Control: 4.14 Ensure Cloud Guard is enabled in the root compartment of the tenancy
Description
Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.
Cloud Guard provides an automated means to monitor a tenancy for resources that are configured in an insecure manner as well as risky network activity from these resources.
Remediation
From Console
- Type Cloud Guard into the Search box at the top of the Console.
- Click Cloud Guard from the "Services" submenu.
- Click Enable Cloud Guard.
- Click Create Policy.
- Click Next.
- Under Reporting Region, select a region.
- Under Compartments To Monitor, choose Select Compartment.
- Under Select Compartments, select the root compartment.
- Under Configuration Detector Recipe, select OCI Configuration Detector Recipe (Oracle Managed).
- Under Activity Detector Recipe, select OCI Activity Detector Recipe (Oracle Managed).
- Click Enable.
From CLI
- Create an OCI IAM policy for Cloud Guard. The policy is created in the tenancy (root compartment) so that the Cloud Guard service principal can read the resources it inspects:
oci iam policy create --compartment-id '<tenancy-id>' --name 'CloudGuardPolicies' --description 'Cloud Guard Access Policy' --statements '[ "allow service cloudguard to read vaults in tenancy", "allow service cloudguard to read keys in tenancy", "allow service cloudguard to read compartments in tenancy", "allow service cloudguard to read tenancies in tenancy", "allow service cloudguard to read audit-events in tenancy", "allow service cloudguard to read compute-management-family in tenancy", "allow service cloudguard to read instance-family in tenancy", "allow service cloudguard to read virtual-network-family in tenancy", "allow service cloudguard to read volume-family in tenancy", "allow service cloudguard to read database-family in tenancy", "allow service cloudguard to read object-family in tenancy", "allow service cloudguard to read load-balancers in tenancy", "allow service cloudguard to read users in tenancy", "allow service cloudguard to read groups in tenancy", "allow service cloudguard to read policies in tenancy", "allow service cloudguard to read dynamic-groups in tenancy", "allow service cloudguard to read authentication-policies in tenancy" ]'
- Enable Cloud Guard in the root compartment. Cloud Guard is a tenancy-level service, so <tenancy-id> is the tenancy OCID, and the reporting region must be one of the regions the tenancy is subscribed to:
oci cloud-guard configuration update --reporting-region 'us-ashburn-1' --compartment-id '<tenancy-id>' --status 'ENABLED'
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_4_14
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_4_14 --share
SQL
This control uses a named query:
select
  tenant_id as resource,
  case
    when status = 'ENABLED' then 'ok'
    else 'alarm'
  end as status,
  case
    when status = 'ENABLED' then 'CloudGuard enabled.'
    else 'CloudGuard disabled.'
  end as reason,
  reporting_region,
  tenant_name as tenant
from
  oci_cloud_guard_configuration;
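The following is an added example, not code from the Powerpipe mod, Steampipe or Oracle. It ties the two halves of this page together: the verdict logic of the named query above (strict match on status = 'ENABLED', so a never-configured tenancy with no status, or a differently-cased value, is an alarm) and the CLI remediation step, planned as the same update that oci cloud-guard configuration update performs. The OCI SDK names used in remediate() (CloudGuardClient.update_configuration and oci.cloud_guard.models.UpdateConfigurationDetails) are assumptions about the OCI Python SDK and are only imported when no factory is injected; the tenancy OCID, tenant name and region list in the demo are constructed sample input, and the fake client is a stand-in so the whole thing runs offline.

```python
"""Check-then-remediate helper for CIS OCI 4.14 (Cloud Guard enabled).

Added example; not part of the Powerpipe mod, Steampipe or Oracle's tooling.
evaluate() mirrors the control's SQL. The SDK names in remediate() are assumed
from the OCI Python SDK and only touched when no details_factory is injected.
"""
from __future__ import annotations

from dataclasses import dataclass
from types import SimpleNamespace
from typing import Optional

# Resource types from the page's `oci iam policy create` statements, in order.
CLOUD_GUARD_READ_RESOURCES = [
    "vaults", "keys", "compartments", "tenancies", "audit-events",
    "compute-management-family", "instance-family", "virtual-network-family",
    "volume-family", "database-family", "object-family", "load-balancers",
    "users", "groups", "policies", "dynamic-groups", "authentication-policies",
]


def policy_statements() -> list[str]:
    """Read-only grants for the cloudguard service principal, tenancy scope."""
    return [f"allow service cloudguard to read {r} in tenancy" for r in CLOUD_GUARD_READ_RESOURCES]


@dataclass
class CloudGuardConfig:
    """Shape of one row of Steampipe's oci_cloud_guard_configuration table."""
    tenant_id: str
    status: Optional[str]             # 'ENABLED', 'DISABLED', or None if never set up
    reporting_region: Optional[str]
    tenant_name: str = ""


def evaluate(cfg: CloudGuardConfig) -> tuple[str, str]:
    """Same verdict as the SQL: only the exact string 'ENABLED' is 'ok'.

    A tenancy that has never configured Cloud Guard has no status; in SQL,
    NULL = 'ENABLED' is not true, so it falls into the else branch as well.
    """
    if cfg.status == "ENABLED":
        return "ok", "CloudGuard enabled."
    return "alarm", "CloudGuard disabled."


def plan_remediation(cfg: CloudGuardConfig, reporting_region: str,
                     subscribed_regions: set[str]) -> Optional[dict]:
    """Return the update the CLI step performs, or None when already compliant.

    The reporting region must be one the tenancy is subscribed to, so refuse
    anything else up front rather than letting the API call fail.
    """
    if evaluate(cfg)[0] == "ok":
        return None
    if reporting_region not in subscribed_regions:
        raise ValueError(f"{reporting_region} is not a subscribed region")
    return {"compartment_id": cfg.tenant_id,   # tenancy OCID: Cloud Guard is tenancy-level
            "reporting_region": reporting_region, "status": "ENABLED"}


def remediate(client, cfg: CloudGuardConfig, reporting_region: str,
              subscribed_regions: set[str], details_factory=None) -> CloudGuardConfig:
    """Apply the plan through a CloudGuardClient-like object; return the new state.

    client.update_configuration(compartment_id, details) is the assumed SDK
    call. details_factory lets a test (or another SDK version) build the
    request object instead of importing oci.
    """
    plan = plan_remediation(cfg, reporting_region, subscribed_regions)
    if plan is None:
        return cfg
    if details_factory is None:
        from oci.cloud_guard.models import UpdateConfigurationDetails  # assumed name
        details_factory = UpdateConfigurationDetails
    details = details_factory(reporting_region=plan["reporting_region"], status=plan["status"])
    resp = client.update_configuration(plan["compartment_id"], details)
    return CloudGuardConfig(cfg.tenant_id, getattr(resp.data, "status", None),
                            getattr(resp.data, "reporting_region", None), cfg.tenant_name)


class FakeCloudGuardClient:
    """Constructed stand-in for oci.cloud_guard.CloudGuardClient (offline demo)."""
    def __init__(self):
        self.calls = []

    def update_configuration(self, compartment_id, details):
        self.calls.append((compartment_id, dict(details)))
        data = SimpleNamespace(status=details["status"], reporting_region=details["reporting_region"])
        return SimpleNamespace(data=data)


def demo() -> tuple[str, str]:
    """Constructed tenancy that is in alarm, remediated through the fake client."""
    before = CloudGuardConfig("ocid1.tenancy.oc1..example", "DISABLED", None, "acme")
    after = remediate(FakeCloudGuardClient(), before, "us-ashburn-1",
                      {"us-ashburn-1", "us-phoenix-1"}, details_factory=dict)
    return evaluate(before)[0], evaluate(after)[0]


if __name__ == "__main__":
    print(demo())
```

With a real CloudGuardClient built from your OCI config, call remediate() without details_factory and it imports the SDK request type itself; the policy from policy_statements() still has to exist before enabling, exactly as in the CLI steps above.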