Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-oci-compliance
Overview
3Dashboards
133Benchmarks
43Queries
2Variables
GitHub

Control: 3.6 Ensure a notification is configured for IAM group changes

Description

It is recommended to setup an Event Rule and Notification that gets triggered when IAM Groups are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.

Remediation

From Console

  1. Go to the Events Service page.
  2. Select the compartment that should host the rule.
  3. Click Create Rule.
  4. Provide a Display Name and Description.
  5. Create a Rule Condition by selecting Identity in the Service Name Drop-down and selecting Group – Create, Group – Delete and Group – Update.
  6. In the Actions section select Notifications as Action Type.
  7. Select the Compartment that hosts the Topic to be used.
  8. Select the Topic to be used.
  9. Optionally add Tags to the Rule.
  10. Click Create Rule.

From Command Line

  1. Find the topic-id of the Event Rule which should be used for sending Notifications by using the topic name and Compartment OCID.
oci ons topic list --compartment-id=<compartment OCID> --all --query "data [?name=='<topic_name>']".{"name:name,topic_id:\"topic-id\""} --output table
  1. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.
{
  "actions":
  {
    "actions": [
    {
      "actionType": "ONS",
      "isEnabled": true,
      "topicId": "<topic id>"
    }]
  },
  "condition":
"{\"eventType\":[\"com.oraclecloud.identitycontrolplane.creategroup\",\"com.oraclecloud.identitycontrolplane.deletegroup\",\"com.oraclecloud.identitycontrolplane.updategroup\"],\"data\":{}}",
  "displayName": "<display name>",
  "description": "<description>",
  "isEnabled": true,
  "compartmentId": "compartment OCID"
}
  1. Create the actual event rule.
oci events rule create --from-json file://event_rule.json
  1. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_3_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_3_6 --share

SQL

This control uses a named query:

select
  distinct t.id as resource,
  case
    when c.name is not null then 'skip'
    when condition -> 'eventType' ?& array
      ['com.oraclecloud.identitycontrolplane.creategroup',
      'com.oraclecloud.identitycontrolplane.deletegroup',
      'com.oraclecloud.identitycontrolplane.updategroup']
      and a ->> 'actionType' = 'ONS'
      and t.lifecycle_state = 'ACTIVE'
      and t.is_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when c.name is not null then c.name || ' not a root compartment.'
    when condition -> 'eventType' ?& array
      ['com.oraclecloud.identitycontrolplane.creategroup',
      'com.oraclecloud.identitycontrolplane.deletegroup',
      'com.oraclecloud.identitycontrolplane.updategroup']
      and a ->> 'actionType' = 'ONS'
      and t.lifecycle_state = 'ACTIVE'
      and t.is_enabled then t.title || ' configured for IAM group changes.'
    else t.title || ' not configured for IAM group changes.'
  end as reason
  
  , t.region as region, t.tenant_name as tenant
  , coalesce(c.name, 'root') as compartment
from
  oci_events_rule t
  left join oci_identity_compartment as c on c.id = t.compartment_id,
  jsonb_array_elements(actions) as a;

Tags

category = Compliance
cis = true
cis_item_id = 3.6
cis_level = 1
cis_section_id = 3
cis_type = manual
cis_version = v1.1.0
plugin = oci
service = OCI/ONS