πŸ›‘οΈ Oracle Cloud Guard is not enabled in the root compartment🟒

  • Contextual name: 🛡️ Cloud Guard is not enabled in the root compartment 🟢
  • ID: /ce/ca/oracle/cloud-guard/cloud-guard-in-root-compartment
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

  • Internal: dec-x-dcb56f35

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-dcb56f35 | 1 |

Description

This policy identifies Oracle Cloud Infrastructure (OCI) tenancies that do not have Oracle Cloud Guard enabled with an active target for the root compartment.

Oracle Cloud Guard provides security posture monitoring, detector rules, and responder capabilities for OCI resources. Configuring Cloud Guard at the root compartment helps ensure monitoring coverage starts at the tenancy boundary and includes resources across child compartments.

Rationale

The root compartment is the top-level compartment for an OCI tenancy. If Cloud Guard is not enabled at this scope, security findings and automated response capabilities may be unavailable or incomplete for resources in the tenancy. This can create blind spots for misconfigurations, risky activity, and policy violations.

Enabling Cloud Guard for the root compartment provides a consistent baseline for tenancy-wide threat detection and security posture management.

Impact

Cloud Guard may generate findings and responder activity that require operational review. Review detector and responder recipes before enabling automated responses in production environments.

... see more

Remediation

Enable Cloud Guard in the Root Compartment

From Oracle Cloud Console
  1. Type Cloud Guard into the search box at the top of the Console.
  2. Click Cloud Guard from the Services submenu.
  3. Click Enable Cloud Guard.
  4. Click Create Policy.
  5. Click Next.
  6. Under Reporting Region, select a region.
  7. Under Compartments To Monitor, choose Select Compartment.
  8. Under Select Compartments, select the root compartment.
  9. Under Configuration Detector Recipe, select OCI Configuration Detector Recipe (Oracle Managed).
  10. Under Activity Detector Recipe, select OCI Activity Detector Recipe (Oracle Managed).
  11. Click Enable.
From OCI CLI
  1. Create an OCI IAM policy that grants Cloud Guard the required read permissions in the tenancy:

    oci iam policy create \
    --compartment-id {{tenancy-id}} \
    --name "CloudGuardPolicies" \
    --description "Cloud Guard Access Policy" \
    --statements '[
    "allow service cloudguard to read vaults in tenancy",

... see more
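The condition this policy evaluates (Cloud Guard ENABLED for the tenancy, plus an ACTIVE target scoped to the root compartment) can be reproduced offline from the OCI CLI's JSON output, which is useful for auditing a tenancy before and after the remediation above. The following is an added example, not code from Cloudaware or Oracle. It assumes the configuration document comes from `oci cloud-guard configuration get --compartment-id <tenancy-ocid>` and the target list from `oci cloud-guard target list --compartment-id <tenancy-ocid> --all`, that both use the CLI's hyphenated field names (`status`, `lifecycle-state`, `target-resource-type`, `target-resource-id`), and that every OCID and sample document below is a constructed placeholder.

```python
"""Evaluate the "Cloud Guard enabled in the root compartment" check offline.

Input is the JSON the OCI CLI prints for (commands and field names assumed):
  oci cloud-guard configuration get --compartment-id <tenancy-ocid>
  oci cloud-guard target list --compartment-id <tenancy-ocid> --all
All sample documents and OCIDs below are constructed placeholders.
"""
import json

# Constructed tenancy OCID; the root compartment's OCID is the tenancy OCID.
TENANCY_OCID = "ocid1.tenancy.oc1..exampletenancy"

# Constructed `configuration get` output for an enabled and a disabled tenancy.
CONFIG_ENABLED = json.loads("""
{"data": {"reporting-region": "us-ashburn-1",
          "self-manage-resources": false,
          "status": "ENABLED"}}
""")
CONFIG_DISABLED = json.loads('{"data": {"reporting-region": null, "status": "DISABLED"}}')

# Constructed `target list` output with an ACTIVE target on the root compartment.
TARGETS_ROOT = json.loads("""
{"data": {"items": [
  {"id": "ocid1.cloudguardtarget.oc1..exampletarget1",
   "display-name": "tenancy-root",
   "lifecycle-state": "ACTIVE",
   "target-resource-type": "COMPARTMENT",
   "target-resource-id": "ocid1.tenancy.oc1..exampletenancy"}
]}}
""")

# Constructed output where only a child compartment is monitored and an old
# root target has been deleted: Cloud Guard is "on", but the root is uncovered.
TARGETS_CHILD_ONLY = json.loads("""
{"data": {"items": [
  {"id": "ocid1.cloudguardtarget.oc1..exampletarget2",
   "display-name": "prod-only",
   "lifecycle-state": "ACTIVE",
   "target-resource-type": "COMPARTMENT",
   "target-resource-id": "ocid1.compartment.oc1..exampleprod"},
  {"id": "ocid1.cloudguardtarget.oc1..exampletarget3",
   "display-name": "old-root",
   "lifecycle-state": "DELETED",
   "target-resource-type": "COMPARTMENT",
   "target-resource-id": "ocid1.tenancy.oc1..exampletenancy"}
]}}
""")


def root_target_state(tenancy_ocid, targets_json):
    """Lifecycle state of the target that covers the root compartment.

    Returns "ACTIVE" if any such target is active, otherwise the state of the
    first matching target, or None when no target is scoped to the tenancy.
    A missing or null "data" key is treated as "no targets".
    """
    data = targets_json.get("data") or {}
    states = [
        item.get("lifecycle-state")
        for item in data.get("items", [])
        if item.get("target-resource-type") == "COMPARTMENT"
        and item.get("target-resource-id") == tenancy_ocid
    ]
    if "ACTIVE" in states:
        return "ACTIVE"
    return states[0] if states else None


def evaluate(tenancy_ocid, config_json, targets_json):
    """Apply both conditions the policy description names: Cloud Guard must be
    ENABLED for the tenancy and an ACTIVE target must be scoped to the root
    compartment. Returns {"compliant": bool, "findings": [reasons]}."""
    findings = []
    status = (config_json.get("data") or {}).get("status")
    if status != "ENABLED":
        findings.append(f"Cloud Guard status is {status!r}, expected 'ENABLED'")
    state = root_target_state(tenancy_ocid, targets_json)
    if state is None:
        findings.append("no Cloud Guard target is scoped to the root compartment")
    elif state != "ACTIVE":
        findings.append(f"root compartment target is {state}, expected ACTIVE")
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    for label, cfg, tgts in [
        ("enabled, root target active", CONFIG_ENABLED, TARGETS_ROOT),
        ("disabled", CONFIG_DISABLED, TARGETS_ROOT),
        ("enabled, child compartment only", CONFIG_ENABLED, TARGETS_CHILD_ONLY),
    ]:
        print(label, "->", json.dumps(evaluate(TENANCY_OCID, cfg, tgts)))
```

The third sample is the case that a status-only check misses: Cloud Guard reports ENABLED, yet the only active target is a child compartment, so resources outside it are invisible to detectors and responders. Checking for a target whose resource id equals the tenancy OCID, and that it is ACTIVE rather than merely present, is what ties the check to the root compartment as the description requires.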

policy.yaml

Linked Framework Sections

Section | Sub Section | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 | 💼 36b configuration management — the configuration of information assets minimises vulnerabilities and is defined, assessed, registered, maintained, including when new vulnerabilities and threats are discovered, and applied consistently; | 2 | 2 | | no data
💼 APRA CPG 234 | 💼 67e users with privileged access accounts subject to a greater level of monitoring in light of the heightened risks involved. | 2 | 2 | | no data
💼 CIS Oracle v3.1.0 | 💼 4.14 Ensure Cloud Guard is enabled in the root compartment of the tenancy - Level 1 (Automated) | 1 | 1 | | no data
💼 Cloudaware Framework | 💼 Threat Protection | 3 | 3 | | no data
💼 FedRAMP High Security Controls | 💼 AU-3(1) Additional Audit Information (M)(H) | | 15 | | no data
💼 FedRAMP High Security Controls | 💼 AU-6(1) Automated Process Integration (M)(H) | | 6 | | no data
💼 FedRAMP High Security Controls | 💼 AU-7(1) Automatic Processing (M)(H) | | 4 | | no data
💼 FedRAMP Moderate Security Controls | 💼 AU-3(1) Additional Audit Information (M)(H) | | 15 | | no data
💼 FedRAMP Moderate Security Controls | 💼 AU-6(1) Automated Process Integration (M)(H) | | 6 | | no data
💼 FedRAMP Moderate Security Controls | 💼 AU-7(1) Automatic Processing (M)(H) | | 4 | | no data
💼 ISO/IEC 27001:2022 | 💼 5.25 Assessment and decision on information security events | 2 | 4 | | no data
💼 ISO/IEC 27001:2022 | 💼 5.28 Collection of evidence | 16 | 22 | | no data
💼 ISO/IEC 27001:2022 | 💼 8.15 Logging | 20 | 35 | | no data
💼 ISO/IEC 27001:2022 | 💼 8.20 Networks security | 6 | 15 | | no data
💼 NIST SP 800-53 Revision 5 | 💼 AU-3(1) Content of Audit Records _ Additional Audit Information | 15 | 15 | | no data
💼 NIST SP 800-53 Revision 5 | 💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration | 2 | 6 | | no data
💼 NIST SP 800-53 Revision 5 | 💼 AU-7(1) Audit Record Reduction and Report Generation _ Automatic Processing | 2 | 4 | | no data
💼 NIST SP 800-53 Revision 5 | 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification | 20 | 22 | | no data