Deploy a Secure Landing Zone That Meets the CIS Foundations Benchmark for Oracle Cloud

To run your workloads in Oracle Cloud, you need a secure environment that you can operate efficiently. This reference architecture provides a Terraform-based landing zone template that meets the security guidance prescribed in the CIS Oracle Cloud Infrastructure Foundations Benchmark.

Architecture

The architecture starts with the compartment design for the tenancy along with groups and policies for segregation of duties. In Landing Zone V2 provisioning of Landing Zone compartments within a designated parent compartment is supported. Each of the Landing Zone compartments is assigned a group with the appropriate permissions for managing resources in the compartment and for accessing required resources in other compartments.

Landing Zone V2 brings in the ability of provisioning multiple VCNs, either in standalone mode or as constituent parts of a Hub and Spoke architecture. The VCNs can either follow a general purpose standard three-tier network topology or oriented towards specific topologies, like supporting Oracle Exadata Database Service deployments. They are out-of-box configured with the necessary routing, with their inbound and outbound interfaces properly secured.

The Landing Zone includes various preconfigured security services that can be deployed in tandem with the overall architecture for a strong security posture. These services are Oracle Cloud Guard, Flow Logs, Oracle Cloud Infrastructure Service Connector Hub, Vault with customer managed keys, Oracle Cloud Infrastructure Vulnerability Scanning Service, Oracle Cloud Infrastructure Bastion, and Oracle Security Zones. Notifications are set using Topics and Events for alerting administrators about changes in the deployed resources.

The following diagram illustrates this reference architecture.

Description of the illustration oci-cis-landingzone.png

oci-cis-landingzone-oracle.zip

The architecture has the following components:

• Tenancy

  A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

• Policies

  An Oracle Cloud Infrastructure Identity and Access Management policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy.

• Compartments

  Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  The resources in this landing zone template are provisioned in the following compartments:

  • A Network compartment for all the networking resources, including the required network gateways.
  • A Security compartment for the logging, key management, and notifications resources.
  • An App compartment for the application-related services, including compute, storage, functions, streams, Kubernetes nodes, API gateway, and so on.
  • A Database compartment for all database resources.
  • An optional compartment for Oracle Exadata Database Service infrastructure.
  • An optional enclosing compartment containing all compartments above.

  The grayed out icons in the diagram indicate services that are not provisioned by the template.

  This compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically separated among networking, security, application development, and database administrators.

• Virtual cloud network (VCN) and subnets

  A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  By default, the template deploys a general purpose standard three-tier VCN with one public subnet and two private subnets. A public subnet is used for the load balancers and bastion servers. The application and database tiers are attached to separate private subnets. The template can also create VCNs to support the deployment of specific workloads, like Oracle Exadata Database Service.

• Internet gateway

  The internet gateway allows traffic between the public subnets in a VCN and the public internet.

• Dynamic routing gateway (DRG)

  The DRG is a virtual router that provides a path for private network traffic between on-premises networks and VCNs and can also be used to route traffic between VCNs in the same region or across regions.

• NAT gateway

  A NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

• Service gateway

  The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

• Oracle services network

  The Oracle Services Network (OSN) is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services. These services have public IP addresses that you can reach over the internet. Hosts outside Oracle Cloud can access the OSN privately by using Oracle Cloud Infrastructure FastConnect or VPN Connect. Hosts in your VCNs can access the OSN privately through a service gateway.

• Network security groups (NSGs)

  Network security group (NSG) acts as a virtual firewall for your cloud resources. With the zero-trust security model of Oracle Cloud Infrastructure, all traffic is denied, and you can control the network traffic inside a VCN. An NSG consists of a set of ingress and egress security rules that apply to only a specified set of VNICs in a single VCN.

• Events

  Oracle Cloud Infrastructure services emit events, which are structured messages that describe the changes in resources. Events are emitted for create, read, update, or delete (CRUD) operations, resource lifecycle state changes, and system events that affect cloud resources.

• Notifications

  The Oracle Cloud Infrastructure Notifications service broadcasts messages to distributed components through a publish-subscribe pattern, delivering secure, highly reliable, low latency, and durable messages for applications hosted on Oracle Cloud Infrastructure.

• Vault

  Oracle Cloud Infrastructure Vault enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to secure access to your resources in the cloud. You can use the Vault service to create and manage vaults, keys, and secrets.

• Logs
  Logging is a highly scalable and fully managed service that provides access to the following types of logs from your resources in the cloud:

  • Audit logs: Logs related to events emitted by the Audit service.
  • Service logs: Logs emitted by individual services such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs.
  • Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.
• Service connectors

  Oracle Cloud Infrastructure Service Connector Hub is a cloud message bus platform that orchestrates data movement between services in OCI. You can use it to move data between services in Oracle Cloud Infrastructure. Data is moved using service connectors. A service connector specifies the source service that contains the data to be moved, the tasks to perform on the data, and the target service to which the data must be delivered when the specified tasks are completed.

