turbot/oci_compliance

Control: 2.7 Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network

Description

Oracle Analytics Cloud (OAC) is a scalable and secure public cloud service that provides a full set of capabilities to explore and perform collaborative analytics for you, your workgroup, and your enterprise. OAC instances provide ingress filtering of network traffic, or can be deployed within an existing Virtual Cloud Network (VCN). It is recommended that all new OAC instances be deployed within a VCN, and that the Access Control Rules of existing OAC instances be restricted to your corporate IP addresses or VCNs.

Remediation

  1. Log in to the OCI Console.
  2. Click in the search bar at the top of the screen.
  3. Type Advanced Resource Query and press Enter.
  4. Click the Advanced Resource Query button in the upper right of the screen.
  5. Enter the following query in the query box:
query analyticsinstance resources
  6. For each OAC instance returned, click the link under Display name.
  7. Ensure the Access Control Rules (IP Address/CIDR Block as well as Virtual Cloud Networks) are correct.
  8. Repeat for other subscribed regions.
  9. For each OAC instance in the returned results, click the OAC instance name.
  10. Click Edit next to Access Control Rules.
  11. Click +Another Rule and add rules as required.

From Command Line

  1. Execute the following command:
# Iterate over every subscribed region and every compartment in the tenancy,
# printing the OAC instances whose network endpoint type is PUBLIC.
# --all follows pagination so compartments beyond the first page are not skipped.
for region in $(oci iam region list | jq -r '.data[] | .name'); do
  for compid in $(oci iam compartment list --compartment-id-in-subtree TRUE --all 2>/dev/null | jq -r '.data[] | .id'); do
    output=$(oci analytics analytics-instance list --compartment-id "$compid" --region "$region" --all 2>/dev/null \
      | jq -r '.data[] | select(."network-endpoint-details"."network-endpoint-type" == "PUBLIC")')
    if [ -n "$output" ]; then echo "$output"; fi
  done
done
  2. Ensure the network-endpoint-type values are correct.
  3. Get the JSON input format by executing the command below:
oci analytics analytics-instance change-network-endpoint --generate-full-command-json-input
  4. For each of the OAC instances identified, get its details.
  5. Update the Access Control Rules: copy the network-endpoint-details element from the JSON returned by the above get call, edit it appropriately, and use it in the following command:
oci analytics analytics-instance change-network-endpoint --from-json '<network endpoints JSON>'
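The loop above only lists PUBLIC endpoints; deciding whether a public endpoint is actually restricted still needs its access control rules read. The following is an added example (not part of the CIS benchmark or the turbot/oci_compliance mod) that classifies each instance from the JSON the list command prints: PRIVATE endpoints pass, PUBLIC endpoints pass only when they carry IP/CIDR or VCN rules and none of those rules matches every address. The sample records are constructed, the OCIDs are placeholders, and the field names (network-endpoint-type, whitelisted-ips, whitelisted-vcns) are assumed to follow the Analytics API network endpoint model as emitted by the CLI.

```python
import ipaddress
import json

# Constructed sample in the shape of `oci analytics analytics-instance list`
# output; the OCIDs are placeholders, not real resources.
SAMPLE_LIST_OUTPUT = json.dumps({"data": [
    {"name": "oac-prod", "network-endpoint-details": {
        "network-endpoint-type": "PRIVATE",
        "vcn-id": "ocid1.vcn.oc1..placeholder", "subnet-id": "ocid1.subnet.oc1..placeholder"}},
    {"name": "oac-dev", "network-endpoint-details": {
        "network-endpoint-type": "PUBLIC",
        "whitelisted-ips": ["203.0.113.0/24", "198.51.100.7"], "whitelisted-vcns": []}},
    {"name": "oac-partner", "network-endpoint-details": {
        "network-endpoint-type": "PUBLIC", "whitelisted-ips": [],
        "whitelisted-vcns": [{"id": "ocid1.vcn.oc1..placeholder", "whitelisted-ips": ["10.0.0.0/8"]}]}},
    {"name": "oac-legacy", "network-endpoint-details": {
        "network-endpoint-type": "PUBLIC", "whitelisted-ips": [], "whitelisted-vcns": []}},
    {"name": "oac-open", "network-endpoint-details": {
        "network-endpoint-type": "PUBLIC", "whitelisted-ips": ["0.0.0.0/0"], "whitelisted-vcns": []}},
]})

def is_open_cidr(value):
    """True when an allow-list entry matches every address (0.0.0.0/0, ::/0)."""
    try:
        return ipaddress.ip_network(value.strip(), strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed entry; treated as not open rather than crashing the sweep

def evaluate_instance(instance):
    """Classify one OAC instance record as (status, reason)."""
    endpoint = instance.get("network-endpoint-details") or {}
    endpoint_type = endpoint.get("network-endpoint-type")
    if endpoint_type == "PRIVATE":
        return "ok", "deployed within a VCN (private endpoint)"
    if endpoint_type != "PUBLIC":
        return "info", f"unrecognised endpoint type {endpoint_type!r}"
    ips = endpoint.get("whitelisted-ips") or []
    vcns = endpoint.get("whitelisted-vcns") or []
    if any(is_open_cidr(ip) for ip in ips):
        return "alarm", "access control rule allows all public sources"
    if not ips and not vcns:
        return "alarm", "public endpoint with no access control rules"
    return "ok", f"restricted to {len(ips)} IP/CIDR rule(s) and {len(vcns)} VCN rule(s)"

def evaluate_list_output(raw_json):
    """Map instance name -> status for the JSON printed by the list command."""
    return {i["name"]: evaluate_instance(i)[0] for i in json.loads(raw_json).get("data", [])}
```

Feed it the stdout of the list command for each region/compartment pair; instances reported as alarm are the ones to fix with change-network-endpoint.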

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_2_7 --share

SQL

This control uses a named query:

manual_control

Tags