Enable Cloud Guard for Root Compartment

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Cloud Guard service is enabled in the root compartment of your Oracle Cloud Infrastructure (OCI) tenancy. Oracle Cloud Guard is a cloud-native security service in OCI that helps you monitor, identify, and remediate security vulnerabilities in your OCI environment.

Security

Enabling Cloud Guard in the root compartment of your tenancy ensures comprehensive security posture monitoring and threat detection across your entire Oracle Cloud Infrastructure (OCI) tenancy. This allows for centralized visibility and control over security risks.


Audit

To determine if Cloud Guard is enabled for your Oracle Cloud Infrastructure (OCI) root compartment, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to https://cloud.oracle.com/cloud-guard/ to access the Cloud Guard Overview dashboard created for your OCI tenancy. If a Get Started page is displayed instead of the Overview dashboard, the Cloud Guard service is not enabled for your OCI tenancy. If the Overview dashboard is available, choose Configuration from the left navigation panel, select Targets, and check for the root compartment. If the root compartment is not listed in the Targets section, the Cloud Guard service is not enabled for your OCI root compartment.

Using OCI CLI

01 Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the identifier (OCID) of the root compartment created for your Oracle Cloud Infrastructure (OCI) tenancy. The root compartment OCID is the tenancy OCID; it is returned as the parent "compartment-id" of each top-level compartment:

oci iam compartment list \
	--query 'data[]."compartment-id"'

02 The command output should return the root OCI compartment (OCID), repeated once for each top-level compartment in the tenancy:

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run the cloud-guard configuration get command (Windows/macOS/Linux) to describe the operational status of the Cloud Guard service in the root compartment of your Oracle Cloud Infrastructure (OCI) tenancy:

oci cloud-guard configuration get \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data.status'

04 The command output should return the Cloud Guard operational status:

"DISABLED"

If the cloud-guard configuration get command output returns "DISABLED", as shown in the output example above, the Cloud Guard service is not enabled for your OCI root compartment.

Remediation / Resolution

To enable the Cloud Guard service for the root compartment of your Oracle Cloud Infrastructure (OCI) tenancy, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Cloud Guard service console available at https://cloud.oracle.com/cloud-guard/ and choose Enable Cloud Guard to initiate the setup process.

03 For Cloud Guard policy, review the Cloud Guard access policy provided by Oracle Cloud Infrastructure (OCI), and choose Create policy.

04 For Basic information, perform the following actions:

  1. Select the desired reporting region from the Reporting Region dropdown list.
  2. For Compartments to monitor, choose Select compartments, and select the root compartment of your tenancy.
  3. For Configuration detector recipe, select the OCI Configuration Detector Recipe (Oracle Managed) recipe.
  4. For Activity detector recipe, select the OCI Activity Detector Recipe (Oracle Managed) recipe.
  5. For Threat detector recipe, select the OCI Threat Detector Recipe (Oracle Managed) recipe.
  6. Choose Enable to enable the Cloud Guard service for the root compartment of your OCI tenancy.

Using OCI CLI

01 Run the iam policy create command (Windows/macOS/Linux) to create the access policy required to enable and run the Cloud Guard service in the specified OCI compartment. Every statement grants the cloudguard service read-only access, which is the least privilege the service needs to inspect resources and audit events:

oci iam policy create \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--name 'CloudGuardPolicies' \
	--description 'Cloud Guard Access Policy' \
	--statements '[
		"allow service cloudguard to read vaults in tenancy",
		"allow service cloudguard to read keys in tenancy",
		"allow service cloudguard to read compartments in tenancy",
		"allow service cloudguard to read tenancies in tenancy",
		"allow service cloudguard to read audit-events in tenancy",
		"allow service cloudguard to read compute-management-family in tenancy",
		"allow service cloudguard to read instance-family in tenancy",
		"allow service cloudguard to read virtual-network-family in tenancy",
		"allow service cloudguard to read volume-family in tenancy",
		"allow service cloudguard to read database-family in tenancy",
		"allow service cloudguard to read object-family in tenancy",
		"allow service cloudguard to read load-balancers in tenancy",
		"allow service cloudguard to read users in tenancy",
		"allow service cloudguard to read groups in tenancy",
		"allow service cloudguard to read policies in tenancy",
		"allow service cloudguard to read dynamic-groups in tenancy",
		"allow service cloudguard to read authentication-policies in tenancy"
	]'

02 The command output should return the metadata of the newly created IAM policy, including its lifecycle state (i.e., "ACTIVE"):

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"description": "Cloud Guard Access Policy",
		"freeform-tags": {},
		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"inactive-status": null,
		"lifecycle-state": "ACTIVE",
		"name": "CloudGuardPolicies",
		"statements": [
			"allow service cloudguard to read vaults in tenancy",
			"allow service cloudguard to read keys in tenancy",
			"allow service cloudguard to read compartments in tenancy",
			"allow service cloudguard to read tenancies in tenancy",
			"allow service cloudguard to read audit-events in tenancy",
			"allow service cloudguard to read compute-management-family in tenancy",
			"allow service cloudguard to read instance-family in tenancy",
			"allow service cloudguard to read virtual-network-family in tenancy",
			"allow service cloudguard to read volume-family in tenancy",
			"allow service cloudguard to read database-family in tenancy",
			"allow service cloudguard to read object-family in tenancy",
			"allow service cloudguard to read load-balancers in tenancy",
			"allow service cloudguard to read users in tenancy",
			"allow service cloudguard to read groups in tenancy",
			"allow service cloudguard to read policies in tenancy",
			"allow service cloudguard to read dynamic-groups in tenancy",
			"allow service cloudguard to read authentication-policies in tenancy"
		],
		"time-created": "2025-03-05T19:14:00.278000+00:00",
		"version-date": null
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234abcd1234"
}

03 Run the cloud-guard configuration update command (Windows/macOS/Linux) to enable the Cloud Guard service for the root compartment of your Oracle Cloud Infrastructure (OCI) tenancy. Use the --compartment-id parameter to specify your root compartment and the --reporting-region parameter to specify the region in which Cloud Guard reports its findings:

oci cloud-guard configuration update \
	--reporting-region 'ap-sydney-1' \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--status 'ENABLED' \
	--query 'data.status'

04 The command output should return the current Cloud Guard operational status:

"ENABLED"
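The CLI audit (steps 01 to 04 above) and the CLI remediation (steps 01 to 04 in this section) can be wrapped in one script that reports the finding and only makes changes when the root compartment is actually non-compliant. The script below is an added example and is not code from the knowledge base entry, from Trend Micro or from Oracle. It assumes the oci CLI is installed and configured with a profile that can list compartments and manage IAM policies and Cloud Guard in the tenancy; the policy name CloudGuardPolicies, the statements and the reporting region value are the ones shown on this page, and the --raw-output option and the JMESPath name filter are standard OCI CLI features. The two parsing helpers at the top run without the CLI, which is how the script is checked offline.

```shell
#!/bin/sh
# Added example (not part of the original page): audit-then-remediate wrapper
# around the OCI CLI commands shown in this knowledge base entry.
# Assumes: `oci` is installed and configured; the profile may read compartments
# and manage IAM policies and Cloud Guard in the tenancy.
set -u

# Reduce the raw `--query 'data.status'` output (a JSON string such as
# "DISABLED", or null when no configuration exists) to a bare token.
normalize_status() {
    s=$(printf '%s' "$1" | tr -d '"[:space:]')
    case "$s" in
        ENABLED)  echo ENABLED ;;
        DISABLED) echo DISABLED ;;
        *)        echo UNKNOWN ;;
    esac
}

# Conformity verdict: succeeds only when the status is ENABLED; DISABLED,
# null or anything unexpected is treated as a finding.
cloud_guard_compliant() {
    [ "$(normalize_status "$1")" = "ENABLED" ]
}

# The root compartment OCID is the tenancy OCID, returned as the parent
# "compartment-id" of every top-level compartment (same query as the page).
root_compartment_id() {
    oci iam compartment list --query 'data[0]."compartment-id"' --raw-output \
        | grep '^ocid1\.tenancy\.'
}

# Raw Cloud Guard status for the given compartment OCID (page step 03).
fetch_status() {
    oci cloud-guard configuration get --compartment-id "$1" --query 'data.status'
}

# Read-only access policy statements, exactly as listed on this page.
CLOUD_GUARD_STATEMENTS='[
 "allow service cloudguard to read vaults in tenancy",
 "allow service cloudguard to read keys in tenancy",
 "allow service cloudguard to read compartments in tenancy",
 "allow service cloudguard to read tenancies in tenancy",
 "allow service cloudguard to read audit-events in tenancy",
 "allow service cloudguard to read compute-management-family in tenancy",
 "allow service cloudguard to read instance-family in tenancy",
 "allow service cloudguard to read virtual-network-family in tenancy",
 "allow service cloudguard to read volume-family in tenancy",
 "allow service cloudguard to read database-family in tenancy",
 "allow service cloudguard to read object-family in tenancy",
 "allow service cloudguard to read load-balancers in tenancy",
 "allow service cloudguard to read users in tenancy",
 "allow service cloudguard to read groups in tenancy",
 "allow service cloudguard to read policies in tenancy",
 "allow service cloudguard to read dynamic-groups in tenancy",
 "allow service cloudguard to read authentication-policies in tenancy"
]'

# Audit: prints the status and exits 0 (compliant) or 1 (finding); 2 on error.
audit_root_cloud_guard() {
    root=$(root_compartment_id)
    [ -n "$root" ] || { echo "could not determine the root compartment OCID" >&2; return 2; }
    raw=$(fetch_status "$root")
    echo "Cloud Guard status for root compartment $root: $(normalize_status "$raw")"
    cloud_guard_compliant "$raw"
}

# Remediation ($1 = reporting region, e.g. ap-sydney-1): idempotent, so it
# creates the policy only if none with that name exists and skips enabling
# Cloud Guard when it is already ENABLED.
remediate_root_cloud_guard() {
    region=$1
    root=$(root_compartment_id)
    [ -n "$root" ] || { echo "could not determine the root compartment OCID" >&2; return 2; }
    if cloud_guard_compliant "$(fetch_status "$root")"; then
        echo "Cloud Guard already enabled for $root; nothing to do"
        return 0
    fi
    existing=$(oci iam policy list --compartment-id "$root" \
        --query "data[?name=='CloudGuardPolicies'].id | [0]" --raw-output)
    if [ -z "$existing" ] || [ "$existing" = "null" ]; then
        oci iam policy create --compartment-id "$root" \
            --name 'CloudGuardPolicies' --description 'Cloud Guard Access Policy' \
            --statements "$CLOUD_GUARD_STATEMENTS" --query 'data."lifecycle-state"'
    fi
    oci cloud-guard configuration update --reporting-region "$region" \
        --compartment-id "$root" --status 'ENABLED' --query 'data.status'
}

# Usage: ./cloud-guard-root.sh audit | ./cloud-guard-root.sh remediate <reporting-region>
case "${1:-}" in
    audit)     audit_root_cloud_guard ;;
    remediate) remediate_root_cloud_guard "${2:?usage: $0 remediate <reporting-region>}" ;;
    *)         : ;;   # no subcommand: only define the functions
esac
```

Run the audit first in every tenancy you manage; its exit status makes it usable from a CI job or a cron check, and the remediation path touches nothing when the audit already passes. Treating null as a finding matters: a tenancy where Cloud Guard was never configured returns no status rather than DISABLED.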

Publication date Mar 10, 2025