Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Approved Instance Shape Compliance

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-Compute-011

Determine if your Oracle Cloud Infrastructure (OCI) compute instances have the desired shape (size) established by your organization based on the workload deployed. The desired compute instance shape(s) must be defined in the conformity rule settings, in the Trend Cloud One™ – Conformity account.

Security

Limiting the shape (size) of compute instances for your Oracle Cloud Infrastructure (OCI) compute instances can help you to better manage your cloud compute power, address internal compliance requirements, and prevent unexpected charges on your OCI bill.

Audit

To determine if your OCI compute instances have the desired shape(s), perform the following operations:

Using OCI Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Approved Instance Shape Compliance rule settings, and identify the compute instance shape(s) approved by your organization.

02 Sign in to your Oracle Cloud Infrastructure (OCI) account.

03 Navigate to Compute console available at https://cloud.oracle.com/compute/.

04 Choose the OCI compartment that you want to access from the Compartment dropdown list.

05 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

06 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

07 Select the Details tab and check the shape of the compute instance, listed as value for the Shape attribute, in the Shape configuration section. If the instance shape is different than the one(s) allowed by your organization and identified in step no. 1, the selected Oracle Cloud Infrastructure (OCI) compute instance was not launched using the approved, compliant shape.

Using OCI CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Approved Instance Shape Compliance rule settings, and identify the compute instance shape(s) approved by your organization.

02 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account: 

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

03 The command output should return the requested OCI compartment identifiers (OCIDs): 

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

04 Run compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each compute instance available in the selected OCI compartment: 

oci compute instance list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--region 'ap-sydney-1'
	--all
	--query 'data[]."id"'

05 The command output should return the requested compute instance IDs: 

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

06 Run compute instance get command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to examine as the identifier parameter and custom output filters to describe the shape (size) of the selected compute instance: 

oci compute instance get
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data."shape"'

07 The command output should return the shape of the specified compute instance: 

"VM.Standard.E4.Flex"

Compare the instance shape returned by the compute instance get command output with the one(s) allowed by your organization, identified in step no. 1. If the instance shape is not listed in the conformity rule configuration settings, the selected Oracle Cloud Infrastructure (OCI) compute instance was not launched using the approved, compliant shape.

Remediation / Resolution

To resize your Oracle Cloud Infrastructure (OCI) compute instances to the instance shape(s) established by your organization, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to resize.

06 Choose Actions from the top menu, select More actions, and choose Edit to change the instance shape (size) settings.

07 In the Shape summary section, perform the following actions:

  1. For Shape series, select the shape series approved by your organization.
  2. Choose the shape approved by your organization from the compute instance shapes list. Click on the Expand button (i.e., right arrow icon) available next to the shape name to open the configuration panel. Ensure that the instance shape configuration aligns with the allowed configuration for your organization, as defined in the conformity rule settings.

08 Choose Save changes to apply the configuration changes.

09 On the Confirm instance reboot panel, choose Reboot instance to confirm the compute instance reboot.

Using OCI CLI

01 Run compute instance update command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to configure as the identifier parameter, to resize the selected compute instance to the instance shape approved by your organization (e.g., VM.Standard.E5.Flex). Use the --shape-config parameter to ensure that the instance shape configuration aligns with the one allowed by your organization: 

oci compute instance update
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--shape 'VM.Standard.E5.Flex'
	--shape-config '{"ocpus":1.0, "memory-in-gbs": 12.0}'

02 The command output should return the configuration information available for the modified compute instance: 

{
	"agent-config": {
		"are-all-plugins-disabled": false,
		"is-management-disabled": false,
		"is-monitoring-disabled": false,
		"plugins-config": null
	},
	"availability-config": {
		"is-live-migration-preferred": null,
		"recovery-action": "RESTORE_INSTANCE"
	},
	"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
	"capacity-reservation-id": null,
	"cluster-placement-group-id": null,
	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"dedicated-vm-host-id": null,
	"display-name": "cc-new-project5-instance",
	"extended-metadata": {},
	"fault-domain": "FAULT-DOMAIN-3",
	"freeform-tags": {},
	"id": "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
	"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"instance-configuration-id": null,
	"instance-options": {
		"are-legacy-imds-endpoints-disabled": true
	},
	"ipxe-script": null,
	"is-ai-enterprise-enabled": null,
	"is-cross-numa-node": false,
	"launch-mode": "PARAVIRTUALIZED",
	"launch-options": {
		"boot-volume-type": "PARAVIRTUALIZED",
		"firmware": "UEFI_64",
		"is-consistent-volume-naming-enabled": true,
		"is-pv-encryption-in-transit-enabled": false,
		"network-type": "PARAVIRTUALIZED",
		"remote-data-volume-type": "PARAVIRTUALIZED"
	},
	"licensing-configs": null,
	"lifecycle-state": "PROVISIONING",
	"metadata": {},
	"placement-constraint-details": null,
	"platform-config": {
		"is-measured-boot-enabled": false,
		"is-memory-encryption-enabled": true,
		"is-secure-boot-enabled": false,
		"is-symmetric-multi-threading-enabled": true,
		"is-trusted-platform-module-enabled": false,
		"type": "AMD_VM"
	},
	"preemptible-instance-config": null,
	"region": "ap-sydney-1",
	"security-attributes": {},
	"security-attributes-state": "STABLE",
	"shape": "VM.Standard.E4.Flex",
	"shape-config": {
		"baseline-ocpu-utilization": null,
		"gpu-description": null,
		"gpus": 0,
		"local-disk-description": null,
		"local-disks": 0,
		"local-disks-total-size-in-gbs": null,
		"max-vnic-attachments": 2,
		"memory-in-gbs": 12.0,
		"networking-bandwidth-in-gbps": 1.0,
		"ocpus": 1.0,
		"processor-description": "2.55 GHz AMD EPYC™ 7J13 (Milan)",
		"vcpus": 2
	},
	"source-details": {
		"boot-volume-size-in-gbs": null,
		"boot-volume-vpus-per-gb": null,
		"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"instance-source-image-filter-details": null,
		"kms-key-id": null,
		"source-type": "image"
	},
	"system-tags": {},
	"time-created": "2025-10-14T20:37:29.527000+00:00",
	"time-maintenance-reboot-due": null
}

References

Publication date Dec 8, 2025

Related OCI-Compute rules