Monitor and Audit Your Environment

Ensure you are using the correct controls to monitor and audit your environment

Enable Cloud Guard for Monitoring

Enterprise Architect, Security Architect

Oracle Cloud Guard allows you to gain a unified view of cloud security posture across Oracle Cloud Infrastructure customer tenants.

Oracle Cloud Guard detects misconfigured resources and insecure activity across tenants and provides security administrators with the visibility to triage and resolve cloud security issues. Security inconsistencies can be automatically remediated with out-of-the-box security recipes to effectively scale the security operations center.

Ensure Cloud Guard is enabled at the root level of your tenancy to monitor all of your compartments.

Configure Auditing

Enterprise Architect, Security Architect

The Oracle Cloud Infrastructure Audit service automatically records calls to all supported Oracle Cloud Infrastructure public application programming interface (API) endpoints as log events. Currently, all services support logging by Oracle Cloud Infrastructure Audit.

Oracle Cloud Infrastructure Object Storage supports logging for bucket-related events, but not for object-related events. Log events recorded by Oracle Cloud Infrastructure Audit include API calls made by the Oracle Cloud Infrastructure console, Command Line Interface (CLI), Software Development Kits (SDK), your own custom clients, or other Oracle Cloud Infrastructure services. Information in the logs includes the following:

  • Time the API activity occurred.
  • Source of the activity.
  • Target of the activity.
  • Type of action.
  • Type of response.

Each log event includes a header ID, target resources, timestamp of the recorded event, request parameters, and response parameters. You can view events logged by Oracle Cloud Infrastructure Audit by using the console, API, or the SDK for Java. Data from events can be used to perform diagnostics, track resource usage, monitor compliance, and collect security-related events.

  • Ensure audit retention is set to 365 days.
  • If you have third-party tools that need to access Oracle Cloud Infrastructure Audit data, configure a Service Connector Hub to copy Oracle Cloud Infrastructure Audit data to an Object Storage bucket, with an appropriate retention period set.
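The following is an added example, not Oracle's code, showing how audit events copied out by a Service Connector Hub can be reduced to the five fields listed above and screened for successful IAM policy changes. The field names follow the Oracle Cloud Infrastructure Audit event format (`eventTime`, `data.eventName`, `data.identity`, `data.request`, `data.response`); the event values, OCIDs and IP addresses are constructed placeholders, and `load_events` accepts either a JSON array or newline-delimited JSON so it works on both export shapes.

```python
"""Summarize OCI Audit events and flag successful IAM policy changes (added example)."""
import json
from typing import Any

# Event names that change IAM policy objects; a successful one deserves review.
POLICY_CHANGE_EVENTS = {"CreatePolicy", "UpdatePolicy", "DeletePolicy"}

# Constructed sample events. Field names mirror the Audit event schema; every
# value (OCIDs, names, addresses, request ids) is a placeholder.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {
        "eventType": "com.oraclecloud.identitycontrolplane.updatepolicy",
        "cloudEventsVersion": "0.1", "eventTypeVersion": "2.0",
        "source": "IdentityControlPlane", "eventId": "evt-0001",
        "eventTime": "2024-03-01T10:15:00.000Z", "contentType": "application/json",
        "data": {
            "eventName": "UpdatePolicy",
            "compartmentId": "ocid1.tenancy.oc1..placeholder",
            "resourceName": "prod-network",
            "resourceId": "ocid1.policy.oc1..placeholder1",
            "identity": {"principalName": "alice", "ipAddress": "198.51.100.10", "authType": "natv"},
            "request": {"id": "req-0001", "action": "PUT",
                        "path": "/20160918/policies/ocid1.policy.oc1..placeholder1"},
            "response": {"status": "200", "message": ""},
        },
    },
    {
        "eventType": "com.oraclecloud.computeapi.launchinstance",
        "cloudEventsVersion": "0.1", "eventTypeVersion": "2.0",
        "source": "ComputeApi", "eventId": "evt-0002",
        "eventTime": "2024-03-01T10:16:30.000Z", "contentType": "application/json",
        "data": {
            "eventName": "LaunchInstance",
            "compartmentId": "ocid1.compartment.oc1..placeholder",
            "resourceName": "web-01",
            "resourceId": "ocid1.instance.oc1.region.placeholder",
            "identity": {"principalName": "bob", "ipAddress": "203.0.113.7", "authType": "natv"},
            "request": {"id": "req-0002", "action": "POST", "path": "/20160918/instances"},
            "response": {"status": "200", "message": ""},
        },
    },
    {
        "eventType": "com.oraclecloud.identitycontrolplane.deletepolicy",
        "cloudEventsVersion": "0.1", "eventTypeVersion": "2.0",
        "source": "IdentityControlPlane", "eventId": "evt-0003",
        "eventTime": "2024-03-01T10:20:00.000Z", "contentType": "application/json",
        "data": {
            "eventName": "DeletePolicy",
            "compartmentId": "ocid1.tenancy.oc1..placeholder",
            "resourceId": "ocid1.policy.oc1..placeholder2",
            "identity": {"principalName": "carol", "ipAddress": "192.0.2.25", "authType": "natv"},
            "request": {"id": "req-0003", "action": "DELETE",
                        "path": "/20160918/policies/ocid1.policy.oc1..placeholder2"},
            "response": {"status": "404", "message": "NotAuthorizedOrNotFound"},
        },
    },
]
# The same sample in both export shapes.
SAMPLE_AUDIT_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)
SAMPLE_AUDIT_ARRAY = json.dumps(SAMPLE_EVENTS)


def load_events(text: str) -> list[dict[str, Any]]:
    """Accept either a JSON array of events or newline-delimited JSON objects."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(event: dict[str, Any]) -> dict[str, str]:
    """Reduce one event to time, source, target, action and response."""
    data = event.get("data") or {}
    ident = data.get("identity") or {}
    req = data.get("request") or {}
    resp = data.get("response") or {}
    return {
        "time": event.get("eventTime", "?"),
        "source": f"{ident.get('principalName', '?')} from {ident.get('ipAddress', '?')}",
        "target": data.get("resourceId") or data.get("resourceName") or data.get("compartmentId", "?"),
        "action": f"{data.get('eventName', '?')} ({req.get('action', '?')} {req.get('path', '?')})",
        "response": str(resp.get("status", "?")),
    }


def find_policy_changes(events: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return summaries of policy create/update/delete calls that succeeded (2xx)."""
    hits = []
    for ev in events:
        data = ev.get("data") or {}
        status = str((data.get("response") or {}).get("status", ""))
        if data.get("eventName") in POLICY_CHANGE_EVENTS and status.startswith("2"):
            hits.append(summarize(ev))
    return hits


if __name__ == "__main__":
    for hit in find_policy_changes(load_events(SAMPLE_AUDIT_JSONL)):
        print(hit)
```

Failed attempts (the 404 delete above) are deliberately excluded from the hit list but remain visible through `summarize`; a production version would route them to a separate queue, since repeated failed policy deletions are themselves worth a look.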

Audit Your Policies

Enterprise Architect, Security Architect

Periodically review your policies to be sure they meet good security practices.

A policy auditor may review IAM policies in an ad-hoc manner using the Oracle Cloud Infrastructure console. There are also several options that can be leveraged to generate policy reports for offline analysis.

Cloud Guard has two configuration detector recipes and one activity detector recipe specifically for IAM policies:

  • Policy gives too many privileges.
  • Tenancy admin privilege granted to group.
  • Security policy modified.

While Oracle-managed recipes can be modified, Oracle recommends cloning the recipes to allow you to alter the objects that are targeted by these rules (through the use of tags or compartments). This allows production environments within a tenancy to have tighter controls, while relaxing the restrictions in non-production environments that reside in a different compartment in the tenancy. If you need to review IAM policies on a more granular level, Oracle recommends using the Security Policy Modified detector to trigger an event that:

  • Triggers a manual review via the policy.
  • Invokes a function to perform investigation or remediation.

When you audit your policies, consider the following potential issues:

  • Where are your policies defined, and do they comply with your organization's standards for compartment usage?
  • Audit the usage of dynamic groups. Do these groups grant excess privileges?
  • What services are configured and where are they located? It may be that some services should be limited to certain compartments or groups.
  • Locate and remove any duplicated statements.
  • Identify policies that grant privileges to the whole tenancy.
  • Identify groups that have more privileges than they need.
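As an added example (not Oracle's tooling), the script below runs the checks from the list above over a constructed set of policy statements: tenancy-wide grants, `manage all-resources` grants, `manage` grants to dynamic groups, unconditional `any-user` grants, duplicated statements, and statements the parser does not understand (so cross-tenancy `Endorse`/`Admit`/`Define` statements surface for manual review instead of being skipped). Policy names, group names, compartment names and the OCID in the `where` clause are placeholders; in practice the statements would be fetched with `oci iam policy list` or the SDK, which is outside this offline script.

```python
"""Offline audit of OCI IAM policy statements (added example, not Oracle's code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Grammar covered: "Allow <subject> to <verb> <resource-type> in <scope> [where <condition>]".
# Quoted subject names containing spaces are not handled and will be reported as unparsed.
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group|any-user|service)"
    r"(?:\s+(?P<subject>[\w.\-/]+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?[\w.\-:]+)"
    r"(?:\s+where\s+(?P<condition>.+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample: policy name -> statements. Names and OCID are placeholders.
SAMPLE_POLICIES: dict[str, list[str]] = {
    "tenancy-admins": [
        "Allow group Administrators to manage all-resources in tenancy",
    ],
    "prod-network": [
        "Allow group NetOps to manage virtual-network-family in compartment Prod",
        "Allow group NetOps to manage virtual-network-family in compartment Prod",
        "Allow group Auditors to read all-resources in tenancy",
    ],
    "instance-roles": [
        "Allow dynamic-group AppServers to manage objects in compartment Prod",
        "Allow dynamic-group AppServers to read secret-family in compartment Prod "
        "where target.vault.id = 'ocid1.vault.oc1..placeholder'",
        "Allow any-user to use instance-family in compartment Dev",
        "Endorse group CrossTenancyAdmins to manage drgs in any-tenancy",
    ],
}


@dataclass(frozen=True)
class Statement:
    policy: str
    subject_type: str
    subject: Optional[str]
    verb: str
    resource: str
    scope: str
    condition: Optional[str]


def parse_statement(policy: str, text: str) -> Optional[Statement]:
    """Parse one Allow statement; return None for anything outside the grammar."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        return None
    return Statement(
        policy=policy,
        subject_type=m["subject_type"].lower(),
        subject=m["subject"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        scope=re.sub(r"\s+", " ", m["scope"].lower()),
        condition=m["condition"].strip() if m["condition"] else None,
    )


def normalize(text: str) -> str:
    """Canonical form for duplicate detection: case- and whitespace-insensitive."""
    return re.sub(r"\s+", " ", text.strip().lower())


def audit_policies(policies: dict[str, list[str]]) -> dict[str, list[str]]:
    """Run the review checks and return findings grouped by category."""
    findings: dict[str, list[str]] = {
        "unparsed": [], "tenancy_wide": [], "manage_all_resources": [],
        "dynamic_group_manage": [], "unconditional_any_user": [], "duplicates": [],
    }
    seen: Counter[str] = Counter()
    for name, statements in policies.items():
        for text in statements:
            seen[normalize(text)] += 1
            label = f"{name}: {text.strip()}"
            st = parse_statement(name, text)
            if st is None:
                findings["unparsed"].append(label)
                continue
            if st.scope == "tenancy":
                findings["tenancy_wide"].append(label)
            if st.verb == "manage" and st.resource == "all-resources":
                findings["manage_all_resources"].append(label)
            if st.subject_type == "dynamic-group" and st.verb == "manage":
                findings["dynamic_group_manage"].append(label)
            if st.subject_type == "any-user" and st.condition is None:
                findings["unconditional_any_user"].append(label)
    # Duplicates are counted across all policies, not just within one.
    findings["duplicates"] = [t for t, n in seen.items() if n > 1]
    return findings


if __name__ == "__main__":
    for category, items in audit_policies(SAMPLE_POLICIES).items():
        print(f"{category} ({len(items)})")
        for item in items:
            print(f"  {item}")
```

The `tenancy_wide` and `manage_all_resources` buckets are where the "policy gives too many privileges" style of question gets answered; entries that are expected (a break-glass administrators group) should be recorded as accepted rather than silenced in the script, so the next run still shows them.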

Continuously Scan for Vulnerabilities

Enterprise Architect, Security Architect

Oracle Vulnerability Scanning Service helps improve your security posture in Oracle Cloud Infrastructure by routinely checking hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.

The core capabilities of the Oracle Vulnerability Scanning Service are:

  • A simple, on by default, prescriptive, and free scanning suite that is tightly integrated with the Oracle Cloud Infrastructure platform.
  • Default plugins and engines based on Oracle Cloud Infrastructure-created and open-source scanning engines for host and container scanning.
  • Oracle Cloud Infrastructure manages the deployment, configuration, and upgrade of these engines and agents across the customer fleet.
  • Problems detected by the scanning suite will be surfaced through Oracle Cloud Guard, with rules and ML to prioritize critical vulnerabilities.
  • Oracle Cloud Infrastructure will take action (alert, auto-remediate, or quarantine) through responders to shorten the time from detection to remediation, including through maximum security zones.