
Enable Cloud Guard

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-CloudGuard-001

To proactively detect and automatically remediate security misconfigurations, insecure activities, and threats, ensure that the Cloud Guard service is enabled for all your OCI compartments. Cloud Guard is a cloud-native security service in Oracle Cloud that helps you monitor, identify, and remediate security vulnerabilities in your Oracle Cloud Infrastructure (OCI) account.

Security

Enabling Cloud Guard in your OCI compartments ensures comprehensive security posture monitoring and threat detection across your entire Oracle Cloud Infrastructure (OCI) environment. This allows for centralized visibility and control over security risks.


Audit

To determine if Cloud Guard is enabled for all your Oracle Cloud Infrastructure (OCI) compartments, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to https://cloud.oracle.com/cloud-guard/ to access the Cloud Guard Overview dashboard created for your OCI tenancy. If a Get Started page is displayed instead of the Overview dashboard, the Cloud Guard service is not enabled for your OCI tenancy. If the Overview dashboard is available, choose Configuration from the left navigation panel, select Targets, and use the Compartment dropdown menu under Scope to verify that your OCI compartments are monitored by Cloud Guard. If one or more compartments are not configured to be monitored by Cloud Guard, the security service is not enabled for all your Oracle Cloud Infrastructure (OCI) compartments.

Using OCI CLI

  1. Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run the cloud-guard configuration get command (Windows/macOS/Linux) to describe the operational status of the Cloud Guard service in the selected Oracle Cloud Infrastructure (OCI) compartment:

    oci cloud-guard configuration get \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data.status'
    
  4. The command output should return the Cloud Guard operational status:

    "DISABLED"
    

    If the cloud-guard configuration get command output returns "DISABLED", as shown in the output example above, the Cloud Guard service is not enabled for the selected Oracle Cloud Infrastructure (OCI) compartment.

  5. Repeat steps no. 3 and 4 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
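The five audit steps above scripted end to end, as an added example that is not part of Trend Micro's or Oracle's documentation. It assumes a configured OCI CLI and its `--raw-output` flag; the function names, the `CG_AUDIT_DEMO` switch and the placeholder OCIDs it returns are constructed here so the logic can be exercised offline.

```shell
#!/bin/sh
# Cloud Guard enablement audit (added example, not Trend Micro's or Oracle's
# code). Assumes a configured OCI CLI; CG_AUDIT_DEMO=1 swaps in constructed
# sample output with placeholder OCIDs so the script can be run offline.

# Every CLI call goes through this wrapper so demo mode can intercept it.
oci_cli() {
  if [ "${CG_AUDIT_DEMO:-0}" = "1" ]; then demo_oci "$@"; else oci "$@"; fi
}

# Demo mode: three constructed compartments, one with Cloud Guard disabled.
demo_oci() {
  case "$1 $2" in
    "iam compartment")
      echo 'ocid1.tenancy.oc1..EXAMPLEroot ocid1.compartment.oc1..EXAMPLEdev ocid1.compartment.oc1..EXAMPLEprod' ;;
    "cloud-guard configuration")
      cid=""; while [ $# -gt 0 ]; do
        [ "$1" = "--compartment-id" ] && cid="$2"; shift
      done
      case "$cid" in *EXAMPLEdev) echo DISABLED ;; *) echo ENABLED ;; esac ;;
  esac
}

# Audit step 1: every compartment OCID, root included, space-separated.
list_compartments() {
  oci_cli iam compartment list --all --include-root \
    --query "join(' ', data[].id)" --raw-output
}

# Audit steps 3-4: Cloud Guard status (ENABLED/DISABLED) for one compartment.
cloud_guard_status() {
  oci_cli cloud-guard configuration get --compartment-id "$1" \
    --query 'data.status' --raw-output
}

# Audit step 5: check every compartment; return 1 if any is not ENABLED.
# An empty status (CLI error, missing permission) also counts as a finding.
audit_cloud_guard() {
  failed=0
  for cid in $(list_compartments); do
    status=$(cloud_guard_status "$cid")
    printf '%-8s %s\n' "${status:-UNKNOWN}" "$cid"
    [ "$status" = "ENABLED" ] || failed=1
  done
  return $failed
}

# Run the audit only when executed as a script, not when sourced.
case "${0##*/}" in audit_cloud_guard.sh) audit_cloud_guard ;; esac
```

Save it as audit_cloud_guard.sh and run it against the tenancy; a non-zero exit status means at least one compartment is not monitored and should be remediated as described below.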

Remediation / Resolution

To ensure that the Cloud Guard service is enabled for all your Oracle Cloud Infrastructure (OCI) compartments, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Cloud Guard service console available at https://cloud.oracle.com/cloud-guard/ and choose Enable Cloud Guard to initiate the setup process.

  3. For Cloud Guard policy, review the Cloud Guard access policy provided by Oracle Cloud Infrastructure (OCI), and choose Create policy.

  4. For Basic information, perform the following actions:

    1. Select the desired reporting region from the Reporting Region dropdown list.
    2. For Compartments to monitor, choose Select compartments, and select the OCI compartment that you want to monitor. You can select the top-level compartment to include all OCI compartments.
    3. For Configuration detector recipe, select the OCI Configuration Detector Recipe (Oracle Managed) recipe.
    4. For Activity detector recipe, select the OCI Activity Detector Recipe (Oracle Managed) recipe.
    5. For Threat detector recipe, select the OCI Threat Detector Recipe (Oracle Managed) recipe.
    6. Choose Enable to enable the Cloud Guard service for your Oracle Cloud Infrastructure (OCI) environment.

Using OCI CLI

  1. Run the iam policy create command (Windows/macOS/Linux) to create the access policy required to enable and run the Cloud Guard service in the OCI compartment specified by the --compartment-id parameter:

    oci iam policy create \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--name 'CloudGuardPolicies' \
    	--description 'Cloud Guard Access Policy' \
    	--statements '[
    		"allow service cloudguard to read vaults in tenancy",
    		"allow service cloudguard to read keys in tenancy",
    		"allow service cloudguard to read compartments in tenancy",
    		"allow service cloudguard to read tenancies in tenancy",
    		"allow service cloudguard to read audit-events in tenancy",
    		"allow service cloudguard to read compute-management-family in tenancy",
    		"allow service cloudguard to read instance-family in tenancy",
    		"allow service cloudguard to read virtual-network-family in tenancy",
    		"allow service cloudguard to read volume-family in tenancy",
    		"allow service cloudguard to read database-family in tenancy",
    		"allow service cloudguard to read object-family in tenancy",
    		"allow service cloudguard to read load-balancers in tenancy",
    		"allow service cloudguard to read users in tenancy",
    		"allow service cloudguard to read groups in tenancy",
    		"allow service cloudguard to read policies in tenancy",
    		"allow service cloudguard to read dynamic-groups in tenancy",
    		"allow service cloudguard to read authentication-policies in tenancy"
    	]'
    
  2. The command output should return the metadata of the newly created Cloud Guard access policy (including its OCID, statements, and "lifecycle-state" of "ACTIVE"):

    {
    	"data": {
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"description": "Cloud Guard Access Policy",
    		"freeform-tags": {},
    		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
    		"inactive-status": null,
    		"lifecycle-state": "ACTIVE",
    		"name": "CloudGuardPolicies",
    		"statements": [
    		"allow service cloudguard to read vaults in tenancy",
    		"allow service cloudguard to read keys in tenancy",
    		"allow service cloudguard to read compartments in tenancy",
    		"allow service cloudguard to read tenancies in tenancy",
    		"allow service cloudguard to read audit-events in tenancy",
    		"allow service cloudguard to read compute-management-family in tenancy",
    		"allow service cloudguard to read instance-family in tenancy",
    		"allow service cloudguard to read virtual-network-family in tenancy",
    		"allow service cloudguard to read volume-family in tenancy",
    		"allow service cloudguard to read database-family in tenancy",
    		"allow service cloudguard to read object-family in tenancy",
    		"allow service cloudguard to read load-balancers in tenancy",
    		"allow service cloudguard to read users in tenancy",
    		"allow service cloudguard to read groups in tenancy",
    		"allow service cloudguard to read policies in tenancy",
    		"allow service cloudguard to read dynamic-groups in tenancy",
    		"allow service cloudguard to read authentication-policies in tenancy"
    		],
    		"time-created": "2025-03-05T19:14:00.278000+00:00",
    		"version-date": null
    	},
    	"etag": "abcd1234abcd1234abcd1234abcd1234abcd1234"
    }
    
  3. Run the cloud-guard configuration update command (Windows/macOS/Linux) to enable the Cloud Guard service for the selected Oracle Cloud Infrastructure (OCI) compartment. To include all OCI compartments, use the --compartment-id parameter to specify your top-level (root) compartment:

    oci cloud-guard configuration update \
    	--reporting-region 'ap-sydney-1' \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--status 'ENABLED' \
    	--query 'data.status'
    
  4. The command output should return the current Cloud Guard operational status:

    "ENABLED"
    

Publication date Mar 10, 2025