CIS 1.2 Level 1 Security Controls

The following information provides the Center for Internet Security, Inc. (CIS) security controls included in OELZ v2.

Recommendation 1.1: Ensure service level admins are created to manage resources of particular service (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: The following IAM groups are created, each with policies scoped to managing its own service resources: Network-Admins, Security-Admins, Platform-Admins, IAM-Admins, and Ops-Admins.

Recommendation 1.2: Ensure permissions on all resources are given only to the tenancy administrator group (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: Only the Administrators Group has permission for all resources. A single account break_glass_user_<number> is assigned to the Administrators Group.

Recommendation 1.3: IAM-Admins cannot update tenancy Administrators group (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: IAM-Admins are allowed to manage groups, dynamic groups, and policies. IAM-Admins should also be able to manage users and group permissions by way of the IdP. They can use and manage their own credentials, including API keys and auth tokens.

Recommendation 1.4: Ensure IAM password policy requires minimum length of 14 or greater (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: A custom password policy is applied that sets the Password length (minimum) criterion.

Recommendation 1.5: Ensure IAM password policy expires passwords within 365 days (Manual)

  • Level: 1
  • Compliant: No
  • Oracle Enterprise Landing Zone: A custom password policy is needed for the Expires after (days) criterion. No Terraform is available for this setting, so configure it in the console:
    1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
    2. Select the identity domain you want to work in and click Settings.
    3. Click Password policy.
    4. Select the policy you want to modify. On the policy details page, click Edit password rules.
    5. Click Custom.
    6. Edit the criterion Expires after (days).
    7. Input 60 (recommended).

Recommendation 1.6: Ensure IAM password policy prevents password reuse (Manual)

  • Level: 1
  • Compliant: No
  • Oracle Enterprise Landing Zone: A custom password policy is needed for the password reuse criterion. No Terraform is available for this setting, so configure it in the console:
    1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
    2. Select the identity domain you want to work in and click Settings.
    3. Click Password policy.
    4. Select the policy you want to modify. On the policy details page, click Edit password rules.
    5. Click Custom.
    6. Edit the password reuse criterion and input 24 (recommended).

Recommendation 1.7: Ensure MFA is enabled for all users with a console password (Automated)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 1.8: Ensure user API keys rotate within 90 days or less (Automated)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 1.9: Ensure user customer secret keys rotate within 90 days or less (Automated)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 1.10: Ensure user auth tokens rotate within 90 days or less (Automated)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 1.11: Ensure API keys are not created for tenancy administrator users (Automated)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility
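Recommendations 1.8 through 1.11 are marked as customer responsibility, so the tenancy owner needs a way to find credentials older than 90 days and API keys on tenancy administrators. The script below is an added example, not part of the Oracle Enterprise Landing Zone code: it takes a per-user inventory in the key layout an `oci iam` listing produces (kebab-case keys such as `time-created`, `fingerprint`, `display-name`, `description`), which is an assumption about the input shape, and the `SAMPLE_USERS` data and the fixed audit date `AUDIT_NOW` are constructed for the illustration.

```python
"""Audit OCI user credentials for CIS 1.8-1.11 (added example, not OELZ code).

Input: one dict per user holding the user's API keys, customer secret keys and
auth tokens, in the key layout of `oci iam ... list` JSON output (assumed).
"""
from datetime import datetime, timezone

MAX_CREDENTIAL_AGE_DAYS = 90            # CIS 1.8 / 1.9 / 1.10: rotate within 90 days
TENANCY_ADMIN_GROUP = "Administrators"  # CIS 1.11: no API keys for these users

# Fixed "now" so the audit result is reproducible (constructed, not the real clock).
AUDIT_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Which inventory field holds which credential kind, and which key labels it.
CREDENTIAL_KINDS = {
    "api-keys": ("api-key", "fingerprint"),
    "customer-secret-keys": ("customer-secret-key", "display-name"),
    "auth-tokens": ("auth-token", "description"),
}

# Constructed sample inventory; names, fingerprints and timestamps are made up.
SAMPLE_USERS = [
    {
        "name": "alice",
        "groups": ["Network-Admins"],
        "api-keys": [{"fingerprint": "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00",
                      "time-created": "2024-01-10T08:00:00.000000+00:00"}],
        "customer-secret-keys": [],
        "auth-tokens": [{"description": "ci-pull", "time-created": "2024-04-15T08:00:00.000000+00:00"}],
    },
    {
        "name": "bob",
        "groups": ["Administrators"],
        "api-keys": [{"fingerprint": "c0:ff:ee:00:11:22:33:44:55:66:77:88:99:aa:bb:cc",
                      "time-created": "2024-05-20T08:00:00.000000+00:00"}],
        "customer-secret-keys": [{"display-name": "backup-sync",
                                  "time-created": "2024-02-01T08:00:00.000000+00:00"}],
        "auth-tokens": [],
    },
    {"name": "carol", "groups": ["Ops-Admins"]},   # no credentials at all
]


def parse_oci_time(value):
    """Parse an OCI ISO 8601 timestamp; normalise a trailing 'Z' for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_credentials(users, now, max_age_days=MAX_CREDENTIAL_AGE_DAYS):
    """Return every credential whose age in whole days exceeds max_age_days."""
    findings = []
    for user in users:
        for field, (kind, label_key) in CREDENTIAL_KINDS.items():
            for cred in user.get(field, []):
                age = (now - parse_oci_time(cred["time-created"])).days
                if age > max_age_days:
                    findings.append({"user": user["name"], "kind": kind,
                                     "label": cred.get(label_key), "age_days": age})
    return findings


def find_admin_api_keys(users, admin_group=TENANCY_ADMIN_GROUP):
    """Return (user, fingerprint) for API keys held by tenancy administrators."""
    return [(u["name"], k["fingerprint"])
            for u in users if admin_group in u.get("groups", [])
            for k in u.get("api-keys", [])]


if __name__ == "__main__":
    for f in find_stale_credentials(SAMPLE_USERS, AUDIT_NOW):
        print(f"ROTATE  {f['user']:<8} {f['kind']:<22} {f['label']} age={f['age_days']}d")
    for user, fp in find_admin_api_keys(SAMPLE_USERS):
        print(f"REMOVE  {user:<8} api-key on tenancy admin  {fp}")
```

Feeding real data means assembling the same structure from the tenancy's user, API key, customer secret key and auth token listings; the age rule is strictly greater than 90 days, matching "within 90 days or less" in the recommendation.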

Recommendation 1.12: Ensure all OCI IAM user accounts have a valid and current email address (Manual)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 1.13: Ensure Dynamic Groups are used for OCI instances, OCI Cloud Databases and OCI Function to access OCI resources. (Manual)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 2.1: Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 (Automated)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: The default security list is locked down and does not allow ingress from 0.0.0.0/0 to port 22.

Recommendation 2.2: Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 (Automated)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: The default security list is locked down and does not allow ingress from 0.0.0.0/0 to port 3389.

Recommendation 2.3: Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: No network security group allows ingress from 0.0.0.0/0 to port 22.

Recommendation 2.4: Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: No network security group allows ingress from 0.0.0.0/0 to port 3389.

Recommendation 2.5: Ensure the default security list of every VCN restricts all traffic except ICMP (Automated)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: The default security list of every VCN restricts all traffic with the exception of ICMP
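Recommendations 2.1 through 2.5 all reduce to inspecting security list and network security group rules: no ingress from 0.0.0.0/0 may reach port 22 or 3389, and the default security list of every VCN should carry nothing but ICMP. The checker below is an added example, not Oracle Enterprise Landing Zone code. It assumes rules in the key layout of `oci network security-list list` and `oci network nsg rules list` output (`source`, `protocol`, `tcp-options` with `destination-port-range`), and the three sample rule sets are constructed: one mimicking an unlocked default list, one mimicking a locked-down list, and one NSG whose wide port range quietly includes 3389.

```python
"""Check OCI security list / NSG rules for CIS 2.1-2.5 (added example, not OELZ code).

Rules are dicts in the key layout of OCI CLI network output (assumed).
"""

ANY_SOURCE = "0.0.0.0/0"
ADMIN_PORTS = {22: "SSH (CIS 2.1 / 2.3)", 3389: "RDP (CIS 2.2 / 2.4)"}
PROTO_TCP, PROTO_ICMP, PROTO_ALL = "6", "1", "all"

# Constructed: the factory-style default security list (SSH open, ICMP, egress all).
SAMPLE_DEFAULT_SECURITY_LIST = {
    "display-name": "Default Security List for vcn-sample",
    "ingress-security-rules": [
        {"source": ANY_SOURCE, "protocol": PROTO_TCP, "is-stateless": False,
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22},
                         "source-port-range": None}},
        {"source": ANY_SOURCE, "protocol": PROTO_ICMP, "is-stateless": False,
         "icmp-options": {"type": 3, "code": 4}},
        {"source": "10.0.0.0/16", "protocol": PROTO_ICMP, "is-stateless": False,
         "icmp-options": {"type": 3, "code": None}},
    ],
    "egress-security-rules": [
        {"destination": ANY_SOURCE, "protocol": PROTO_ALL, "is-stateless": False},
    ],
}

# Constructed: a locked-down default list that keeps only ICMP inside the VCN.
SAMPLE_LOCKED_DOWN_LIST = {
    "display-name": "Default Security List for vcn-locked",
    "ingress-security-rules": [
        {"source": "10.0.0.0/16", "protocol": PROTO_ICMP, "is-stateless": False,
         "icmp-options": {"type": 3, "code": None}},
    ],
    "egress-security-rules": [],
}

# Constructed NSG ingress rules: a 3000-4000 range that covers RDP, a scoped SSH
# rule from one documentation prefix, and a protocol "all" rule from anywhere.
SAMPLE_NSG_INGRESS_RULES = [
    {"direction": "INGRESS", "source": ANY_SOURCE, "protocol": PROTO_TCP,
     "tcp-options": {"destination-port-range": {"min": 3000, "max": 4000}}},
    {"direction": "INGRESS", "source": "203.0.113.0/24", "protocol": PROTO_TCP,
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"direction": "INGRESS", "source": ANY_SOURCE, "protocol": PROTO_ALL},
]


def rule_covers_tcp_port(rule, port):
    """True if the rule reaches TCP `port`: protocol 'all', or TCP whose
    destination range contains it, or TCP with no range (all TCP ports)."""
    proto = str(rule.get("protocol"))
    if proto == PROTO_ALL:
        return True
    if proto != PROTO_TCP:
        return False
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    if not rng:
        return True
    return rng["min"] <= port <= rng["max"]


def open_admin_ports(ingress_rules):
    """(port, rule) pairs where 0.0.0.0/0 can reach 22 or 3389 (CIS 2.1-2.4)."""
    return [(port, rule)
            for rule in ingress_rules if rule.get("source") == ANY_SOURCE
            for port in ADMIN_PORTS if rule_covers_tcp_port(rule, port)]


def non_icmp_rules(security_list):
    """Ingress and egress rules that are not ICMP; a compliant default list
    returns none (CIS 2.5)."""
    rules = (security_list.get("ingress-security-rules", [])
             + security_list.get("egress-security-rules", []))
    return [r for r in rules if str(r.get("protocol")) != PROTO_ICMP]


if __name__ == "__main__":
    for name, sl in (("default", SAMPLE_DEFAULT_SECURITY_LIST),
                     ("locked", SAMPLE_LOCKED_DOWN_LIST)):
        for port, _ in open_admin_ports(sl["ingress-security-rules"]):
            print(f"{name}: 0.0.0.0/0 reaches {ADMIN_PORTS[port]}")
        print(f"{name}: {len(non_icmp_rules(sl))} non-ICMP rule(s) in default list")
    for port, rule in open_admin_ports(SAMPLE_NSG_INGRESS_RULES):
        print(f"nsg: 0.0.0.0/0 reaches {ADMIN_PORTS[port]} via {rule.get('protocol')}")
```

The NSG sample is the case a port-equals-22 grep misses: a 3000-4000 range never mentions 3389 yet admits it, and a protocol "all" rule admits both ports, so the check works on ranges and protocol wildcards rather than literal port numbers.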

Recommendation 2.6: Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources. (Manual)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 2.7: Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network. (Manual)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 2.8: Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network (Manual)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 3.1: Ensure audit log retention period is set to 365 days (Automated)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: Audit log retention variable is set to 365 days

Recommendation 3.2: Ensure default tags are used on resources (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: The Oracle Enterprise Landing Zone includes a set of free-form tags that are applied to resources created within the template. Each resource is given a default assigned value for the Description tag. The values that you define when you create the Oracle Enterprise Landing Zone stack propagate to the CostCenter and GeoLocation tags.

Recommendation 3.3: Create at least one notification topic and subscription to receive monitoring alerts (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: IAM and network notification topics and subscriptions are created so that the corresponding admin groups receive monitoring alerts.

Recommendation 3.4: Ensure a notification is configured for Identity Provider changes (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: IAM notification is enabled for all IAM changes including IDP changes

Recommendation 3.5: Ensure a notification is configured for IdP group mapping changes (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: IAM notification is enabled for all IAM changes including group mapping changes

Recommendation 3.6: Ensure a notification is configured for IAM group changes (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: IAM notification is enabled for all IAM changes including IAM group changes

Recommendation 3.7: Ensure a notification is configured for IAM policy changes (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: IAM notification is enabled for all IAM changes including IAM policy changes

Recommendation 3.8: Ensure a notification is configured for user changes (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: IAM notification is enabled for all IAM changes including any user changes

Recommendation 3.9: Ensure a notification is configured for VCN changes (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: Network notification is enabled for all network changes, including VCN changes; all VCN subnets are monitored.

Recommendation 3.10: Ensure a notification is configured for changes to route tables (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: Network notification is enabled for all network changes including changes to route tables

Recommendation 3.11: Ensure a notification is configured for security list changes (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: Network notification is enabled for all network changes including changes to security lists

Recommendation 3.12: Ensure a notification is configured for network security group changes (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: Network notification is enabled for all network changes, including changes to network security groups.

Recommendation 3.13: Ensure a notification is configured for changes to network gateways (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: Network notification is enabled for all network changes including changes to network gateways

Recommendation 3.14: Ensure VCN flow logging is enabled for all subnets (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: VCN flow logging is enabled for all subnets

Recommendation 3.15: Ensure Cloud Guard is enabled in the root compartment of the tenancy (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: Cloud Guard is enabled in the root compartment of the tenancy home region. Note that for brownfield customers, Cloud Guard may already be deployed in the tenancy home region, in which case Oracle Enterprise Landing Zone does not need to re-deploy Cloud Guard.

Recommendation 3.16: Ensure customer-created Customer Managed Key (CMK) is rotated at least annually (Manual)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Customer responsibility

Recommendation 4.1.1: Ensure no Object Storage buckets are publicly visible (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: Public visibility is disabled for the Oracle Enterprise Landing Zone Object Storage buckets

Recommendation 5.1: Create at least one compartment in your tenancy to store cloud resources (Manual)

  • Level: 1
  • Compliant: Customer
  • Oracle Enterprise Landing Zone: Compartments are created (for example, the Network compartment), and the Network-Admins group is assigned appropriate access to them.

Recommendation 5.2: Ensure no resources are created in the root compartment (Manual)

  • Level: 1
  • Compliant: Yes
  • Oracle Enterprise Landing Zone: No cloud resources, such as compute instances, block volumes, or network services, are created in the root compartment by Oracle Enterprise Landing Zone.