v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub

Control: 4.1 Ensure default tags are used on resources

Description

Using default tags is a way to ensure all resources that support tags are tagged during creation. Tags can be based on static values or based on computed values. It is recommended to setup default tags early on to ensure all created resources will get tagged. Tags are scoped to Compartments and are inherited by Child Compartments. The recommendation is to create default tags like “CreatedBy” at the Root Compartment level to ensure all resources get tagged. When using Tags it is important to ensure that Tag Namespaces are protected by IAM Policies otherwise this will allow users to change tags or tag values. Depending on the age of the OCI Tenancy there may already be Tag defaults setup at the Root Level and no need for further action to implement this action.

In the case of an incident having default tags like “CreatedBy” applied will provide info on who created the resource without having to search the Audit logs.

Remediation

From Console

  1. Login to OCI console.
  2. From the navigation menu, select Governance & Administration.
  3. Under Tenancy Management, select Tag Namespaces.
  4. Under Compartment, select the root compartment.
  5. If no tag namespace exists, click Create Tag Namespace, enter a name and description and click Create Tag Namespace.
  6. Click the name of a tag namespace.
  7. Click Create Tag Key Definition.
  8. Enter a tag key (e.g. CreatedBy) and description, and click Create Tag Key Definition.
  9. From the navigation menu, select Identity & Security.
  10. Under Identity, select Compartments.
  11. Click the name of the root compartment.
  12. Under Resources, select Tag Defaults.
  13. Click Create Tag Default.
  14. Select a tag namespace, tag key, and enter ${iam.principal.name} as the tag value.
  15. Click Create.

From CLI

  1. Create a Tag Namespace in the Root Compartment
oci iam tag-namespace create --compartment-id=<tenancy OCID> --name=<name> -- description=<description> --query data.{"\"Tag Namespace OCID\":id"} --output table
  1. Note the Tag Namespace OCID and use it when creating the Tag Key Definition
oci iam tag create --tag-namespace-id=<tag namespace OCID> --name=<tag namespace OCID> --description=<description> --query data.{"\"Tag Key Definition OCID\":id"} --output table
  1. Note the Tag Key Definition OCID and use it when creating the Tag Default in the Root compartment
oci iam tag-default create --compartment-id=<tenancy OCID> --tag-definitionid=<tag key definition id> --value="\${iam.principal.name}"

Default Value

New OCI Tenancies will have Tag Defaults setup for CreatedBy and CreatedOn as default. If this is the case then there is no remediate action required in the Tenancy in order to meet this specific control.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_4_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_4_1 --share

SQL

This control uses a named query:

identity_default_tag

Tags

category = Compliance
cis = true
cis_item_id = 4.1
cis_level = 1
cis_section_id = 4
cis_type = automated
cis_version = v2.0.0
plugin = oci
service = OCI/Identity