Oracle Tenancy has CIS-scoped resources created in the root compartment
- Contextual name: Tenancy has CIS-scoped resources created in the root compartment
- ID: /ce/ca/oracle/tenancy/resource-in-root-compartment
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
- Oracle Tenancy
- Oracle Resource - object.extracts.yaml
- test-data.json
Description
This policy identifies Oracle Tenancies that have CIS-scoped resources created directly in the root compartment.
Rationale
Compartments are a foundational OCI governance control. They allow organizations to separate administrative ownership, apply least-privilege IAM policies, delegate operational responsibility, and organize resources by environment, application, business unit, or data sensitivity.
Creating resources directly in the root compartment weakens those guardrails because the root compartment is intended to represent the tenancy-wide administrative boundary. Overusing it makes policy scoping harder, increases the risk of excessive access, and reduces clarity when teams need to determine ownership and accountability for deployed resources.
Keeping benchmark-scoped resources out of the root compartment supports cleaner access boundaries and a more maintainable tenancy structure.
Impact
Moving resources out of the root compartment can affect permissions, automation, monitoring targets, and application dependencies. Some OCI resources can be moved between compartments, while others may need to be recreated in the target compartment. Review IAM policies, tagging, automation, backup configuration, and workload dependencies before remediation.
Remediation
Move Resources Out of the Root Compartment
Create or identify dedicated target compartments for the affected workloads, then move each supported resource out of the root compartment. If OCI does not support moving a specific resource type after creation, recreate it in the correct compartment and migrate the workload.
Before remediation, confirm the following:
- The destination compartment exists and is governed by the correct IAM policies.
- Required administrators, automation, and service principals retain the necessary access after the move.
- Tags, monitoring, backups, and security controls remain aligned with the new compartment placement.
- The resource type supports an in-place compartment move. If it does not, plan for recreation and migration.
From Oracle Cloud Console
- Identify CIS-scoped resources that were created in the root compartment.
- Open each affected resource and use the OCI "Move resource" action when it is available.
- If the resource cannot be moved, recreate it in the destination compartment and migrate the workload.
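The first remediation step, identifying which CIS-scoped resources sit directly in the root compartment, can be scripted against a resource inventory. The following is an added example, not the policy's own prod.logic.yaml logic: it relies on the fact that the root compartment's OCID is the tenancy OCID, assumes records shaped like OCI resource-search output (the field names and the set of scoped types are assumptions), and uses constructed placeholder OCIDs.

```python
"""Flag CIS-scoped OCI resources that live directly in the root compartment.

Added example (not Cloudaware's policy code). In OCI the root compartment's
OCID is the tenancy OCID, so "created in the root compartment" reduces to
compartment-id == tenancy OCID. Record field names mirror the shape of
`oci search resource structured-search` output (assumption).
"""
from dataclasses import dataclass

# Resource types the benchmark item cares about (assumed illustrative subset).
CIS_SCOPED_TYPES = {"Instance", "Bucket", "Vcn", "Database", "BootVolume"}
# Types that legitimately live in root and must never become findings.
EXEMPT_TYPES = {"Compartment", "Tenancy"}
# Lifecycle states that mean the resource is gone and not worth reporting.
GONE_STATES = {"TERMINATED", "DELETED"}


@dataclass(frozen=True)
class Finding:
    identifier: str
    resource_type: str
    display_name: str


def find_root_compartment_resources(resources, tenancy_ocid, scoped_types=CIS_SCOPED_TYPES):
    """Return scoped, live resources whose compartment is the root (tenancy) compartment."""
    findings = []
    for r in resources:
        rtype = r.get("resource-type", "")
        if rtype in EXEMPT_TYPES or rtype not in scoped_types:
            continue
        if r.get("lifecycle-state", "").upper() in GONE_STATES:
            continue
        if r.get("compartment-id") != tenancy_ocid:
            continue
        findings.append(Finding(r["identifier"], rtype, r.get("display-name", "")))
    return findings


def evaluate_tenancy(resources, tenancy_ocid):
    """Policy verdict for one tenancy plus the offending resources."""
    findings = find_root_compartment_resources(resources, tenancy_ocid)
    return ("NON_COMPLIANT" if findings else "COMPLIANT", findings)


# Constructed sample inventory with placeholder OCIDs (not real identifiers).
TENANCY_OCID = "ocid1.tenancy.oc1..placeholder"
SAMPLE_RESOURCES = [
    {"resource-type": "Compartment", "identifier": "ocid1.compartment.oc1..prod",
     "compartment-id": TENANCY_OCID, "display-name": "prod", "lifecycle-state": "ACTIVE"},
    {"resource-type": "Instance", "identifier": "ocid1.instance.oc1..web1",
     "compartment-id": TENANCY_OCID, "display-name": "web-1", "lifecycle-state": "RUNNING"},
    {"resource-type": "Instance", "identifier": "ocid1.instance.oc1..old",
     "compartment-id": TENANCY_OCID, "display-name": "old", "lifecycle-state": "TERMINATED"},
    {"resource-type": "Bucket", "identifier": "ocid1.bucket.oc1..logs",
     "compartment-id": "ocid1.compartment.oc1..prod", "display-name": "logs", "lifecycle-state": "ACTIVE"},
]
```

Run against a real inventory, the findings list is the work queue for the "Move resource" step above; the compartment record in root and the terminated instance are deliberately not reported.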
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| CIS Oracle v3.1.0 → 6.2 Ensure no resources are created in the root compartment - Level 1 (Automated) | 1 | no data | | | |
| Cloudaware Framework → General Access Controls | 20 | no data | | | |