Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-oci-compliance
Overview
3Dashboards
133Benchmarks
43Queries
2Variables
GitHub

Control: 3.2 Ensure default tags are used on resources

Description

Using default tags is a way to ensure all resources that support tags are tagged during creation. Tags can be based on static values or based on computed values. It is recommended to setup default tags early on to ensure all created resources will get tagged. Tags are scoped to Compartments and are inherited by Child Compartments. The recommendation is to create default tags like “CreatedBy” at the Root Compartment level to ensure all resources get tagged. When using Tags it is important to ensure that Tag Namespaces are protected by IAM Policies otherwise this will allow users to change tags or tag values. Depending on the age of the OCI Tenancy there may already be Tag defaults setup at the Root Level and no need for further action to implement this action.

Remediation

From Console

  1. Go to the Tag Namespaces page.
  2. Select the Root compartment.
  3. Click Create Namespace Definition.
  4. Create the Namespace in the Root Compartment.
  5. Click on the newly created Namespace definition.
  6. Click Create Tag Key Definition Create a Tag key definition by providing a Tag Key, Description and selecting “Static Value” for Tag Value Type .
  7. Go to the Compartments page.
  8. Select the Root compartment.
  9. Select the Tag Defaults Link.
  10. Click Create Tag Default.
  11. Create the Tag Default by providing the Tag namespace and Tag Key created previously and as the Default Value provide: ${iam.principal.name}.

From Command Line

  1. Create a Tag Namespace in the Root Compartment
oci iam tag-namespace create --compartment-id=<tenancy OCID> --name=<name> -- description=<description> --query data.{"\"Tag Namespace OCID\":id"} --output table
  1. Note the Tag Namespace OCID and use it when creating the Tag Key Definition
oci iam tag create --tag-namespace-id=<tag namespace OCID> --name=<tag namespace OCID> --description=<description> --query data.{"\"Tag Key Definition OCID\":id"} --output table
  1. Note the Tag Key Definition OCID and use it when creating the Tag Default in the Root compartment
oci iam tag-default create --compartment-id=<tenancy OCID> --tag-definitionid=<tag key definition id> --value="\${iam.principal.name}"

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_3_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_3_2 --share

SQL

This control uses a named query:

with default_tag_count as (
  select
    count(compartment_id),
    compartment_id
  from
    oci_identity_tag_default
  where
    lifecycle_state = 'ACTIVE' and value = '${iam.principal.name}'
  group by
    compartment_id
)
select
  t.tenant_id as resource,
  case
    when d.compartment_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when d.compartment_id is null then 'Default tag criteria does not meet as per CIS recommendation.'
    else 'Default tag criteria meets as CIS per recommendation.'
  end as reason
  
  , t.tenant_name as tenant
from
  oci_identity_tenancy t
  left join default_tag_count d on t.tenant_id = d.compartment_id;

Tags

category = Compliance
cis = true
cis_item_id = 3.2
cis_level = 1
cis_section_id = 3
cis_type = manual
cis_version = v1.1.0
plugin = oci
service = OCI/Identity