
  --kms-masterkey-id 1234abcd-1234-abcd-1234-abcd1234abcd

  3. If the operation is successful, the command output should return the execution time, e.g.:

    0.218990(s) elapsed

  4. Repeat steps no. 2 and 3 for each OSS bucket available in your Alibaba Cloud account.

References

Publication date Apr 25, 2024

Related AlibabaCloud-OSS rules