Control: 6.1 Create at least one compartment in your tenancy to store cloud resources
Description
When you sign up for Oracle Cloud Infrastructure, Oracle creates your tenancy, which is the root compartment that holds all your cloud resources. You then create additional compartments within the tenancy (root compartment) and corresponding policies to control access to the resources in each compartment.
Compartments allow you to organize and control access to your cloud resources. A compartment is a collection of related resources (such as instances, databases, virtual cloud networks, block volumes) that can be accessed only by certain groups that have been given permission by an administrator.
Compartments are a logical group that adds an extra layer of isolation, organization and authorization making it harder for unauthorized users to gain access to OCI resources.
Remediation
From Console
- Login to OCI Console.
- Select
Identityfrom the Services menu. - Select
Compartmentsfrom the Identity menu. - Click
Create Compartment. - Enter a
Name. - Enter a
Description. - Select the root compartment as the
Parent Compartment. - Click
Create Compartment.
From CLI
- Execute the following command:
oci iam compartment create --compartment-id '<tenancy-id>' --name '<compartment-name>' --description '<compartment description>'
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_6_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v200_6_1 --shareSQL
This control uses a named query:
with compartment_count as ( select count (compartment_id), tenant_id, tenant_name, _ctx from oci_identity_compartment where lifecycle_state = 'ACTIVE' and name <> 'ManagedCompartmentForPaaS' group by tenant_id, _ctx, tenant_name)select a.tenant_id as resource, case when a.count > 1 then 'ok' else 'alarm' end as status, case when a.count > 1 then a.count || ' compartments exist in tenancy.' else 'No additional compartments exist in tenancy.' end as reason , a.tenant_name as tenantfrom compartment_count as a left join oci_identity_tenancy as b on b.tenant_id = a.tenant_id;