v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub

Control: 4.3 Ensure a notification is configured for Identity Provider changes

Description

It is recommended to setup an Event Rule and Notification that gets triggered when Identity Providers are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.

OCI Identity Providers allow management of User ID / passwords in external systems and use of those credentials to access OCI resources. Identity Providers allow users to single sign-on to OCI console and have other OCI credentials like API Keys. Monitoring and alerting on changes to Identity Providers will help in identifying changes to the security posture.

Remediation

From Console

  1. Go to the Events Service page.
  2. Select the compartment that should host the rule.
  3. Click Create Rule.
  4. Provide a Display Name and Description.
  5. Create a Rule Condition by selecting Identity in the Service Name Drop-down and selecting Identity Provider – Create, Identity Provider - Delete and Identity Provider – Update.
  6. In the Actions section select Notifications as Action Type.
  7. Select the Compartment that hosts the Topic to be used.
  8. Select the Topic to be used.
  9. Optionally add Tags to the Rule.
  10. Click Create Rule.

From CLI

  1. Find the topic-id of the Event Rule which should be used for sending Notifications by using the topic name and Compartment OCID
oci ons topic list --compartment-id=<compartment OCID> --all --query "data [?name=='<topic_name>']".{"name:name,topic_id:\"topic-id\""} --output table
  1. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.
{
  "actions":
  {
    "actions": [
    {
      "actionType": "ONS",
      "isEnabled": true,
      "topicId": "<topic id>"
    }]
  },
  "condition":
  {
    "eventType":
      ["com.oraclecloud.identitycontrolplane.createidentityprovider",
      "com.oraclecloud.identitycontrolplane.deleteidentityprovider",
      "com.oraclecloud.identitycontrolplane.updateidentityprovider"],
    "data":{}
  },
  "displayName": "<display name>",
  "description": "<description>",
  "isEnabled": true,
  "compartmentId": "compartment OCID"
}
  1. Create the actual event rule
oci events rule create --from-json file://event_rule.json
  1. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_4_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_4_3 --share

SQL

This control uses a named query:

events_rule_notification_identity_provider_changes

Tags

category = Compliance
cis = true
cis_item_id = 4.3
cis_level = 1
cis_section_id = 4
cis_type = automated
cis_version = v2.0.0
plugin = oci
service = OCI/ONS