  You can use Oracle Cloud Infrastructure Service Connector Hub to quickly build a logging aggregation framework for SIEM systems.

• Cloud Guard

  Oracle Cloud Guard helps you achieve and maintain a strong security posture in Oracle Cloud by monitoring the tenancy for configuration settings and actions on resources that could pose a security problem.

  You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

• Security zone

  A security zone is associated with one or more compartments and a security zone recipe. When you create and update resources in a security zone, Oracle Cloud Infrastructure (OCI) validates these operations against the list of policies that are defined in the security zone recipe. If any security zone policy is violated, then the operation is denied.

  Security zones ensure that your OCI resources comply with your security policies, including Oracle Cloud Infrastructure Compute, Oracle Cloud Infrastructure Networking, Oracle Cloud Infrastructure Object Storage, Oracle Cloud Infrastructure Block Volumes, and Database resources.

• Vulnerability Scanning Service

  Oracle Cloud Infrastructure Vulnerability Scanning Service helps improve the security posture in Oracle Cloud by routinely checking ports and hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.

• Bastion service

  Oracle Cloud Infrastructure Bastion service provides restricted access from specific IP addresses to target OCI resources that do not have public endpoints using Identity-based, audited and time-bound Secure Shell (SSH) sessions.

• Object Storage

  Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

Recommendations

Use the following recommendations as a starting point to design and configure security for your cloud environment. Your requirements might differ from the architecture described here.

• Network configuration

  For the VCN, select a CIDR block that doesn't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

• Monitoring security

  Use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

• Secure resource provisioning

  For resources that require maximum security, use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.

Considerations

When implementing this reference architecture, consider the following factors:

• Access permissions

  The Landing Zone template can provision resources as the tenancy administrator (any user that is a member of the Administrators group) or as a user with narrower permissions. See Explore More for "Deployment Modes for CIS OCI Landing Zone".

  The Landing Zone template provisions resources as the tenancy administrator (any user that is a member of the Administrators group), and it includes policies to allow separate administrator groups to manage each compartment after the initial provisioning. The preconfigured policies do not cover all possible resources available in OCI, that is, they are applicable to the resources currently deployed by the template. If you add resources to the Terraform template, you must define the required additional policy statements.

• Network Configuration

  The Landing Zone network can be deployed in different ways: with one to multiple standalone VCNs or in a Hub & Spoke architecture with Oracle Cloud Infrastructure DRG V2 service. It is also possible to configure the network with no Internet connectivity. Although the Landing Zone allows for switching back and forth between standalone and Hub & Spoke, it is important to plan for a specific design, as manual actions might be needed when switching.

• Customizing the Landing Zone Template

  The Terraform configuration has a single root module and individual modules to provision the resources. This modular pattern enables efficient and consistent code reuse. To add resources to the Terraform configuration, reuse the existing modules, but override the specific variable with your required configuration using Terraform's override files. For example, to add a new compartment, define a new map of compartment objects in your override.tf file with the same name as the original map of compartments. For more details, see Customizing the Landing Zone.

Deploy

The Terraform code for this solution is available in GitHub. You can pull the code into Oracle Cloud Infrastructure Resource Manager with a single click, create the stack, and deploy it. Alternatively, download the code from GitHub to your computer, customize the code, and deploy the architecture by using the Terraform CLI.

• Deploy by using Oracle Cloud Infrastructure Resource Manager:
  1. Click

     If you aren't already signed in, enter the tenancy and user credentials.

  2. Review and accept the terms and conditions.
  3. Select the region where you want to deploy the stack.
  4. Follow the on-screen prompts and instructions to create the stack.
  5. After creating the stack, click Terraform Actions, and select Plan.
  6. Wait for the job to be completed, and review the plan.

     To make any changes, return to the Stack Details page, click Edit Stack, and make the required changes. Then, run the Plan action again.

  7. If no further changes are necessary, return to the Stack Details page, click Terraform Actions, and select Apply.
• Deploy by using the Terraform CLI:
  1. Go to GitHub.
  2. Download or clone the code to your local computer.
  3. Follow the instructions in the README.

Explore More

Learn more about setting up and operating a secure environment in Oracle Cloud.

• Best practices framework for Oracle Cloud Infrastructure
• Security checklist for Oracle Cloud Infrastructure
• CIS Oracle Cloud Infrastructure Foundations Benchmark

See the following blog posts:

• Creating a Secure Multi-Region Landing Zone
• OCI Secure Landing Zone Quick Start Template, Version 2
• OCI Secure Landing Zone Deployment Modes
• How to Deploy OCI Secure Landing Zone for Exadata Cloud Service

Change Log

This log lists significant changes:

May 2, 2023	Revised the architecture diagram and corresponding text. Revised the following sections in Considerations: "Access permissions", and "Customizing the Landing Zone Template". Updated Deploy. You can also deploy directly from GitHub using the Deploy to Oracle Cloud button.
October 19, 2021	Revised the architecture diagram and text to include the optional Oracle Exadata compartment and administrator. Enhanced the content in Architecture, Considerations, and Deploy sections.