turbot/oci_compliance

Control: 3.15 Ensure Cloud Guard is enabled in the root compartment of the tenancy

Description

Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.

Remediation

From Console

  1. Type Cloud Guard into the Search box at the top of the Console.
  2. Click Cloud Guard from the "Services" submenu.
  3. Click Enable Cloud Guard.
  4. Click Create Policy.
  5. Click Next.
  6. Under Reporting Region, select a region.
  7. Under Compartments To Monitor, choose Select Compartment.
  8. Under Select Compartments, select the root compartment.
  9. Under Configuration Detector Recipe, select OCI Configuration Detector Recipe (Oracle Managed).
  10. Under Activity Detector Recipe, select OCI Activity Detector Recipe (OracleManaged).
  11. Click Enable.

From Command Line

  1. Create OCI IAM Policy for Cloud Guard.
oci iam policy create --compartment-id '<tenancy-id>' --name 'CloudGuardPolicies' --description 'Cloud Guard Access Policy' --statements
'[
"allow service cloudguard to read vaults in tenancy",
"allow service cloudguard to read keys in tenancy",
"allow service cloudguard to read compartments in tenancy",
"allow service cloudguard to read tenancies in tenancy",
"allow service cloudguard to read audit-events in tenancy",
"allow service cloudguard to read compute-management-family in tenancy",
"allow service cloudguard to read instance-family in tenancy",
"allow service cloudguard to read virtual-network-family in tenancy",
"allow service cloudguard to read volume-family in tenancy",
"allow service cloudguard to read database-family in tenancy",
"allow service cloudguard to read object-family in tenancy",
"allow service cloudguard to read load-balancers in tenancy",
"allow service cloudguard to read users in tenancy",
"allow service cloudguard to read groups in tenancy",
"allow service cloudguard to read policies in tenancy",
"allow service cloudguard to read dynamic-groups in tenancy",
"allow service cloudguard to read authentication-policies in tenancy"
]'
  1. Enable Cloud Guard in root compartment
oci cloud-guard configuration update --reporting-region 'us-ashburn-1' -- compartment-id '<tenancy-id>' --status 'ENABLED'

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_3_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_3_15 --share

SQL

This control uses a named query:

cloudguard_enabled

Tags