Control: 2.8 Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network
Description
Oracle Autonomous Database Shared (ADB-S) automates database tuning, security, backups, updates, and other routine management tasks traditionally performed by DBAs. ADB-S provides ingress filtering of network traffic, or it can be deployed within an existing Virtual Cloud Network (VCN). It is recommended that all new ADB-S databases be deployed within a VCN and that, for existing ADB-S databases, the Access Control Rules are restricted to your corporate IP addresses or VCNs.
Remediation
- Login to the OCI Console.
- Click in the search bar at the top of the screen.
- Type Advanced Resource Query and press Enter.
- Click the Advanced Resource Query button in the upper right of the screen.
- Enter the following query in the query box:
  query autonomousdatabase resources
- For each ADB-S database returned, click the link under Display name.
- Click Edit next to Access Control List.
- Ensure the Access Control Rules IP Address/CIDR Block entries as well as the VCNs are correct.
- Repeat for other subscribed regions.
- For each ADB-S database in the returned results, click the ADB-S database name.
- Click Edit next to Access Control Rules.
- Click +Another Rule and add rules as required.
- Click Save Changes.
From Command Line
- Execute the following command (it lists, per region and compartment, every ADB-S database that has no Network Security Group attached, and prints its whitelisted IPs):
  for region in `oci iam region list | jq -r '.data[] | .name'`; do
    for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`; do
      for adbid in `oci db autonomous-database list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | select(."nsg-ids" == null).id'`; do
        output=`oci db autonomous-database get --autonomous-database-id $adbid --region $region --query 'data.{WhiteListIPs:"whitelisted-ips",id:id}' --output table 2>/dev/null`
        if [ ! -z "$output" ]; then echo "$output"; fi
      done
    done
  done
- Ensure the WhiteListIPs are correct.
- Get the JSON input format by executing the following command:
  oci db autonomous-database update --generate-full-command-json-input
- For each of the ADB-S databases identified, get its details.
- To update the whitelistIps, copy the WhiteListIPs element from the JSON returned by the above get call, edit it appropriately and use it in the following command:
  oci db autonomous-database update --autonomous-database-id <ADB-S OCID> --from-json '<network endpoints JSON>'
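The CLI loop above only lists candidates; deciding which of them actually fail the control (no VCN deployment and an ACL that is empty, catch-all, or outside your corporate ranges) is still manual. The following Python script, added here as an illustration and not part of the oci_compliance mod or the CIS benchmark, applies that decision to the JSON that `oci db autonomous-database list --all` returns. The record field names (`subnet-id`, `nsg-ids`, `whitelisted-ips`, `display-name`), the sample OCIDs and the corporate CIDR list are assumed or constructed values; substitute your own when running it against real output.

```python
import ipaddress
import json

# Constructed sample shaped like the `oci db autonomous-database list --all`
# JSON output (field names are assumed from the CLI; OCIDs are placeholders).
SAMPLE_LIST_OUTPUT = json.dumps({"data": [
    {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE1", "display-name": "adb-public",
     "subnet-id": None, "nsg-ids": None, "whitelisted-ips": None},
    {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE2", "display-name": "adb-anywhere",
     "subnet-id": None, "nsg-ids": None, "whitelisted-ips": ["0.0.0.0/0"]},
    {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE3", "display-name": "adb-stray",
     "subnet-id": None, "nsg-ids": None,
     "whitelisted-ips": ["198.51.100.7", "192.0.2.10"]},
    {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE4", "display-name": "adb-acl",
     "subnet-id": None, "nsg-ids": None,
     "whitelisted-ips": ["203.0.113.0/24", "ocid1.vcn.oc1..EXAMPLEVCN;10.0.0.0/16"]},
    {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE5", "display-name": "adb-vcn",
     "subnet-id": "ocid1.subnet.oc1..EXAMPLESUBNET",
     "nsg-ids": ["ocid1.networksecuritygroup.oc1..EXAMPLENSG"], "whitelisted-ips": None},
]})

# Constructed corporate ranges; replace with your organisation's egress CIDRs.
ALLOWED_CORPORATE_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]


def classify_acl_entry(entry, allowed):
    """Classify one Access Control List entry.

    Returns 'vcn' for a VCN OCID entry (optionally ';'-suffixed with CIDRs),
    'open' for a 0.0.0.0/0-style catch-all, 'allowed' for an IP or CIDR that
    lies inside one of the allowed corporate ranges, else 'outside'.
    """
    if entry.startswith("ocid1.vcn"):
        return "vcn"
    net = ipaddress.ip_network(entry, strict=False)
    if net.prefixlen == 0:
        return "open"
    for corp in allowed:
        if corp.version == net.version and net.subnet_of(corp):
            return "allowed"
    return "outside"


def assess(db, allowed):
    """Return 'vcn', 'restricted', 'overly_broad' or 'public' for one database record."""
    # Deployed with a private endpoint in a VCN (the CLI loop on the page likewise
    # skips databases that already carry NSGs): the ACL is not the controlling boundary.
    if db.get("subnet-id") or db.get("nsg-ids"):
        return "vcn"
    entries = db.get("whitelisted-ips") or []
    if not entries:
        return "public"          # no ACL and no VCN: reachable from any source
    kinds = {classify_acl_entry(e, allowed) for e in entries}
    if "open" in kinds:
        return "public"          # an ACL containing 0.0.0.0/0 restricts nothing
    if "outside" in kinds:
        return "overly_broad"    # some entry is not a known corporate source
    return "restricted"


def find_noncompliant(list_output_json, allowed_cidrs):
    """Return (display-name, status) pairs for databases that fail the control."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for db in json.loads(list_output_json)["data"]:
        status = assess(db, allowed)
        if status not in ("vcn", "restricted"):
            findings.append((db["display-name"], status))
    return findings


if __name__ == "__main__":
    for name, status in find_noncompliant(SAMPLE_LIST_OUTPUT, ALLOWED_CORPORATE_CIDRS):
        print(f"{name}: {status}")
```

Pipe the real CLI output into `find_noncompliant` in place of the constructed sample; an entry of `0.0.0.0/0` is reported as public rather than restricted, because an ACL that admits every source is equivalent to having none.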
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v120_2_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v120_2_8 --share
SQL
This control uses a named query:
oracle_autonomous_database_not_publicly_accessible