๐Ÿ›ก๏ธ Oracle Tenancy has no active customer-managed compartments๐ŸŸข

  • Contextual name: 🛡️ Tenancy has no active customer-managed compartments🟢
  • ID: /ce/ca/oracle/tenancy/tenancy-without-compartments
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

This policy identifies Oracle Tenancies that do not contain any active customer-managed compartments. Each tenancy should have at least one active customer-managed compartment so OCI resources can be organized under clear administrative and security boundaries instead of relying only on the root compartment or Oracle-managed compartments.

Rationale

Compartments are a foundational OCI governance control. They provide clear boundaries for resource isolation, delegated administration, IAM policy scoping, quotas, tagging, and operational ownership. Creating dedicated compartments helps organizations separate workloads by environment, application, business unit, or data sensitivity.

When a tenancy does not have any active customer-managed compartments, teams are forced to rely on the root compartment or Oracle-managed compartments for resource organization. This weakens least-privilege administration, makes policy scoping less precise, and reduces clarity around ownership and accountability.

Establishing at least one active customer-managed compartment is a basic tenancy governance requirement and a prerequisite for building a scalable compartment strategy across environments, teams, and workloads.

Remediation

Create and Use a Customer-Managed Compartment

Create at least one active customer-managed compartment and use it as the administrative boundary for OCI workloads instead of relying only on the root compartment or the OCI-managed ManagedCompartmentForPaaS compartment.

Before remediation, confirm the following:

  • The compartment naming standard aligns with your tenancy governance model.
  • Required IAM policies are in place for administrators, automation, and services.
  • Tags, quotas, budgets, and monitoring are configured for the new compartment as needed.
  • Existing workloads that should not remain in the root compartment are planned for migration.

From Oracle Cloud Console

  1. Open Identity & Security, then select Compartments.
  2. Click Create Compartment.
  3. For the parent compartment, select the tenancy root compartment unless your governance model requires a different parent.
  4. Enter a compartment name and description that match your organizational standard.
  5. Click Create Compartment.
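
To confirm the result after the compartment is created, the check below applies the rule from the description to a compartment listing. It is an added example, not Cloudaware's policy logic or Oracle's code. It assumes the listing is the JSON printed by `oci iam compartment list --compartment-id <tenancy OCID>` (a `data` array with `id`, `name` and `lifecycle-state` fields); the function names and sample records are constructed for illustration.

```python
import json

# OCI-managed compartment named in the remediation text above.
ORACLE_MANAGED_NAMES = {"ManagedCompartmentForPaaS"}

def customer_managed_active(list_output, tenancy_ocid):
    """Names of ACTIVE compartments that are neither root nor Oracle-managed."""
    if not list_output.strip():
        return []  # empty output is treated as "no compartments"
    names = []
    for rec in json.loads(list_output).get("data", []):
        if rec.get("id") == tenancy_ocid:
            continue  # the root compartment does not count
        if rec.get("name") in ORACLE_MANAGED_NAMES:
            continue  # Oracle-managed, not customer-managed
        if rec.get("lifecycle-state") != "ACTIVE":
            continue  # CREATING, INACTIVE, DELETING, DELETED do not count
        names.append(rec.get("name") or rec.get("id", ""))
    return sorted(names)

def tenancy_is_compliant(list_output, tenancy_ocid):
    """True when at least one active customer-managed compartment exists."""
    return bool(customer_managed_active(list_output, tenancy_ocid))

# Constructed sample data (placeholder OCIDs, not from a real tenancy).
TENANCY = "ocid1.tenancy.oc1..exampleroot"
BEFORE = json.dumps({"data": [
    {"id": "ocid1.compartment.oc1..examplepaas", "name": "ManagedCompartmentForPaaS",
     "compartment-id": TENANCY, "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.compartment.oc1..exampleold", "name": "legacy-sandbox",
     "compartment-id": TENANCY, "lifecycle-state": "DELETED"},
]})
AFTER = json.dumps({"data": json.loads(BEFORE)["data"] + [
    {"id": "ocid1.compartment.oc1..exampleprod", "name": "prod-workloads",
     "compartment-id": TENANCY, "lifecycle-state": "ACTIVE"},
]})

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        print(label, tenancy_is_compliant(out, TENANCY),
              customer_managed_active(out, TENANCY))
```

A tenancy whose only compartments are Oracle-managed or deleted fails the check, which is the condition this policy flags.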


policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Oracle v3.1.0 → 💼 6.1 Create at least one compartment in your tenancy to store cloud resources - Level 1 (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 General Access Controls | 20 | no data