Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI

Enable Server-Side Encryption with Service Managed Key

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Server-Side Encryption (SSE) with the service-managed key is enabled for your Object Storage Service (OSS) buckets in order to protect your data at rest and meet regulatory requirements. Object Storage Service (OSS) provides a service-managed key identified by the alias "alias/acs/oss".

Security

In Object Storage Service, Server-Side Encryption (SSE) automatically encrypts data you upload to your buckets. OSS handles the encryption and decryption process, keeping your data secure even if someone gains access to the underlying storage. SSE represents an extra layer of security that can prevent unauthorized users from accessing sensitive or mission-critical information.

Audit

To determine if Server-Side Encryption with the service-managed key is enabled for your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  3. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  4. Click on the name (link) of the OSS bucket that you want to examine, listed in the Bucket Name column.

  5. Choose Content Security from the resource navigation panel and select Server-side Encryption.

  6. Choose Settings from the Server-side Encryption section to view the Server-Side Encryption (SSE) feature settings.

  7. For compliance, the Encryption Method must be set to KMS and the CMK value must start with alias/acs/oss. If the Encryption Method is not KMS and the CMK key alias is not alias/acs/oss, Server-Side Encryption (SSE) with the service-managed key is disabled for the selected OSS bucket.

  8. Repeat steps no. 4 - 7 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

  1. Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

  2. Run ls command (macOS/Linux/Windows) to list the OSS buckets available within your Alibaba Cloud account:

    ossutil ls -s

  3. The command output should return the name of each OSS bucket available in your cloud account:

    oss://tm-project-trail-bucket
oss://tm-project-data-bucket
oss://tm-project-app-utils
oss://tm-project-custom-logs
Bucket Number is: 4

0.235205(s) elapsed

  4. Run bucket-encryption command (macOS/Linux/Windows) to describe the Server-Side Encryption (SSE) configuration information available for the selected OSS bucket:

    ossutil bucket-encryption --method get oss://tm-project-trail-bucket

  5. The command output should return the requested configuration information:

    SSEAlgorithm: KMS
KMSMasterKeyID: abcd1234-abcd-1234-abcd-1234abcd1234
KMSDataEncryption:

  6. Run kms ListAliasesByKeyId command (macOS/Linux/Windows) to describe the alias (name) of the KMS key configured for Server-Side Encryption (SSE), returned at the previous step (if the KMSMasterKeyID value is returned):

    aliyun kms ListAliasesByKeyId --KeyId 'abcd1234-abcd-1234-abcd-1234abcd1234'

  7. The command output should return the alias information available for the specified KMS key (including the alias name):

    {
	"Aliases": {
	"Alias": [
		{
			"AliasArn": "acs:kms:eu-west-1:1234567890123456:alias/acs/rds",
			"AliasName": "alias/acs/rds",
			"KeyId": "abcd1234-abcd-1234-abcd-1234abcd1234"
		}
	]
	},
	"PageNumber": 1,
	"PageSize": 20,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 1
}

  8. Check the information returned at steps no. 5 and 7 to determine the Server-Side Encryption (SSE) feature configuration available for the selected OSS bucket. For compliance, the SSEAlgorithm must be set to KMS and the Aliases.Alias.AliasName value for the KMS key specified by KMSMasterKeyID must be "alias/acs/oss". If the SSEAlgorithm is not KMS and the Aliases.Alias.AliasName value is not "alias/acs/oss", Server-Side Encryption (SSE) with the service-managed key is disabled for the selected OSS bucket.

  9. Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To ensure that Server-Side Encryption (SSE) with the service-managed key is enabled for your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

  3. In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

  4. Click on the name (link) of the OSS bucket that you want to configure, listed in the Bucket Name column.

  5. Choose Content Security from the resource navigation panel and select Server-side Encryption.

  6. Choose Settings from the Server-side Encryption section and perform the following actions:

    1. For Encryption Method choose KMS.
    2. For Encryption Algorithm choose AES256.
    3. Select the KMS key with the alias alias/acs/oss from the CMK dropdown list.
    4. Choose Save to apply the configuration changes. This will enable Server-Side Encryption (SSE) with the service-managed key for the selected OSS bucket.

  7. Repeat steps no. 4 - 6 for each OSS bucket available in your Alibaba Cloud account.

Using ossutil

  1. Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

  2. Run bucket-encryption command (macOS/Linux/Windows) to enable Server-Side Encryption (SSE) with the service-managed key for the selected OSS bucket. Use the --kms-masterkey-id parameter to specify the ID of the service-managed key (i.e. the KMS key with the alias alias/acs/oss):

    ossutil bucket-encryption 
  --method put oss://tm-project-trail-bucket
  --sse-algorithm KMS
  --kms-masterkey-id 1234abcd-1234-abcd-1234-abcd1234abcd

  3. If the operation is successful, the command output should return the execution time, e.g.:

    0.217135(s) elapsed

  4. Repeat steps no. 2 and 3 for each OSS bucket available in your Alibaba Cloud account.

References

Publication date Apr 25, 2024

Related AlibabaCloud-OSS rules