
Ensure that EBS volumes declared in storageclasses are encrypted

An XCCDF Rule

Description

OpenShift StorageClasses can be configured to enable EBS encryption on EBS volumes that are used later as persistent volumes. By using EBS encryption, disk contents are encrypted using an AWS KMS key.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and retrieve the following:
  • the /apis/storage.k8s.io/v1/storageclasses API endpoint, filtered with the jq utility using the filter [.items[] | select (.provisioner == "kubernetes.io/aws-ebs" or .provisioner == "ebs.csi.aws.com")] | map(.parameters.encrypted), and persisted to the local /apis/storage.k8s.io/v1/storageclasses#3e3f126438c7acfff7ad59d8faedab98eb07303ab73fb4602e3d01e9800d29f1 file.
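The following Python script is an added illustration, not part of the rule or of the ComplianceAsCode project's own check: it reproduces the jq filter above over a constructed (not real) StorageClass list in the shape returned by the /apis/storage.k8s.io/v1/storageclasses endpoint, and then decides PASS/FAIL the way an operator reviewing the dump would. The sample StorageClass names, the placeholder KMS key ARN and the EFS file system id are made up for the example; `encrypted` and `kmsKeyId` are the real StorageClass parameters for both EBS provisioners.

```python
"""Evaluate the storageclass_encryption_enabled check over a StorageClass list.

Mirrors the rule's jq filter:
  [.items[] | select(.provisioner == "kubernetes.io/aws-ebs"
                     or .provisioner == "ebs.csi.aws.com")]
  | map(.parameters.encrypted)
"""
import json

# The two EBS provisioners the rule selects on (in-tree and CSI driver).
EBS_PROVISIONERS = {"kubernetes.io/aws-ebs", "ebs.csi.aws.com"}

# Constructed sample of a StorageClass list, trimmed to the fields the check
# needs. This is NOT a dump from a real cluster.
SAMPLE_STORAGECLASS_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # EBS CSI driver, encryption on, customer-managed KMS key (placeholder ARN)
            "metadata": {"name": "gp3-csi"},
            "provisioner": "ebs.csi.aws.com",
            "parameters": {"type": "gp3", "encrypted": "true",
                           "kmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE-KEY-ID"},
        },
        {   # in-tree provisioner, encryption explicitly disabled
            "metadata": {"name": "gp2-plain"},
            "provisioner": "kubernetes.io/aws-ebs",
            "parameters": {"type": "gp2", "encrypted": "false"},
        },
        {   # in-tree provisioner, 'encrypted' parameter absent: jq yields null here
            "metadata": {"name": "gp2-default"},
            "provisioner": "kubernetes.io/aws-ebs",
            "parameters": {"type": "gp2"},
        },
        {   # non-EBS provisioner: dropped by the filter, so it cannot affect the result
            "metadata": {"name": "efs-sc"},
            "provisioner": "efs.csi.aws.com",
            "parameters": {"fileSystemId": "fs-EXAMPLE"},
        },
    ],
})


def ebs_encrypted_values(storageclass_list_json):
    """Equivalent of the rule's jq filter: one entry per EBS-backed StorageClass,
    holding its parameters.encrypted value (None where the parameter is absent,
    matching jq's null)."""
    doc = json.loads(storageclass_list_json)
    return [
        sc.get("parameters", {}).get("encrypted")
        for sc in doc.get("items", [])
        if sc.get("provisioner") in EBS_PROVISIONERS
    ]


def failing_storageclasses(storageclass_list_json):
    """Names of EBS-backed StorageClasses whose 'encrypted' parameter is not "true".

    An absent parameter is treated as failing here: the StorageClass then makes
    no encryption guarantee of its own, and the check cannot prove the volumes
    it provisions are encrypted."""
    doc = json.loads(storageclass_list_json)
    return [
        sc["metadata"]["name"]
        for sc in doc.get("items", [])
        if sc.get("provisioner") in EBS_PROVISIONERS
        and str(sc.get("parameters", {}).get("encrypted", "")).lower() != "true"
    ]


def rule_passes(storageclass_list_json):
    """PASS only when every EBS-backed StorageClass sets encrypted: "true"."""
    return not failing_storageclasses(storageclass_list_json)


if __name__ == "__main__":
    print("jq-equivalent values:", ebs_encrypted_values(SAMPLE_STORAGECLASS_LIST))
    print("failing StorageClasses:", failing_storageclasses(SAMPLE_STORAGECLASS_LIST))
    print("rule result:", "PASS" if rule_passes(SAMPLE_STORAGECLASS_LIST) else "FAIL")
```

Against a real cluster, the input would be the JSON saved from the API endpoint named above; note that the rule's jq filter only reports the parameter values, so the decision of whether a null (absent) value counts as a finding, as it does here, is the reviewer's to make.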

Rationale

Enabling encryption on EBS storage used as PersistentVolumes helps protect any cardholder data that might be persisted on those EBS volumes. Only authorized AWS resources will be able, through IAM policies, to use the KMS key to eventually read or alter data on those volumes.

ID
xccdf_org.ssgproject.content_rule_storageclass_encryption_enabled
Severity
High
References
Updated