Updating an AWS Instance

Modify settings for an existing AWS instance.

Updating the Credentials for an AWS Instance

Change the credentials for an AWS instance.

If you need to change the credentials for an AWS instance, then you must change them in both AWS and in Oracle CASB Cloud Service.

When the authentication information that you used to register an AWS instance changes, you must also update it in the Oracle CASB Cloud Service console.

  1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
    • In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

    • In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

    Tip:

    Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

  2. In the Update Credentials page, select the authentication type:
    • If your AWS instance uses an IAM user to authenticate, drop down the Authentication type list, select Access key and secret key, and then enter the Access Key and Secret Key.

    • If your AWS instance uses an IAM role to authenticate, drop down the Authentication type list, select IAM user role, and then enter the User role ARN, External ID, and Account ID.

  3. If you want Oracle CASB Cloud Service to collect logs from an external account, slide the Collect logs from an external account switch to the right. Then, enter the Name of Cross-Account role and Account Number.
  4. Click Test Credentials.
  5. If the test is successful, click Next to view the confirmation page.
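Before entering a User role ARN and External ID, it helps to confirm that the role's trust policy only admits the expected account and requires that external ID. The following check is an added example, not Oracle's code; it assumes the role uses the standard AWS cross-account trust pattern, and `check_trust_policy`, `trusted_account`, `external_id` and the sample policy are hypothetical names and constructed values.

```python
# Added example. The trust policy, account ID and external ID are constructed
# placeholders, not values from Oracle CASB Cloud Service.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

def as_list(value):
    """IAM JSON allows a single value where a list is also accepted."""
    return value if isinstance(value, list) else [value]

def principal_account(principal):
    """Account ID from a bare 12-digit ID or an IAM ARN, else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def check_trust_policy(policy, trusted_account, external_id):
    """Return findings for every statement that allows sts:AssumeRole."""
    findings, allows = [], 0
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        allows += 1
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*" or principal_account(p) != trusted_account:
                findings.append(f"statement {n}: unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ids = as_list(cond.get("sts:ExternalId", []))
        if not ids:
            findings.append(f"statement {n}: no sts:ExternalId condition")
        elif ids != [external_id]:
            findings.append(f"statement {n}: external ID does not match")
    if allows == 0:
        findings.append("no statement allows sts:AssumeRole")
    return findings

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY, "111122223333", "EXAMPLE-EXTERNAL-ID"))
```

An empty list means the policy trusts only the expected account and pins the expected external ID.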

Updating the Security Control Baseline for an AWS Instance

Change security control baseline settings for an AWS instance that was added in either monitor-only mode or push controls mode.

When you register an AWS account in push controls mode, Oracle CASB Cloud Service sets the specified values in your account. You can change these values later if you need to.

When you register an AWS account in default, monitor-only mode, Oracle CASB Cloud Service automatically monitors for security-related configurations and generates an alert when a security control value doesn’t match the Oracle CASB Cloud Service stringent setting. For example, if an AWS administrator permits users to have 5-character passwords, then Oracle CASB Cloud Service generates an alert. For more information, see Security Control Values for AWS (Monitor Only/Read Only).

You can also register an AWS account in push controls mode, in which case Oracle CASB Cloud Service sets the desired values in your account and then generates alerts when these values are changed. For more information, see Security Control Values for AWS (Push Controls/Read-Write).

After you register your application, you can modify the alerting baseline that Oracle CASB Cloud Service uses. For example, you can change the baseline for minimum password length from 10 to 12 characters.

Note:

You can enforce the configuration of AWS IAM role definitions using a policy. See Creating Alerts for Setting AWS Roles.

  1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
    • In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

    • In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

    Tip:

    Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

  2. Click the baseline type that you want: Standard, Stringent, or Custom.
    • Standard: Oracle CASB Cloud Service uses the AWS defaults.

    • Stringent: Oracle CASB Cloud Service uses its own stringent values, which are more stringent than the AWS defaults.

    • Custom: You set the exact values that you want Oracle CASB Cloud Service to enforce, and you can specify additional options that are not available under Standard or Stringent settings.

    Note:

    Only the Custom baseline option’s Access Controls section allows you to specify exceptions. The following settings can only be specified if you select the Custom baseline type:

    • Require security group checking for unsecured ports.

    • Require network ACLs to use secure open ports.

    • Specify IAM admin groups to which the setting applies, when you enable Require the admin users to use multi-factor authentication.

    You must select the Custom baseline type if you want these features.

    For descriptions of the AWS security controls that you can configure, see Security Control Values for AWS (Push Controls/Read-Write).

Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch of any kind between the selections that you make on this page and the actual settings in the AWS instance.
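The baseline comparison described above can be reproduced locally to preview which settings would raise a security control alert. This is an added example, not Oracle's implementation: it reports every mismatch, as the page describes, and additionally labels each as weaker or stronger than the baseline for triage. Only the minimum password length values (5 and 12) come from the page; the other baseline values, the sample data, and all function names are constructed.

```python
# Added example. Only MinimumPasswordLength = 12 comes from the page; the
# other baseline values and all sample data are constructed.
BASELINE = {
    "MinimumPasswordLength": 12,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "MaxPasswordAge": 90,  # days
}
# Numeric fields: True if a larger actual value is the stronger setting.
HIGHER_IS_STRONGER = {"MinimumPasswordLength": True, "MaxPasswordAge": False}

# Constructed snapshot, shaped like the PasswordPolicy object that IAM
# GetAccountPasswordPolicy returns (5 characters is the page's example).
SAMPLE_POLICY = {"MinimumPasswordLength": 5, "RequireSymbols": True,
                 "RequireNumbers": False, "MaxPasswordAge": 60}
# Constructed user inventory: group membership and MFA device count.
SAMPLE_USERS = [
    {"UserName": "alice", "Groups": ["Admins"], "MFADevices": 1},
    {"UserName": "bob", "Groups": ["Admins", "Dev"], "MFADevices": 0},
    {"UserName": "carol", "Groups": ["Dev"], "MFADevices": 0},
]

def direction(field, want, have):
    """Classify a mismatch as weaker or stronger than the baseline."""
    if have is None:
        return "weaker"  # setting absent from the account
    if isinstance(want, bool):
        return "weaker" if want and not have else "stronger"
    higher = have > want
    return "stronger" if higher == HIGHER_IS_STRONGER[field] else "weaker"

def baseline_mismatches(policy, baseline):
    """Report every field whose actual value differs from the baseline."""
    findings = []
    for field, want in baseline.items():
        have = policy.get(field)
        if have != want:
            findings.append({"field": field, "baseline": want, "actual": have,
                             "direction": direction(field, want, have)})
    return findings

def admins_without_mfa(users, admin_groups):
    """Users in any of the named admin groups that have no MFA device."""
    admin = set(admin_groups)
    return [u["UserName"] for u in users
            if admin & set(u["Groups"]) and u["MFADevices"] == 0]

if __name__ == "__main__":
    for f in baseline_mismatches(SAMPLE_POLICY, BASELINE):
        print(f)
    print("admins without MFA:", admins_without_mfa(SAMPLE_USERS, ["Admins"]))
```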

Updating the IDP Instance for an AWS Instance

Change the way an AWS instance communicates with an identity provider (IDP).

You can update the way that an AWS instance communicates with an identity provider (IDP) in several ways:

  • You can change an existing AWS instance that is authenticating to an IDP instance, so that it authenticates to a different IDP instance.

  • You can switch an AWS instance from authenticating directly with the IDP to authenticating with the IDP through an IDP instance.

  • You can’t switch an AWS instance that is authenticating with the IDP through an IDP instance to directly authenticating to the IDP.

  1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
    • In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update IDP Instance.

    • In grid view, drop down the Action list for the instance you want to modify and select Update IDP Instance.

    Tip:

    Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update IDP Instance, and then select the application instance you want to modify and click Next.

  2. In the Update IDP instance page, change the IDP instance, the active application defined in the identity provider, or both, and then click Next.
  3. In the Success page, click Done.