v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub

Control: 6.2 Ensure no resources are created in the root compartment

Description

When you create a cloud resource such as an instance, block volume, or cloud network, you must specify to which compartment you want the resource to belong. Placing resources in the root compartment makes it difficult to organize and isolate those resources.

Placing resources into a compartment will allow you to organize and have more granular access controls to your cloud resources.

Remediation

From Console

  1. Follow audit procedure above.
  2. For each item in the returned results, click the item name.
  3. Then select Move Resource or More Actions then Move Resource.
  4. Select a compartment that is not the root compartment in CHOOSE NEW COMPARTMENT.
  5. Click Move Resource.

From CLI

  1. Follow the audit procedure above.
  2. For each bucket item execute the below command:
oci os bucket update --bucket-name <bucket-name> --compartment-id <not rootcompartment-id>
  1. For other resources use the change-compartment command for the resource type:
oci <service-command> <resource-command> change-compartment --<item-id> <item-id> --compartment-id <not root compartment-id>i. Example for an Autonomous Database:oci db autonomous-database change-compartment --autonomous-database-id<autonmous-database-id> --compartment-id <not root compartment-id>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_6_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_6_2 --share

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 6.2
cis_level = 1
cis_section_id = 6
cis_type = automated
cis_version = v2.0.0
plugin = oci
service = OCI/Identity