Deploy a Secure Landing Zone That Meets the CIS Foundations Benchmark for Oracle Cloud

To run your workloads in Oracle Cloud, you need a secure environment that you can operate efficiently. This reference architecture provides a Terraform-based landing zone template that meets the security guidance prescribed in the CIS Oracle Cloud Infrastructure Foundations Benchmark.

Architecture

This architecture is for a standard three-tier network topology. It starts with the compartment design for the tenancy, along with the groups and policies that implement segregation of duties. Landing Zone V2 supports provisioning the Landing Zone compartments within a designated parent compartment. Each Landing Zone compartment is assigned a group with the permissions needed to manage resources in that compartment and to access required resources in other compartments.

A standard three-tier network topology is used. Landing Zone V2 adds the ability to provision multiple VCNs, either as standalone networks or as parts of a hub-and-spoke architecture. The VCNs are set up out of the box with the necessary routing, and their inbound and outbound interfaces are secured.

The Landing Zone includes several preconfigured security services that can be deployed together with the overall architecture for a strong security posture: Cloud Guard, VCN flow logs, Service Connector Hub, Vault with customer-managed keys, and Vulnerability Scanning. Notifications are configured using topics and events to alert administrators about changes to the deployed resources.

The following diagram illustrates this reference architecture.

[Diagram: oci-cis-landingzone.png, illustrating the reference architecture]

The architecture has the following components:

  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy.

  • Policies

    An Oracle Cloud Infrastructure Identity and Access Management policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy.

  • Compartments

    Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

    The resources in this landing zone template are provisioned in the following compartments:
    • A Network compartment for all the networking resources, including the required network gateways.
    • A Security compartment for the logging, key management, and notifications resources.
    • An AppDev compartment for the application-related services, including compute, storage, functions, streams, Kubernetes nodes, API gateway, and so on.
    • A Database compartment for all database resources.

    The grayed out icons in the diagram indicate services that are not provisioned by the template.

    This compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically separated among networking, security, application development, and database administrators.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

    All the resources in this architecture are in a single VCN. A public subnet is used for the load balancers and bastion servers. The application and database tiers are attached to separate private subnets.

  • Internet gateway

    The internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • Dynamic routing gateway (DRG)

    The DRG is a virtual router that provides a path for private network traffic between on-premises networks and VCNs and can also be used to route traffic between VCNs in the same region or across regions.

  • NAT gateway

    The NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Oracle services network

    The Oracle services network (OSN) is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services. These services have public IP addresses that you can reach over the internet. Hosts outside Oracle Cloud can access the OSN privately by using Oracle Cloud Infrastructure FastConnect or VPN Connect. Hosts in your VCNs can access the OSN privately through a service gateway.

  • Network security groups (NSGs)

NSGs act as virtual firewalls for your cloud resources. With the zero-trust security model of Oracle Cloud Infrastructure, all traffic is denied by default, and you control which traffic is allowed inside a VCN. An NSG consists of a set of ingress and egress security rules that apply only to a specified set of VNICs in a single VCN.

  • Events

    Oracle Cloud Infrastructure services emit events, which are structured messages that describe the changes in resources. Events are emitted for create, read, update, or delete (CRUD) operations, resource lifecycle state changes, and system events that affect cloud resources.

  • Notifications

    The Oracle Cloud Infrastructure Notifications service broadcasts messages to distributed components through a publish-subscribe pattern, delivering secure, highly reliable, low latency, and durable messages for applications hosted on Oracle Cloud Infrastructure.

  • Vault

    Oracle Cloud Infrastructure Vault enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to secure access to your resources in the cloud.

  • Logs

    Logging is a highly scalable and fully managed service that provides access to the following types of logs from your resources in the cloud:
    • Audit logs: Logs related to events emitted by the Audit service.
    • Service logs: Logs emitted by individual services such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs.
    • Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.

  • Service connectors

    Oracle Cloud Infrastructure Service Connector Hub is a cloud message bus platform. You can use it to move data between services in Oracle Cloud Infrastructure. Data is moved using service connectors. A service connector specifies the source service that contains the data to be moved, the tasks to perform on the data, and the target service to which the data must be delivered when the specified tasks are completed.

    You can use Oracle Cloud Infrastructure Service Connector Hub to quickly build a logging aggregation framework for SIEM systems.

  • Cloud Guard

    Oracle Cloud Guard helps you achieve and maintain a strong security posture in Oracle Cloud by monitoring the tenancy for configuration settings and actions on resources that could pose a security problem.

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Vulnerability Scanning Service

    Oracle Cloud Infrastructure Vulnerability Scanning Service helps improve the security posture in Oracle Cloud by routinely checking ports and hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.

  • Object storage

Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without any degradation in performance or service reliability. Use standard storage for "hot" data that you need to access quickly, immediately, and frequently. Use archive storage for "cold" data that you retain for long periods of time and rarely access.

Recommendations

Use the following recommendations as a starting point to design and configure security for your cloud environment. Your requirements might differ from the architecture described here.

  • Network configuration

    For the VCN, select a CIDR block that doesn't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

  • Monitoring security

    Use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Secure resource provisioning

    For resources that require maximum security, use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.
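
The CIDR rule in the Network configuration recommendation above, together with the subnet constraints described under Virtual cloud network (VCN) and subnets, as an added Python check that is not part of the landing zone template: the VCN, peer network and subnet CIDRs are constructed sample values.

```python
"""Check a planned VCN/subnet layout against the CIDR guidance on this page:
the VCN CIDR must not overlap any network it will privately connect to, and
subnets must lie inside the VCN without overlapping one another."""
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network


def find_peer_overlaps(vcn_cidr: str, peers: Dict[str, str]) -> List[str]:
    """Names of peer networks (on-premises, other VCNs, other clouds)
    whose CIDR overlaps the planned VCN CIDR."""
    vcn = Net(vcn_cidr)  # strict by default: rejects CIDRs with host bits set
    return [name for name, cidr in peers.items() if vcn.overlaps(Net(cidr))]


def check_subnets(vcn_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Problems with a subnet plan: a CIDR that is not a valid network address,
    a subnet outside the VCN, or two subnets that overlap."""
    vcn = Net(vcn_cidr)
    problems, nets = [], {}
    for name, cidr in subnets.items():
        try:
            nets[name] = Net(cidr)
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr} ({exc})")
    for name, net in nets.items():
        if not net.subnet_of(vcn):
            problems.append(f"{name} ({net}) is not inside VCN {vcn}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


# Constructed sample plan: a /20 VCN with the three-tier subnets from the diagram.
VCN_CIDR = "10.0.0.0/20"
PEERS = {"on-premises": "10.1.0.0/16", "other-vcn": "10.0.16.0/20",
         "other-cloud": "10.0.8.0/24"}          # the last one collides with the VCN
SUBNETS = {"public": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"}
BAD_SUBNETS = {"app": "10.0.2.0/24", "db": "10.0.2.128/25",   # db inside app
               "bastion": "10.0.20.0/24",                     # outside the VCN
               "lb": "10.0.4.7/24"}                           # host bits set

if __name__ == "__main__":
    print("peer overlaps:", find_peer_overlaps(VCN_CIDR, PEERS))
    print("subnet problems:", check_subnets(VCN_CIDR, SUBNETS) or "none")
    for p in check_subnets(VCN_CIDR, BAD_SUBNETS):
        print("PROBLEM:", p)
```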

Considerations

When implementing this reference architecture, consider the following factors:

  • Access permissions

    The Landing Zone template can provision resources as the tenancy administrator (any user that is a member of the Administrators group) or as a user with narrower permissions. See Explore More for "Deployment Modes for CIS OCI Landing Zone".

    The Landing Zone includes policies to allow separate administrator groups to manage each compartment after the initial provisioning. The preconfigured policies are not exhaustive. When you add resources to the Terraform template, you must define the required additional policy statements.

  • Network Configuration

The Landing Zone network can be deployed in different ways: with one or more standalone VCNs, or in a hub-and-spoke architecture using the Oracle Cloud Infrastructure DRG V2 service. It is also possible to configure the network with no Internet connectivity. Although the Landing Zone allows switching back and forth between standalone and hub-and-spoke, plan for a specific design, because manual actions might be needed when switching.

  • Customizing the Landing Zone Template

    The Terraform configuration has a single root module and individual modules to provision the resources. This modular pattern enables efficient and consistent code reuse. To add resources to the Terraform configuration (for example, compartments or VCNs), reuse the existing modules and add the necessary module calls, similar to the existing ones in the root module. Most modules accept a map of resource objects, which are usually keyed by the resource name. To add objects to an existing container object (for example, to add a subnet to a VCN), add the subnet resources to the existing subnets map.
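
The policy model described under Policies and Compartments, and the requirement in the Access permissions consideration above to write additional policy statements when you add resources, as an added Python audit that is not part of the landing zone template: it parses classic OCI policy statements and flags any group that can manage resources outside the one compartment it administers. The group and compartment names and the sample statements are constructed.

```python
"""Audit OCI IAM policy statements against the segregation-of-duties design on
this page: a compartment admin group may 'manage' only its own compartment."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Classic form: Allow group G to VERB RESOURCE in compartment C | in tenancy [where ...]
_STMT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<comp>\S+)|(?P<ten>tenancy))"
    r"(?:\s+where\s+.+)?$", re.IGNORECASE)


def parse_statement(text: str) -> Optional[Tuple[str, str, str, str]]:
    """(group, verb, resource, scope); scope is a compartment name or 'tenancy'. None if unparsed."""
    m = _STMT.match(text.strip())
    if not m:
        return None
    return m["group"], m["verb"].lower(), m["resource"], "tenancy" if m["ten"] else m["comp"]


def audit_policies(statements: List[str], owners: Dict[str, str], tenancy_admins: Set[str]) -> List[str]:
    """owners maps each compartment admin group to the compartment it administers.
    Flags unparseable statements, 'manage' in the tenancy by a non-tenancy-admin group,
    and 'manage' in a compartment the group does not own (inspect/read/use are allowed)."""
    findings = []
    for s in statements:
        parsed = parse_statement(s)
        if parsed is None:
            findings.append(f"unrecognised statement form: {s}")
            continue
        group, verb, resource, scope = parsed
        if verb != "manage" or group in tenancy_admins:
            continue
        if scope == "tenancy":
            findings.append(f"{group} may manage {resource} in the whole tenancy")
        elif owners.get(group) != scope:
            findings.append(f"{group} may manage {resource} in compartment {scope} "
                            f"but administers {owners.get(group, 'no compartment')}")
    return findings


# Constructed sample; group and compartment names are assumptions, not the template's own.
OWNERS = {"Network-Admins": "Network", "Security-Admins": "Security",
          "AppDev-Admins": "AppDev", "Database-Admins": "Database"}
SAMPLE = [
    "Allow group Network-Admins to manage virtual-network-family in compartment Network",
    "Allow group AppDev-Admins to read virtual-network-family in compartment Network",
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group AppDev-Admins to manage all-resources in tenancy",                        # finding
    "Allow group Database-Admins to manage virtual-network-family in compartment Network",  # finding
    "Allow any-user to use log-content in tenancy where request.principal.type = 'x'",      # not parsed
]
```

Run `audit_policies(SAMPLE, OWNERS, {"Administrators"})` to list the findings for the sample; statements that use identity-domain group syntax or the any-user/service forms are reported as unrecognised rather than silently skipped.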

Deploy

The Terraform code for deploying this reference architecture is available in GitHub.

  1. Go to GitHub.
  2. Clone or download the repository to your local computer.
  3. Deploy the infrastructure by using Terraform, as described in terraform.md.

Note:

The code that you downloaded includes a script that you can use to check the security configuration of the resources in any tenancy. The script examines all the resource types referenced in the CIS Oracle Cloud Infrastructure Foundations Benchmark, and provides a summary compliance report. For more information about this script, including usage instructions, see compliance-script.md.