turbot/oci_compliance

Control: 3.13 Ensure a notification is configured for changes to network gateways

Description

It is recommended to setup an Event Rule and Notification that gets triggered when Network Gateways are created, updated, deleted, attached, detached, or moved. This recommendation includes Internet Gateways, Dynamic Routing Gateways, Service Gateways, Local Peering Gateways, and NAT Gateways. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.

Remediation

From Console

  1. Go to the Events Service page
  2. Select the compartment that should host the rule.
  3. Click Create Rule.
  4. Provide a Display Name and Description.
  5. Create a Rule Condition by selecting Networking in the Service Name Drop-down and selecting DRG – Create, DRG – Delete, DRG – Update, DRG Attachment – Create, DRG Attachment – Delete, DRG Attachment – Update, Internet Gateway – Create, Internet Gateway – Delete, Internet Gateway – Update, Internet Gateway – Change Compartment, Local Peering Gateway – Create, Local Peering Gateway – Delete, Local Peering Gateway – Update, Local Peering Gateway – Change Compartment, NAT Gateway – Create, NAT Gateway – Delete, NAT Gateway – Update, NAT Gateway – Change Compartment, Service Gateway – Create, Service Gateway – Delete Begin, Service Gateway – Delete End, Service Gateway – Update, Service Gateway – Attach Service, Service Gateway – Detach Service, Service Gateway – Change Compartment.
  6. In the Actions section select Notifications as Action Type.
  7. Select the Compartment that hosts the Topic to be used.
  8. Select the Topic to be used.
  9. Optionally add Tags to the Rule.
  10. Click Create Rule.

From Command Line

  1. Find the topic-id of the Event Rule which should be used for sending Notifications by using the topic name and Compartment OCID.
oci ons topic list --compartment-id=<compartment OCID> --all --query "data [?name=='<topic_name>']".{"name:name,topic_id:\"topic-id\""} --output table
  1. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.
{
"actions":
{
"actions": [
{
"actionType": "ONS",
"isEnabled": true,
"topicId": "<topic id>"
}]
},
"condition":
{
"eventType":
["com.oraclecloud.virtualnetwork.createdrg",
"com.oraclecloud.virtualnetwork.deletedrg",
"com.oraclecloud.virtualnetwork.updatedrg",
"com.oraclecloud.virtualnetwork.createdrgattachment",
"com.oraclecloud.virtualnetwork.deletedrgattachment",
"com.oraclecloud.virtualnetwork.updatedrgattachment",
"com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment",
"com.oraclecloud.virtualnetwork.createinternetgateway",
"com.oraclecloud.virtualnetwork.deleteinternetgateway",
"com.oraclecloud.virtualnetwork.updateinternetgateway",
"com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment",
"com.oraclecloud.virtualnetwork.createlocalpeeringgateway",
"com.oraclecloud.virtualnetwork.deletelocalpeeringgateway",
"com.oraclecloud.virtualnetwork.updatelocalpeeringgateway",
"com.oraclecloud.natgateway.changenatgatewaycompartment",
"com.oraclecloud.natgateway.createnatgateway",
"com.oraclecloud.natgateway.deletenatgateway",
"com.oraclecloud.natgateway.updatenatgateway",
"com.oraclecloud.servicegateway.attachserviceid",
"com.oraclecloud.servicegateway.changeservicegatewaycompartment",
"com.oraclecloud.servicegateway.createservicegateway",
"com.oraclecloud.servicegateway.deleteservicegateway.begin",
"com.oraclecloud.servicegateway.deleteservicegateway.end",
"com.oraclecloud.servicegateway.detachserviceid",
"com.oraclecloud.servicegateway.updateservicegateway" ],
"data":{}
},
"displayName": "<display name>",
"description": "<description>",
"isEnabled": true,
"compartmentId": "compartment OCID"
}
  1. Create the actual event rule
oci events rule create --from-json file://event_rule.json
  1. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_3_13

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_3_13 --share

SQL

This control uses a named query:

events_rule_notification_network_gateway_changes

Tags