Practices for Lesson: Cloud Security Posture Management

Copyright © 2021, Oracle and/or its affiliates.

Practice: Explore Cloud Guard Components

Tasks

1. Sign in to the Oracle Cloud account.
   Note: This practice may not work on the OU account. Please use a 30-day free trial Oracle Cloud account if needed.
2. Cloud Guard is enabled in your tenancy. You will make your compartment a target and look into the features of Cloud Guard.
3. To navigate to Cloud Guard, use Menu > Identity & Security > Cloud Guard.
4. You are taken to the Cloud Guard home page. A dashboard with the current Cloud Guard observations is displayed.
5. If the Guided Tour is displayed, go through it to explore the various features. You can also click Stop tour if you are not interested in the tour.
6. Once you close the tour, the dashboard is displayed, with the various Cloud Guard options on the left side of the browser window.
7. Click Detector Recipes.
8. The Oracle Managed recipes are listed within the root compartment. Ensure you have chosen the root compartment in the compartment scope.
9. Two detector recipes are listed: one of type Configuration and the other of type Activity. Click the link to Oracle Configuration Detector Recipe to look into the detector details.
10. Various detector rules are part of this recipe.
11. To look into the details of a particular rule, click the expand icon as shown below. The example is for a rule titled "VCN Security List allows traffic to restricted port."
12. This rule is identified as a critical risk level. Look into the details of other rules listed.
13. If you are interested in rules of a specific risk level, you can use the filter for risk level, and only those rules will be listed.
14. In the breadcrumb on the top left, click Detector Recipes to go back to the Detector Recipes page.
15. Click the OCI Activity detector recipe and explore the rules that are within it.
16. You also see that the built-in, Oracle Managed detector recipes can be cloned. You can clone an existing recipe and customize it to your needs.
17. Go to the Detector Recipes page and click Responder Recipes.
18. There is one responder recipe listed, which is an Oracle Managed recipe.
19. Click the responder recipe and look into the responder rules that are part of this recipe. Click the expand icon to look into the different rules that are present.
20. Responder recipes can also be cloned and customized by tenants.
21. Use the breadcrumb to go to the Responder Recipes page, and from the Cloud Guard panel on the left side, click Managed Lists.
22. Click the Oracle Cloud Guard CIDR Managed list. It is a list of public IP address CIDRs created as a managed list.
23. Go back to the Managed Lists listing page, and you see an option to create your own managed list. Click Create Managed List; you will get a pop-up window as shown below.
24. You can create your own managed list, which could be of various types based on your needs and requirements.
25. Click Cancel; you will not be creating a managed list in this practice.
26. On the left panel for Cloud Guard, click Settings.
27. You can see the reporting region listed. If you are in the Home region of your tenancy, you will also see the option to Disable Cloud Guard (if it is already enabled). If you are in any other region, this button will be disabled.

This completes the task of exploring Cloud Guard components.

Practice: Enable Cloud Guard

Tasks

1. Log in to the browser console and go to Security > Cloud Guard.
2. Click Detector Recipes. Ensure you are in the root compartment so that you see the two Oracle Managed detector recipes.
3. Click Clone to clone an Oracle Managed recipe and create your own detector recipe.
4. In the pop-up window for the clone, enter the following:
   Cloning – OCI Configuration Detector Recipe (Oracle Managed)
   Name – Custom Configuration Detector
   Description – Enter any meaningful description
   Compartment Assigned – Choose the compartment assigned to you
5. Click Clone to create your own detector recipe based on the Oracle Managed recipe.
6. In the compartment selection (under Filter on the left side), choose the compartment where the cloned recipe resides to see the cloned detector recipe you created.
7. Click the recipe name, and you will see the list of detector rules. For now, you will not make any changes (if required, you can customize the rules).
8. Next, you will enable Cloud Guard in your compartment using this recipe.
9. Use the breadcrumb to go to the Detector Recipes page. Click Targets.
10. Click the Create New Target button.
11. In the pop-up window, enter the following details:
    Target Name – <YourCompName>_CG
    Description – Meaningful description
    Compartment Assigned – <YourCompartment>
    Configuration Detector Recipe – Custom Detector Recipe you created earlier
    Activity Detector Recipe – Oracle Managed Activity Detector Recipe
    Responder Recipe – None
12. Click Create to create the target. Your target is created and listed.
13. Click your target to look into the details.
14. You can see that the recipes you associated are listed in the detector and responder recipes, and the target is the compartment you selected.
15. Wait for Cloud Guard to evaluate your current configuration with detectors and list its observations. You will need to wait for 25–30 minutes; take a break and visit the screen again and continue with the next steps.
16. On the Cloud Guard page, go to the Problems section.
17. A list of problems is identified based on the practices you did earlier, including problems about the VCN and Compute settings. These are identified based on the detector recipe you associated.
18. Click any problem identified; for example, the below screenshot is for the problem "Instance has a Public IP."
19. Scroll down the page to see the sections under Resources for problem history and responder activity.
20. As per the problem details, you have the option to remediate (if there are any responder suggestions), mark it as resolved, or dismiss the problem.
21. Note: In order to remediate, Cloud Guard will need permissions to perform actions on your behalf for that resource.
22. If you choose Mark as Resolved, you can type a comment to keep a log of why you marked it as resolved.
23. If you choose Dismiss, you can add a comment on why you dismissed it.
24. Similarly, look into the other problems reported, related to VCN and other resources.

This completes the task of enabling a target compartment in Cloud Guard and exploring its features.

Practice: Use Security Zones

Tasks

1. Log in to OCI with the credentials provided. Click Menu > Identity & Security > Security Zones.
2. On the Security Zones page, click Recipes on the left side.
3. As of the time this content was created, there are no custom recipes. The tenant has to use only the Oracle-provided recipe.
4. Click the recipe Maximum Security Recipe to see the details.
5. Various policies are listed, which you can look into. Notice that the list includes policies that deny Internet Gateway, public buckets, etc. (Use the navigation at the bottom right side to go to the next pages and view the policies.)
6. Use the breadcrumb on the top and click Security Zones to go to the home page of security zones.
7. When you create a security zone, you are creating a compartment that will comply with the Security Zone recipe.
8. Click Create Security Zone. In the pop-up window, enter the following details:
   Name – <YourComp>_SZ
   Description – Meaningful description
   Create in Compartment – Choose the compartment assigned to you
9. Click Create Security Zone. OCI will create a compartment with that name within the compartment you have chosen. This will take a while to be reflected, as the IAM components created have to be refreshed.
10. Once you create the security zone, it is listed on the Security Zones page.
11. With security zones, the compartment that is protected by the security zone will deny all of these. You can test it with the following two examples.
12. First, you will create a bucket and make it public. Go to Object Storage and create a bucket as shown below.
13. Go to Object Storage – Object Storage using the menu.
14. Notice that there is a compartment created with the security zone name as a child of your compartment.
15. Choose the child compartment created as part of the security zone and click Create Bucket.
16. Give the following details and create the bucket:
    Bucket Name – <YourCompSZ>_Bucket
    Default Storage Tier – Standard
    Accept defaults for the other options.
17. Click Create.
18. You will get an error that you must assign a master encryption key from your own vault.
19. On the bucket creation page, choose the option Encrypt using Customer-Managed keys under Encryption.
20. In the vault field, choose Change Compartment, choose the compartment in which you created the vault in an earlier practice, and choose the vault you created. Similarly, change the compartment for the master encryption key and choose a master encryption key you created. The Encryption section should look similar to the screenshot given below.
21. Click Create to create the bucket.
22. Now the bucket will be created. Similarly, various other settings can be explored.
23. Another example is to create a VCN with Internet connectivity using the wizard.
24. Such a VCN gets various components, including a public subnet and Internet Gateway, which are disallowed in a security zone.
25. Use the menu and navigate to Networking > Virtual Cloud Networks.
26. In the List Scope section on the left side, choose the compartment of the security zone.
27. Click Start VCN Wizard. Choose VCN with Internet connectivity.
28. Give a meaningful name to the VCN and ensure the compartment is the security zone compartment.
29. Accept the defaults and click Next.
30. On the Summary page, click Create.
31. Observe that various components are created, but the public subnet and Internet Gateway are not created, as they violate the security zone policies.
32. Even if you retry, they will not be created. The security zone will not allow it. Click Close to explore the VCN created.
33. Click the link on the name of the VCN to see the components created as part of the wizard-based VCN creation.
34. The VCN is created without the public subnet and Internet Gateway.
35. When you use security zones, you are proactively restricting what can be used within OCI; thus, the compartment has security best practices implemented.
36. If you are interested, you can also try integrating Cloud Guard with the OCI Events and Notification services (which you learned in a previous lesson).
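
The two Security Zones tests in this practice (the bucket that is rejected until it uses a customer-managed key, and the VCN wizard that finishes without its public subnet and Internet Gateway) can be modelled as a pre-flight check on a planned deployment. This is an added example, not part of the original practice and not Oracle code: the resource dictionaries, field names such as `kms_key_id`, and the component list in `PLAN` are hypothetical, and only the four rules the practice itself mentions are modelled.

```python
# Added illustration: a simplified model of Security Zone policy checks.
# Resource dictionaries and field names are hypothetical, not OCI API objects.

def violations(resource):
    """Return the zone policies (as named in this practice) that a planned resource breaks."""
    kind = resource["type"]
    found = []
    if kind == "internet_gateway":
        found.append("deny Internet Gateway")
    if kind == "subnet" and resource.get("public", False):
        found.append("deny public subnet")
    if kind == "bucket":
        if resource.get("public", False):
            found.append("deny public bucket")
        if not resource.get("kms_key_id"):
            found.append("require customer-managed master encryption key")
    return found


def preflight(plan):
    """Split a plan into resources the zone would accept and those it would reject."""
    allowed, denied = [], {}
    for res in plan:
        broken = violations(res)
        if broken:
            denied[res["name"]] = broken
        else:
            allowed.append(res["name"])
    return allowed, denied


# Constructed sample: a request like the "VCN with Internet connectivity" wizard's,
# plus the bucket from the first test, before and after choosing a vault key.
PLAN = [
    {"type": "vcn", "name": "demo-vcn"},
    {"type": "subnet", "name": "public-subnet", "public": True},
    {"type": "subnet", "name": "private-subnet", "public": False},
    {"type": "internet_gateway", "name": "igw"},
    {"type": "bucket", "name": "bucket-default-key"},
    {"type": "bucket", "name": "bucket-public", "public": True},
    {"type": "bucket", "name": "bucket-cmk", "kms_key_id": "<placeholder-key-ocid>"},
]

if __name__ == "__main__":
    ok, blocked = preflight(PLAN)
    print("would be created:", ok)
    for name, reasons in blocked.items():
        print("would be rejected:", name, "->", "; ".join(reasons))
```

As in steps 31 to 34, the rest of the plan goes through while the violating components are left out, which is why a partial result from the wizard is expected behaviour rather than a failure.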