Control: 3.8 Ensure a notification is configured for user changes

Description

It is recommended to setup an Event Rule and Notification that gets triggered when IAM Users are created, updated, deleted, capabilities updated, or state updated. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.

Remediation

From Console

Go to the Events Service page
Select the compartment that should host the rule.
Click Create Rule.
Provide a Display Name and Description.
Create a Rule Condition by selecting Identity in the Service Name Drop-down and selecting User – Create, User – Delete, User – Update, User Capabilities – Update, User State – Update.
In the Actions section select Notifications as Action Type.
Select the Compartment that hosts the Topic to be used.
Select the Topic to be used.
Optionally add Tags to the Rule.
Click Create Rule.

From Command Line

Find the topic-id of the Event Rule which should be used for sending Notifications by using the topic name and Compartment OCID.

oci ons topic list --compartment-id=<compartment OCID> --all --query "data [?name=='<topic_name>']".{"name:name,topic_id:\"topic-id\""} --output table

Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.

{
  "actions":
  {
    "actions": [
    {
      "actionType": "ONS",
      "isEnabled": true,
      "topicId": "<topic id>"
    }]
  },
  "condition":
"{\"eventType\":[\"com.oraclecloud.identityControlPlane.CreateUser\",\"com.oraclecloud.identityControlPlane.DeleteUser\",\"com.oraclecloud.identityControlPlane.UpdateUser\"],\"com.oraclecloud.identityControlPlane.UpdateUserCapabilities\",\"com.oraclecloud.identityControlPlane.UpdateUserState\"],\"data\":{}}",
  "displayName": "<display name>",
  "description": "<description>",
  "isEnabled": true,
  "compartmentId": "compartment OCID"
}

Create the actual event rule.

oci events rule create --from-json file://event_rule.json

Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_3_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_3_8 --share

SQL

This control uses a named query:

select
  distinct t.id as resource,
  case
    when c.name is not null then 'skip'
    when condition -> 'eventType' ?& array
      ['com.oraclecloud.identitycontrolplane.createuser',
      'com.oraclecloud.identitycontrolplane.deleteuser',
      'com.oraclecloud.identitycontrolplane.updateuser',
      'com.oraclecloud.identitycontrolplane.updateusercapabilities',
      'com.oraclecloud.identitycontrolplane.updateuserstate']
      and a ->> 'actionType' = 'ONS'
      and t.lifecycle_state = 'ACTIVE'
      and t.is_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when c.name is not null then c.name || ' not a root compartment.'
    when condition -> 'eventType' ?& array
      ['com.oraclecloud.identitycontrolplane.createuser',
      'com.oraclecloud.identitycontrolplane.deleteuser',
      'com.oraclecloud.identitycontrolplane.updateuser',
      'com.oraclecloud.identitycontrolplane.updateusercapabilities'
      'com.oraclecloud.identitycontrolplane.updateuserstate']
      and a ->> 'actionType' = 'ONS'
      and t.lifecycle_state = 'ACTIVE'
      and t.is_enabled then t.title || ' configured for IAM user changes.'
    else t.title || ' not configured for IAM user changes.'
  end as reason
  
  , t.region as region, t.tenant_name as tenant
  , coalesce(c.name, 'root') as compartment
from
  oci_events_rule t
  left join oci_identity_compartment as c on c.id = t.compartment_id,
  jsonb_array_elements(actions) as a;