Control: 3.15 Ensure Cloud Guard is enabled in the root compartment of the tenancy
Description
Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.
Remediation
From Console
- Type
Cloud Guard
into the Search box at the top of the Console. - Click
Cloud Guard
from the "Services" submenu. - Click
Enable Cloud Guard
. - Click
Create Policy
. - Click
Next
. - Under
Reporting Region
, select a region. - Under
Compartments To Monitor
, chooseSelect Compartment
. - Under
Select Compartments
, select the root compartment. - Under
Configuration Detector Recipe
, selectOCI Configuration Detector Recipe (Oracle Managed)
. - Under
Activity Detector Recipe
, selectOCI Activity Detector Recipe (Oracle Managed)
. - Click
Enable
.
From Command Line
- Create
OCI IAM Policy
forCloud Guard
.
oci iam policy create --compartment-id '<tenancy-id>' --name 'CloudGuardPolicies' --description 'Cloud Guard Access Policy' --statements '[ "allow service cloudguard to read vaults in tenancy", "allow service cloudguard to read keys in tenancy", "allow service cloudguard to read compartments in tenancy", "allow service cloudguard to read tenancies in tenancy", "allow service cloudguard to read audit-events in tenancy", "allow service cloudguard to read compute-management-family in tenancy", "allow service cloudguard to read instance-family in tenancy", "allow service cloudguard to read virtual-network-family in tenancy", "allow service cloudguard to read volume-family in tenancy", "allow service cloudguard to read database-family in tenancy", "allow service cloudguard to read object-family in tenancy", "allow service cloudguard to read load-balancers in tenancy", "allow service cloudguard to read users in tenancy", "allow service cloudguard to read groups in tenancy", "allow service cloudguard to read policies in tenancy", "allow service cloudguard to read dynamic-groups in tenancy", "allow service cloudguard to read authentication-policies in tenancy"]'
- Enable Cloud Guard in root compartment
oci cloud-guard configuration update --reporting-region 'us-ashburn-1' -- compartment-id '<tenancy-id>' --status 'ENABLED'
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v110_3_15
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v110_3_15 --share
SQL
This control uses a named query:
cloudguard_enabled