
Ensure that EBS volumes used by cluster nodes are encrypted

An XCCDF Rule

Description

OpenShift MachineSets can be configured to enable EBS encryption on the EBS volumes backing cluster nodes. With EBS encryption enabled, the volume contents are encrypted at rest using an AWS KMS key: the account's default aws/ebs key unless a specific key is named in the MachineSet's providerSpec.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • the /apis/machine.openshift.io/v1beta1/machinesets?limit=500 API endpoint, filtered with the jq utility using the filter [.items[] | .spec.template.spec.providerSpec.value.blockDevices[0].ebs.encrypted] | map(. == true), and persisted to the local /apis/machine.openshift.io/v1beta1/machinesets?limit=500#06ea2adfb5429a7351e7bd78b7ec378225e0d3256c4c9e4e3b2ce59900959267 file. Note that this filter inspects only the first block device (the root volume) of each MachineSet template; any additional data volumes declared in blockDevices are not evaluated by this rule.
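The following is an added example, not part of the ComplianceAsCode rule or its OVAL check. It embeds a constructed MachineSet list shaped like the response from the machinesets endpoint (the providerSpec field names blockDevices[].ebs.encrypted and ebs.kmsKey.arn are the real AWS provider fields; the MachineSet names, account ID and key ID are made up), evaluates it exactly as the jq filter above does (first block device only), and also shows a stricter variant that checks every block device and reports whether a customer-managed KMS key is named. The helper and function names are the example's own.

```python
import json
import sys

# Constructed MachineSet list, shaped like the response from
# /apis/machine.openshift.io/v1beta1/machinesets. Not real cluster data.
MACHINESETS_JSON = json.dumps({
    "apiVersion": "machine.openshift.io/v1beta1",
    "kind": "MachineSetList",
    "items": [
        {   # compliant: root volume encrypted with a customer-managed KMS key
            "metadata": {"name": "demo-worker-us-east-1a", "namespace": "openshift-machine-api"},
            "spec": {"template": {"spec": {"providerSpec": {"value": {"blockDevices": [
                {"ebs": {"volumeSize": 120, "volumeType": "gp3", "encrypted": True,
                         "kmsKey": {"arn": "arn:aws:kms:us-east-1:111122223333:key/"
                                           "00000000-0000-0000-0000-000000000000"}}},
            ]}}}}},
        },
        {   # root volume encrypted (default aws/ebs key), but an extra data volume is not
            "metadata": {"name": "demo-worker-us-east-1b", "namespace": "openshift-machine-api"},
            "spec": {"template": {"spec": {"providerSpec": {"value": {"blockDevices": [
                {"ebs": {"volumeSize": 120, "volumeType": "gp3", "encrypted": True}},
                {"deviceName": "/dev/xvdb",
                 "ebs": {"volumeSize": 500, "volumeType": "gp3", "encrypted": False}},
            ]}}}}},
        },
        {   # non-compliant: the field is absent, so encryption cannot be shown to be on
            "metadata": {"name": "demo-infra-us-east-1c", "namespace": "openshift-machine-api"},
            "spec": {"template": {"spec": {"providerSpec": {"value": {"blockDevices": [
                {"ebs": {"volumeSize": 300, "volumeType": "gp3"}},
            ]}}}}},
        },
    ],
})


def block_devices(machineset):
    """Return the blockDevices list of a MachineSet template, or [] if the path is missing."""
    try:
        return machineset["spec"]["template"]["spec"]["providerSpec"]["value"]["blockDevices"]
    except (KeyError, TypeError):
        return []


def root_ebs_encrypted(machineset):
    """Mirror the rule's jq path ...blockDevices[0].ebs.encrypted.

    Returns the stored value (True/False) or None where jq would yield null.
    """
    devices = block_devices(machineset)
    if not devices:
        return None
    try:
        return devices[0]["ebs"]["encrypted"]
    except (KeyError, TypeError):
        return None


def evaluate_rule(dump):
    """Per-MachineSet result of the rule's filter, i.e. map(. == true) over the root volume."""
    items = json.loads(dump)["items"]
    return {ms["metadata"]["name"]: root_ebs_encrypted(ms) is True for ms in items}


def evaluate_strict(dump):
    """Stricter variant (beyond the rule): every EBS block device must be encrypted.

    Returns {name: (all_encrypted, customer_managed_key_named)}.
    """
    results = {}
    for ms in json.loads(dump)["items"]:
        ebs_specs = [d.get("ebs", {}) for d in block_devices(ms)]
        all_encrypted = bool(ebs_specs) and all(e.get("encrypted") is True for e in ebs_specs)
        has_cmk = any(e.get("kmsKey", {}).get("arn") for e in ebs_specs)
        results[ms["metadata"]["name"]] = (all_encrypted, has_cmk)
    return results


def rule_passes(dump):
    """Whole-cluster verdict for the rule. An empty MachineSet list is treated as a failure
    here; that is this example's choice, not something the rule text specifies."""
    per_set = evaluate_rule(dump)
    return bool(per_set) and all(per_set.values())


if __name__ == "__main__":
    # Usage: oc get machinesets -n openshift-machine-api -o json | python3 ebs_check.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else MACHINESETS_JSON
    for name, ok in evaluate_rule(dump).items():
        strict_ok, cmk = evaluate_strict(dump)[name]
        print(f"{name}: rule={'pass' if ok else 'FAIL'} all-devices={'pass' if strict_ok else 'FAIL'} "
              f"customer-managed-key={'yes' if cmk else 'no'}")
    print("rule verdict:", "pass" if rule_passes(dump) else "FAIL")
```

Note the second MachineSet: the rule as written passes it, because only blockDevices[0] is inspected, while the stricter check flags the unencrypted data volume.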

Rationale

Enabling encryption on the EBS volumes used by cluster nodes, and by worker nodes in particular, helps protect any cardholder data that might be persisted on those volumes. Only principals that IAM and KMS key policies authorize to use the KMS key can read or alter the data on those volumes at rest. Because a MachineSet's providerSpec applies only to Machines created from it afterwards, nodes that already exist keep their unencrypted volumes until they are replaced.

ID
xccdf_org.ssgproject.content_rule_ebs_encryption_enabled_on_machinesets
Severity
High
References
Updated