From 6aa524c47d7cb050c487986b4e69d200bc6cdad7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Fri, 6 Mar 2026 12:21:45 +0100 Subject: [PATCH] chore(oraclecloud): enhance metadata for `filestorage` service (#9374) Co-authored-by: Daniel Barranquero --- prowler/CHANGELOG.md | 1 + ...le_system_encrypted_with_cmk.metadata.json | 34 +++++++++---------- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 53410dad24..d551aae168 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -23,6 +23,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update GitHub Organization service metadata to new format [(#10273)](https://github.com/prowler-cloud/prowler/pull/10273) - Update Oracle Cloud Compute Engine service metadata to new format [(#9371)](https://github.com/prowler-cloud/prowler/pull/9371) - Update Oracle Cloud Database service metadata to new format [(#9372)](https://github.com/prowler-cloud/prowler/pull/9372) +- Update Oracle Cloud File Storage service metadata to new format [(#9374)](https://github.com/prowler-cloud/prowler/pull/9374) --- diff --git a/prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json b/prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json index f85ca82554..75545fb401 100644 --- a/prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +++ b/prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json 
@@ -1,35 +1,35 @@
 {
 "Provider": "oraclecloud",
 "CheckID": "filestorage_file_system_encrypted_with_cmk",
- "CheckTitle": "Ensure File Storage Systems are encrypted with Customer Managed Keys",
- "CheckType": [
- "Software and Configuration Checks",
- "Industry and Regulatory Standards",
- "CIS OCI Foundations Benchmark"
- ],
+ "CheckTitle": "File Storage file system is encrypted with a customer-managed KMS key",
+ "CheckType": [],
 "ServiceName": "filestorage",
 "SubServiceName": "",
- "ResourceIdTemplate": "oci:filestorage:resource",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "OciFilestorageResource",
+ "ResourceType": "FileSystem",
 "ResourceGroup": "storage",
- "Description": "File systems should be encrypted with Customer Managed Keys (CMK) for enhanced security and control over encryption keys.",
- "Risk": "Not meeting this requirement increases security risk.",
- "RelatedUrl": "https://docs.oracle.com/en-us/iaas/",
+ "Description": "**OCI File Storage** file systems use **Customer-Managed Keys** (`CMEK`) for encryption when a KMS key is associated, instead of the default Oracle-managed encryption.",
+ "Risk": "Using provider-managed keys limits control over key lifecycle and access, weakening **confidentiality**. You cannot enforce custom rotation, revoke use, or apply granular key permissions, increasing exposure to insider misuse, legal compulsion, or compromised services. 
It may hinder **compliance** and complicate incident response.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/oci/OCI-FileStorage/file-storage-systems-encrypted-with-cmks.html",
+ "https://docs.oracle.com/en-us/iaas/Content/File/Tasks/encrypt-file-system.htm"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "oci fs file-system update --file-system-id --kms-key-id ",
 "NativeIaC": "",
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-FileStorage/file-storage-systems-encrypted-with-cmks.html",
- "Terraform": ""
+ "Other": "1. Sign in to the OCI Console\n2. Go to Storage > File Storage > File Systems and select the target file system\n3. In the Encryption section, click Edit (or Change key)\n4. Select Customer-managed key, choose the Vault and KMS key\n5. Click Save to apply",
+ "Terraform": "```hcl\nresource \"oci_file_storage_file_system\" \"\" {\n availability_domain = \"\"\n compartment_id = \"\"\n kms_key_id = \"\" # Critical: associates a customer-managed KMS key to encrypt the file system\n}\n```"
 },
 "Recommendation": {
- "Text": "Ensure File Storage Systems are encrypted with Customer Managed Keys",
- "Url": "https://hub.prowler.com/check/oci/filestorage_file_system_encrypted_with_cmk"
+ "Text": "Encrypt file systems with **Customer-Managed Keys** in OCI KMS. Apply **least privilege** on key usage, enable periodic rotation, and require dual control for key administration. Monitor key activity with centralized logging. Use **defense in depth** by combining `CMEK` with network isolation and strong access governance.",
+ "Url": "https://hub.prowler.com/check/filestorage_file_system_encrypted_with_cmk"
 }
 },
 "Categories": [
- "security-configuration"
+ "encryption"
 ],
 "DependsOn": [],
 "RelatedTo": [],
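Review bot: The new `CLI`, `Other` and `Terraform` remediation entries only associate a KMS key with the file system and none of them mention the IAM policy that lets the File Storage service use keys in the key's compartment, which as far as I know OCI requires before the key assignment is accepted; a first step such as `Create an IAM policy allowing the File Storage service to use keys in the compartment of the chosen KMS key` in the `Other` list (and a note in the Terraform comment) would make the remediation complete. The `CLI` value `oci fs file-system update --file-system-id --kms-key-id ` has no value after either flag and the `Terraform` snippet has an empty resource name, `availability_domain`, `compartment_id` and `kms_key_id`; if these were angle-bracket placeholders lost in rendering they are fine, otherwise explicit placeholders for the file system OCID and KMS key OCID should be restored so the command is not copied as-is. The new `Recommendation.Url` drops the `oci/` path segment present on the removed line, so it is worth confirming it matches the URL form used by the sibling Oracle Cloud metadata updates (#9371, #9372). `Description` and `Recommendation.Text` say `CMEK` while `CheckID` and `CheckTitle` say CMK / customer-managed KMS key; settling on one term keeps the metadata consistent.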