Control: 4.6 Ensure a notification is configured for IAM policy changes
Description
It is recommended to set up an Event Rule and Notification that is triggered when IAM Policies are created, updated or deleted. Event Rules are compartment scoped and detect events in child compartments, so the rule should be created at the root compartment level to cover the whole tenancy.
IAM Policies govern access to all resources within an OCI Tenancy. Monitoring and alerting on changes to IAM policies will help in identifying changes to the security posture.
Remediation
From Console
- Go to the Events Service page.
- Select the compartment that should host the rule.
- Click Create Rule.
- Provide a Display Name and Description.
- Create a Rule Condition by selecting Identity in the Service Name drop-down and selecting Policy – Change Compartment, Policy – Create, Policy – Delete and Policy – Update.
- In the Actions section select Notifications as Action Type.
- Select the Compartment that hosts the Topic to be used.
- Select the Topic to be used.
- Optionally add Tags to the Rule.
- Click Create Rule.
From CLI
- Find the topic-id of the Topic that the Event Rule should use for sending Notifications, using the topic name and Compartment OCID.
oci ons topic list --compartment-id <compartment OCID> --all --query "data[?name=='<topic_name>'].{name:name,topic_id:\"topic-id\"}" --output table
- Create a JSON file (for example event_rule.json) to be used when creating the Event Rule. Replace the topic id, display name, description and compartment OCID. The API's condition field is a string, so the event filter is embedded as an escaped JSON string rather than a nested object.
{
  "actions": {
    "actions": [
      {
        "actionType": "ONS",
        "isEnabled": true,
        "topicId": "<topic id>"
      }
    ]
  },
  "condition": "{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createpolicy\",\"com.oraclecloud.identitycontrolplane.deletepolicy\",\"com.oraclecloud.identitycontrolplane.updatepolicy\"],\"data\":{}}",
  "displayName": "<display name>",
  "description": "<description>",
  "isEnabled": true,
  "compartmentId": "<compartment OCID>"
}
- Create the actual event rule.
oci events rule create --from-json file://event_rule.json
- Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule.
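The CLI steps above, scripted end to end as an added example (not Oracle's tooling and not part of this mod). It assumes a working oci CLI and profile; find_topic_id and build_rule_details are names chosen here, and the topic listing at the bottom is constructed so that the two pure functions can be exercised without a tenancy.

```python
"""Scripted CIS 4.6 remediation: look up the topic OCID, build the CreateRuleDetails
document, and create the rule with the OCI CLI.

Added example, not Oracle's or Powerpipe's code. Shells out to the real `oci` CLI,
which is assumed to be installed and configured. SAMPLE_TOPIC_LIST is constructed.
"""
import json
import subprocess
import tempfile

IAM_POLICY_EVENT_TYPES = [
    "com.oraclecloud.identitycontrolplane.createpolicy",
    "com.oraclecloud.identitycontrolplane.deletepolicy",
    "com.oraclecloud.identitycontrolplane.updatepolicy",
]


def find_topic_id(topic_list, topic_name):
    """Pick the topic OCID out of parsed `oci ons topic list --output json` output by
    exact name. Raises if the name is absent or ambiguous instead of taking the first hit."""
    matches = [t["topic-id"] for t in topic_list["data"] if t.get("name") == topic_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one topic named {topic_name!r}, found {len(matches)}")
    return matches[0]


def build_rule_details(topic_id, compartment_id, display_name, description):
    """Build the document for `oci events rule create --from-json`. The API's `condition`
    field is a string, so the filter is serialised separately and embedded as text."""
    condition = {"eventType": IAM_POLICY_EVENT_TYPES, "data": {}}
    return {
        "actions": {"actions": [{"actionType": "ONS", "isEnabled": True, "topicId": topic_id}]},
        "condition": json.dumps(condition, separators=(",", ":")),
        "displayName": display_name,
        "description": description,
        "isEnabled": True,
        "compartmentId": compartment_id,
    }


def run_oci(args):
    """Run one oci CLI command and return its parsed JSON output; raises on non-zero exit."""
    proc = subprocess.run(["oci", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def create_iam_policy_rule(compartment_id, topic_name,
                           display_name="iam-policy-changes",
                           description="Notify on IAM policy create, update and delete"):
    """The three CLI steps in order: topic lookup, JSON file, rule creation.
    Returns the OCID of the new Event Rule, which the create call echoes back."""
    topics = run_oci(["ons", "topic", "list", "--compartment-id", compartment_id, "--all"])
    topic_id = find_topic_id(topics, topic_name)
    details = build_rule_details(topic_id, compartment_id, display_name, description)
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(details, fh)
        path = fh.name
    rule = run_oci(["events", "rule", "create", "--from-json", f"file://{path}"])
    return rule["data"]["id"]


# Constructed stand-in for `oci ons topic list --output json` (placeholder OCIDs).
SAMPLE_TOPIC_LIST = {"data": [
    {"name": "ops-alerts", "topic-id": "ocid1.onstopic.oc1.iad.aaaaops"},
    {"name": "security-alerts", "topic-id": "ocid1.onstopic.oc1.iad.aaaasec"},
]}

if __name__ == "__main__":
    import sys
    # usage: python create_rule.py <root compartment OCID> <topic name>
    print(create_iam_policy_rule(sys.argv[1], sys.argv[2]))
```

Run it with the tenancy OCID as the compartment so the rule lands at the root, which is what the control expects. The create call returns the full rule document, so anything beyond the OCID (lifecycle state, the condition string as stored) can be checked from the same response.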
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_4_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_4_6 --share
SQL
This control uses a named query:
select distinct
  t.id as resource,
  case
    when c.name is not null then 'skip'
    when condition -> 'eventType' ?& array [
        'com.oraclecloud.identitycontrolplane.createpolicy',
        'com.oraclecloud.identitycontrolplane.deletepolicy',
        'com.oraclecloud.identitycontrolplane.updatepolicy'
      ]
      and a ->> 'actionType' = 'ONS'
      and t.lifecycle_state = 'ACTIVE'
      and t.is_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when c.name is not null then c.name || ' not a root compartment.'
    when condition -> 'eventType' ?& array [
        'com.oraclecloud.identitycontrolplane.createpolicy',
        'com.oraclecloud.identitycontrolplane.deletepolicy',
        'com.oraclecloud.identitycontrolplane.updatepolicy'
      ]
      and a ->> 'actionType' = 'ONS'
      and t.lifecycle_state = 'ACTIVE'
      and t.is_enabled then t.title || ' configured for IAM policy changes.'
    else t.title || ' not configured for IAM policy changes.'
  end as reason,
  t.region as region,
  t.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_events_rule t
  left join oci_identity_compartment as c on c.id = t.compartment_id,
  jsonb_array_elements(actions) as a;
The query evaluates each existing rule: rules in a child compartment are reported as skip, and a tenancy with no Event Rules at all produces no rows rather than an alarm, so an empty result is not a pass.
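The same classification as the query, re-implemented over `oci events rule list` output as an added example (not Powerpipe's query or Oracle's code) so the logic can be run without Steampipe. It assumes the kebab-case JSON the OCI CLI prints with --output json, and that a rule is at the root when its compartment-id equals the tenancy OCID. It goes beyond the query in two places, both named in the comments: it also requires the ONS action itself to be enabled, and it raises a tenancy-level alarm when no root-level rule passes. The three rules at the bottom are constructed fixtures.

```python
"""Offline re-implementation of the control's query over `oci events rule list` output.

Added example, not Powerpipe's query or Oracle's code. Assumes the kebab-case JSON shape
of the OCI CLI and that the root compartment's OCID is the tenancy OCID. SAMPLE_RULES,
TENANCY and CHILD are constructed placeholders.
"""
import json

REQUIRED_EVENT_TYPES = {
    "com.oraclecloud.identitycontrolplane.createpolicy",
    "com.oraclecloud.identitycontrolplane.deletepolicy",
    "com.oraclecloud.identitycontrolplane.updatepolicy",
}


def event_types(rule):
    """Return the set of event types in the rule's condition. The API stores the
    condition as a JSON string; eventType may be a list or a single string."""
    condition = rule.get("condition") or "{}"
    if isinstance(condition, str):
        condition = json.loads(condition)
    types = condition.get("eventType", [])
    return {types} if isinstance(types, str) else set(types)


def has_enabled_ons_action(rule):
    """True if at least one action is a Notifications (ONS) action that is itself enabled.
    Stricter than the query, which checks actionType but not the action's own isEnabled."""
    actions = (rule.get("actions") or {}).get("actions") or []
    return any(a.get("action-type") == "ONS" and a.get("is-enabled") for a in actions)


def evaluate_rule(rule, tenancy_ocid):
    """Classify one rule as the query does: skip outside the root compartment, ok when an
    enabled ACTIVE rule covers all three policy event types with an ONS action, else alarm."""
    title = rule.get("display-name") or rule.get("id", "<unnamed>")
    if rule.get("compartment-id") != tenancy_ocid:
        return "skip", f"{title} not in the root compartment."
    missing = REQUIRED_EVENT_TYPES - event_types(rule)
    if missing:
        return "alarm", f"{title} missing event types: {', '.join(sorted(missing))}."
    if not has_enabled_ons_action(rule):
        return "alarm", f"{title} has no enabled Notifications action."
    if rule.get("lifecycle-state") != "ACTIVE" or not rule.get("is-enabled"):
        return "alarm", f"{title} is not an enabled, ACTIVE rule."
    return "ok", f"{title} configured for IAM policy changes."


def evaluate_tenancy(rules, tenancy_ocid):
    """Evaluate every rule, then add a tenancy-level alarm when none passes. This covers the
    case the per-rule query cannot report: a tenancy with no Event Rules returns no rows."""
    results = [(r.get("id"), *evaluate_rule(r, tenancy_ocid)) for r in rules]
    if not any(status == "ok" for _, status, _ in results):
        results.append((tenancy_ocid, "alarm",
                        "no root-compartment rule notifies on IAM policy changes."))
    return results


def _rule(rule_id, name, compartment, types, enabled=True, state="ACTIVE"):
    """Build a constructed rule in the CLI's JSON shape (fixture only)."""
    return {
        "id": rule_id,
        "display-name": name,
        "compartment-id": compartment,
        "lifecycle-state": state,
        "is-enabled": enabled,
        "condition": json.dumps({"eventType": sorted(types), "data": {}}),
        "actions": {"actions": [{"action-type": "ONS", "is-enabled": True,
                                 "topic-id": "ocid1.onstopic.oc1.iad.aaaatopic"}]},
    }


TENANCY = "ocid1.tenancy.oc1..aaaaexample"     # constructed placeholder OCID
CHILD = "ocid1.compartment.oc1..aaaachild"     # constructed child compartment OCID
SAMPLE_RULES = [
    _rule("ocid1.eventrule.oc1.iad.aaaagood", "iam-policy-changes", TENANCY, REQUIRED_EVENT_TYPES),
    # Create and update only: a deleted policy would never be reported.
    _rule("ocid1.eventrule.oc1.iad.aaaapartial", "iam-policy-create-update", TENANCY,
          REQUIRED_EVENT_TYPES - {"com.oraclecloud.identitycontrolplane.deletepolicy"}),
    # Correct condition, but in a child compartment: skipped, like the query's left join.
    _rule("ocid1.eventrule.oc1.iad.aaaachild", "iam-policy-changes-child", CHILD, REQUIRED_EVENT_TYPES),
]

if __name__ == "__main__":
    for rule_id, status, reason in evaluate_tenancy(SAMPLE_RULES, TENANCY):
        print(f"{status:5}  {rule_id}  {reason}")
```

Feed it the "data" array from `oci events rule list --compartment-id <tenancy OCID> --all --output json` to audit a real tenancy; the partial rule in the fixtures is the realistic failure mode, since a rule created from the console with only some of the Policy events selected looks configured but leaves deletions unreported.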