Bulk update security controls
PUT /api/v1/applications/bulk
This API updates all application instances in Oracle CASB Cloud Service. The update request type must be set to securitycontrolbulkupdate, and the application name must be specified as AWS.
Request
Supported Media Types
- application/json
Header Parameters
-
Authorization: string
Contains the authorization token received by making the create token API call. The value is 'Bearer' followed by the token, which starts with v2.
-
X-Apprity-Tenant-Id: string
The tenant ID for which you are making this call.
The body of a bulk update contains only the security controls to be updated, along with the update type and application name.
Root Schema : ApplicationUpdateRequest
Type:
object
The body of the update request depends on the kind of update you want to make: CREDENTIALUPDATE, SECURITYCONTROLUPDATE, or SECURITYANDCREDENTIAL. Depending on the update type you choose, the corresponding securityControls and credentials fields must be populated.
-
applicationName:
string
Name of the application instance to be updated.
-
applicationUpdateRequestType:
string
One of these 3 values: CREDENTIALUPDATE, SECURITYCONTROLUPDATE, or SECURITYANDCREDENTIAL.
-
credentials:
object ApplicationCredentials
Body for creating credentials for AWS. The fields in the Application Credentials are needed for successfully reaching AWS and creating the instance.
-
securityControls:
object SecurityControls
This body represents the security controls passed to AWS. The Security Control Type is either Stringent, Standard, or Custom.
Nested Schema : ApplicationCredentials
Type:
object
Body for creating credentials for AWS. The fields in the Application Credentials are needed for successfully reaching AWS and creating the instance.
-
accessKey:
string
AWS specifies an access key and secret key pair to create an instance. The first part of the pair is the access key.
-
accountId:
string
Can be left blank, if the mode is basic. Only needed in case of cross-account.
-
externalId:
string
Can be left blank, if the mode is basic. Only needed in case of cross-account.
-
mode:
string
Can be either BASIC or CROSSACCOUNT. If the mode is cross-account, then the role ARN and external ID are mandatory parameters.
-
roleArn:
string
Can be left blank, if the mode is basic. Only needed in case of cross-account.
-
roleName:
string
Can be left blank, if the mode is basic. Only needed in case of cross-account.
-
secretKey:
string
AWS specifies an access key and secret key pair to create an instance. The second part of the pair is the secret key.
-
serviceinstancename:
string
Can be left blank, if the mode is basic. Only needed in case of cross-account.
-
ssoproperties(optional):
array ssoproperties
Can be left blank, if the mode is basic. Only needed in case of cross-account.
Nested Schema : SecurityControls
Type:
object
This body represents the security controls passed to AWS. The Security Control Type is either Stringent, Standard, or Custom.
-
securityControlParameters:
object SecurityControlParameters
These are the controls which AWS provides to define the security posture of an instance. See individual properties for details on each.
-
securityControlType:
string
Value set to either Stringent, Standard, or Custom.
Nested Schema : ssoproperties
Type:
array
Can be left blank, if the mode is basic. Only needed in case of cross-account.
Nested Schema : SecurityControlParameters
Type:
object
These are the controls which AWS provides to define the security posture of an instance. See individual properties for details on each.
-
allowUsersToChangePassword(optional):
boolean
Default Value:
false
Set to true to allow all IAM users in your account to use the IAM console to change their own passwords.
-
ebsNonEncryptedVolumes(optional):
boolean
Default Value:
false
Set to true to check EBS volume encryption status.
-
ebsNonEncryptedVolumesFilter:
string
If you don't want to trigger an alert for certain non-encrypted volumes, you can set those exceptions here.
-
ec2NAclAllowAllChecker(optional):
boolean
Default Value:
false
Set to true to check whether network ACLs have Allow All set as the default.
-
ec2NAclPortsChecker(optional):
boolean
Default Value:
false
Set to true to require network ACLs to use secure open ports.
-
ec2NAclPortsCheckerFilter:
string
If there are specific unsecured ports that you don't want to trigger an alert when your security control baseline says that secured ports are required, then you must select the Custom baseline type and set those exceptions here.
-
ec2SecurityGroupChecker(optional):
boolean
Default Value:
false
Set to true to require security group checking for unsecured ports.
-
ec2SecurityGroupCheckerFilter:
string
If you don't want to trigger an alert for certain EC2 security groups, you can set those exceptions here.
-
hardExpiry(optional):
boolean
Default Value:
false
Set this to true to prevent IAM users from choosing a new password after their current password has expired. For example, if the password policy specifies a password expiration period but an IAM user fails to choose a new password before that period ends, the IAM user cannot set a new password. In that case, the IAM user must request a password reset from an account administrator in order to regain access to the AWS Management Console. If you leave this set to false and an IAM user allows his or her password to expire, the user will be required to set a new password before accessing the AWS Management Console.
-
maxPasswordAge(optional):
integer(int32)
Minimum Value:
1
Maximum Value:
1095
You can set IAM user passwords to be valid for only the specified number of days. You specify the number of days that passwords remain valid after they are set. For example, when you enable password expiration and set the password expiration period to 90 days, an IAM user can use a password for up to 90 days. After 90 days, the password expires and the IAM user must set a new password before accessing the AWS Management Console. You can choose a password expiration period between 1 and 1095 days, inclusive.
-
mfaChecker(optional):
boolean
Default Value:
false
Set to true to require the root user to use multifactor authentication.
-
minimumPasswordLength(optional):
integer(int32)
Minimum Value:
6
Maximum Value:
128
Specify the minimum number of characters allowed in an IAM user password. You can enter any number from 6 to 128.
-
passwordReusePrevention(optional):
integer(int32)
Minimum Value:
1
Maximum Value:
24
You can prevent IAM users from reusing a specified number of previous passwords. You can set the number of previous passwords from 1 to 24, inclusive.
-
r53NoHealthChecks(optional):
boolean
Default Value:
false
Set this to true to check use of Route 53 health checks.
-
r53NoHostedZones(optional):
boolean
Default Value:
false
Set this to true to check use of Route 53 hosted zones.
-
rdsNonEncryptedDbs(optional):
boolean
Default Value:
false
Set this to true to check RDS encryption status.
-
rdsNonEncryptedDbsFilter:
string
If you don't want to trigger an alert for certain non-encrypted DBs, you can set those exceptions here.
-
requireLowercaseCharacters(optional):
boolean
Default Value:
false
You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
-
requireNumbers(optional):
boolean
Default Value:
false
You can require that IAM user passwords contain at least one numeric character (0 to 9).
-
requireSymbols(optional):
boolean
Default Value:
false
You can require that IAM user passwords contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
-
requireUppercaseCharacters(optional):
boolean
Default Value:
false
You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
-
s3IsMfaEnableForDeleteBucketChecker(optional):
boolean
Default Value:
false
Require multifactor authentication when deleting an S3 bucket.
-
s3ServerSideEncryptChecker(optional):
boolean
Default Value:
false
Ensure that all S3 buckets are server-side encrypted.
-
s3ServerSideEncryptCheckerFilter:
string
You can filter the results by providing the S3 buckets that are to be excluded or allowed.
Response
Supported Media Types
- application/json
- application/gzip
200 Response
Successfully updated all application instances.
Root Schema : ApplicationBulkUpdateResponse
Type:
object
The bulk update response lists all instances to which the updates were applied, along with the individual status of each update.
-
applicationName(optional):
string
Name of the application type. Only AWS is supported right now.
-
applicationUpdate(optional):
array applicationUpdate
The list of updates performed in this bulk update.
-
message(optional):
string
Message indicating success or failure of the request.
-
tenantId(optional):
string
Tenant ID under which the instance was created.
Nested Schema : applicationUpdate
Type:
array
The list of updates performed in this bulk update.
-
Array of:
object ApplicationInstanceUpdateResponse
Each instance in a bulk update returns a response of this kind. It indicates whether the individual update succeeded or failed.
Nested Schema : ApplicationInstanceUpdateResponse
Type:
object
Each instance in a bulk update returns a response of this kind. It indicates whether the individual update succeeded or failed.
-
instanceId(optional):
string
ID of the instance to be updated.
-
instanceName(optional):
string
Name of the instance to be updated.
-
message(optional):
string
Message indicating success or failure during updating of that particular instance.
-
status(optional):
boolean
Default Value:
false
True or False, indicating success or failure of an individual update.
400 Response
Bad request format. Check the response for more information on which fields are inaccurate, and ensure that the request follows the documented format.
Root Schema : Error
Type:
object
-
code(optional):
string
HTTP Status Code.
-
message(optional):
string
The error message.
401 Response
Unauthorized bulk update API call. See response for more details.
Root Schema : Error
Type:
object
-
code(optional):
string
HTTP Status Code.
-
message(optional):
string
The error message.
403 Response
Bulk update request is forbidden. It is likely that the CASB APIs aren't enabled for the tenant.
Root Schema : Error
Type:
object
-
code(optional):
string
HTTP Status Code.
-
message(optional):
string
The error message.
404 Response
Resource requested was not found.
Root Schema : Error
Type:
object
-
code(optional):
string
HTTP Status Code.
-
message(optional):
string
The error message.
500 Response
Internal server error occurred. See response for more details.
Root Schema : Error
Type:
object
-
code(optional):
string
HTTP Status Code.
-
message(optional):
string
The error message.
Examples
The following examples show how to update all AWS application instances by submitting a PUT request.
Example Request Body: Updating Security Controls for All AWS Application Instances
{
  "applicationName": "AWS",
  "applicationUpdateRequestType": "SECURITYCONTROLBULKUPDATE",
  "securityControls": {
    "securityControlType": "custom",
    "securityControlParameters": {
      "minimumPasswordLength": 14,
      "requireUppercaseCharacters": false,
      "requireLowercaseCharacters": false,
      "requireNumbers": false,
      "requireSymbols": false,
      "allowUsersToChangePassword": false,
      "maxPasswordAge": 45,
      "passwordReusePrevention": 5,
      "hardExpiry": false,
      "mfaChecker": false,
      "s3ServerSideEncryptChecker": false,
      "s3IsMfaEnableForDeleteBucketChecker": false,
      "ec2SecurityGroupChecker": false,
      "ec2NAclPortsChecker": false,
      "ec2NAclAllowAllChecker": false,
      "r53NoHostedZones": false,
      "r53NoHealthChecks": false,
      "ebsNonEncryptedVolumes": false,
      "rdsNonEncryptedDbs": false
    }
  }
}
Example Response Body: Updating Security Controls for All AWS Application Instances
The following example shows the contents of the response body in JSON format:
{
  "applicationName": "AWS",
  "tenantId": "abcdefgh-1234-ijkl-5678-mnopqrstuvwx",
  "applicationUpdate": [
    {
      "instanceId": "12345678-9101-abcd-efgh-ijklmnopqrst",
      "instanceName": "monitor_custom_basic",
      "message": "Successfully updated instance",
      "status": true
    },
    {
      "instanceId": "12345678-9101-abcd-efgh-trsqponmlkji",
      "instanceName": "monitor_stringent_basic",
      "message": "Successfully updated instance",
      "status": true
    }
  ],
  "message": "Successfully updated all instances."
}
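The following client is an added example, not Oracle's code: it builds the ApplicationUpdateRequest body described under the request schema, checks the documented ranges of the integer controls before sending, submits the PUT with the two required headers, and walks the per-instance status list of the response schema, since a 200 does not by itself mean every instance updated. The base URL, the token and the sample response with a failed instance are constructed placeholders.

```python
import json
import urllib.request

# Inclusive ranges documented above for the integer SecurityControlParameters.
INT_RANGES = {"minimumPasswordLength": (6, 128),
              "maxPasswordAge": (1, 1095),
              "passwordReusePrevention": (1, 24)}

def check_ranges(params):
    """Return range violations for integer controls (empty when all are valid)."""
    return [f"{k}={params[k]} outside {lo}..{hi}"
            for k, (lo, hi) in INT_RANGES.items()
            if k in params and not lo <= params[k] <= hi]

def build_bulk_update(params, control_type="custom"):
    """Build the ApplicationUpdateRequest body: only the name, update type and
    securityControls are sent, and ranges are checked before anything leaves."""
    errors = check_ranges(params)
    if errors:
        raise ValueError("; ".join(errors))
    return {"applicationName": "AWS",
            "applicationUpdateRequestType": "SECURITYCONTROLBULKUPDATE",
            "securityControls": {"securityControlType": control_type,
                                 "securityControlParameters": dict(params)}}

def failed_instances(response):
    """Return (instanceName, message) for every instance whose status is false,
    since a 200 only means the bulk request ran, not that each instance succeeded."""
    return [(u.get("instanceName"), u.get("message"))
            for u in response.get("applicationUpdate", [])
            if not u.get("status", False)]

def send_bulk_update(base_url, token, tenant_id, body):
    """PUT the body to /api/v1/applications/bulk; base_url is an assumed placeholder."""
    req = urllib.request.Request(
        base_url + "/api/v1/applications/bulk",
        data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Authorization": "Bearer " + token,  # token from the create token call
                 "X-Apprity-Tenant-Id": tenant_id,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

# Constructed sample response (not from a live tenant) with one failed instance.
SAMPLE_RESPONSE = {"applicationName": "AWS", "message": "Updated all instances.",
                   "applicationUpdate": [
                       {"instanceName": "monitor_custom_basic", "status": True,
                        "message": "Successfully updated instance"},
                       {"instanceName": "monitor_stringent_basic", "status": False,
                        "message": "Update failed"}]}
```

Against a live tenant, pass the result of send_bulk_update to failed_instances and treat a non-empty list as a partial failure even though the HTTP status was 200.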