Best practice rules for Oracle Cloud Infrastructure

Use Customer-Managed Keys (CMKs) to encrypt your OCI Block Volume data.

Use Customer-Managed Keys (CMKs) to encrypt your OCI Boot Volume data.

Ensure that OCI Block Volume VPUs are configured appropriately for workload requirements.

Enable ongoing automatic asynchronous replication of Block Volumes across OCI regions.

Ensure that performance-based autotuning is enabled for OCI Block Volumes.

Ensure that performance-based autotuning is enabled for OCI Boot Volumes.

Use backup policies to schedule backups for Block Volumes in Oracle Cloud Infrastructure (OCI).

Ensure that Cloud Guard is enabled for your OCI compartments.

Avoid using public IP addresses for OCI compute instances unless it's necessary for business operations.

Ensure that Cloud Guard Workload Protection feature is enabled for OCI compute instances.

Ensure that compute instance monitoring is enabled for your OCI compute instances.

Ensure that custom logs monitoring is enabled for your OCI compute instances.

Ensure that encryption of data in transit is enabled for OCI compute instances.

Ensure that OS Management Service is enabled for OCI compute instances.

Ensure that Secure Boot is enabled for shielded Oracle Cloud Infrastructure (OCI) compute instances.

Ensure that the Vulnerability Scanning feature is enabled for OCI compute instances.

Ensure that IMDSv2 is enforced for all Oracle Cloud Infrastructure (OCI) compute instances.

Ensure that IAM group changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that IAM policy configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that IAM user changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that Identity Provider changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that Identity Provider changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that OCI local user authentication is being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that network gateway configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that network security group configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that changes to Cloud Guard issues are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that route table configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that security list configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that VCN changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that OCI Lustre file systems have cost allocation tags for accurate cost allocation and budget tracking.

Ensure that OCI File Storage file systems should be placed in same availability domain as compute resources.

Ensure that OCI file system clones are fully hydrated for production use.

Ensure that OCI File Storage systems have cost allocation tags for accurate cost allocation and budget tracking.

Ensure that clone parent file systems without attached child clones are removed.

Ensure that snapshot policies are configured for your OCI File Storage file systems.

Ensure that active replication is enabled for your OCI File Storage systems.

Ensure that OCI File Storage quota enforcement is enabled for cost control.

Use Customer-Managed Keys (CMKs) to encrypt your OCI File Storage systems.

Use Customer-Managed Keys (CMKs) to encrypt your OCI Lustre file systems.

Ensure that your Lustre file systems are using Network Security Groups (NSGs) for traffic control.

Ensure that resource locking is enabled for your production OCI File Storage systems.

Ensure that API keys are not created for tenancy administrator users.

Ensure that permissions on all OCI resources are given only to the "Administrators" group.

Ensure there are no cloud resources within the OCI root compartment.

Ensure there is at least one non-root compartment in your OCI tenancy to store cloud resources.

Ensure that the Multi-Factor Authentication (MFA) feature is enabled for all users with a console password.

Ensure that IAM password policy requires minimum 14 characters for passwords.

Ensure that IAM password policy enforces password expiration within 365 days or less.

Ensure that service administrators cannot update the tenancy "Administrators" group.

Ensure that customer secret keys are rotated on a periodic basis to follow security best practices.

Ensure that IAM database passwords are rotated on a periodic basis to follow security best practices.

Ensure that IAM user API keys are rotated on a periodic basis to follow security best practices.

Ensure that IAM user auth tokens are rotated on a periodic basis to follow security best practices.

Ensure there is a maximum of one active API key pair available for any single OCI IAM user.

Ensure that unused OCI IAM local users are disabled to follow cloud security best practices.

Ensure that your Oracle Cloud Infrastructure (OCI) resources are using default tags.

Ensure that OCI KMS Vaults have cost allocation tags for accurate cost allocation and budget tracking.

Ensure that OCI KMS Vaults have environment tags for proper resource management and access control.

Ensure that OCI KMS Vaults use SOFTWARE-protected keys for cost optimization when HSM security is not required.

Ensure that your OCI KMS Customer-Managed Keys (CMKs) are regularly rotated.

Identify excessive unused Customer-Managed Keys (CMKs) and delete them to help lower the cost of your monthly OCI bill.

Ensure that your OCI KMS Vaults reside on an isolated partition within a Hardware Security Module (HSM).

Ensure that no network security groups allow unrestricted ingress access on TCP port 3389 (RDP).

Ensure that no security listS allow unrestricted ingress access on TCP port 3389 (RDP).

Ensure that no network security groups allow unrestricted ingress access on TCP port 22 (SSH).

Ensure that no security lists allow unrestricted ingress access on TCP port 22 (SSH).

Ensure that flow logs are enabled for Virtual Cloud Networks (VCN) subnets.

Ensure that the default security lists restrict all traffic except ICMP.

Ensure that the Kubelet configuration file ownership is set to "root:root".

Ensure that the kubelet configuration file has permissions set to 644.

Ensure that the "streamingConnectionIdleTimeout" parameter is not set to 0 (zero).

Ensure that the kubelet-config.json file ownership is set to "root:root".

Ensure that the kubelet-config.json file has permissions set to 644.

Ensure that anonymous requests to the Kubelet server are disabled.

Ensure that the Kubelet read-only port is disabled.

Ensure that public access to the Kubernetes API is disabled (allow access via private endpoints only).

Ensure that Kubelet authentication using SSL/TLS certificates is enabled.

Ensure that Kubernetes is configured to capture security-relevant events without restriction.

Ensure that the Kubelet server authorization mode is not set to "AlwaysAllow".

Ensure that Kubelet servers are configured to serve only HTTPS traffic.

Ensure that Kubelet client certificates are automatically rotated by setting the "rotateCertificates" parameter to true.

Ensure that Kubelet server certificates are automatically rotated.

Ensure that Kubelet is allowed to manage iptables.

Ensure that notification topics and subscriptions are configured to send monitoring alerts.

Ensure that Object Storage buckets are not configured to allow public access.

Ensure that object versioning is enabled for OCI Object Storage buckets.

Ensure that write logs are enabled for OCI Object Storage buckets.

Use Customer-Managed Keys (CMKs) to encrypt your OCI Object Storage bucket data.