
Use Resource Locking for File Systems

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: OCI-FileStorage-002

Ensure that resource locking is enabled for production or mission-critical Oracle Cloud Infrastructure (OCI) File Storage systems so that non-admin users cannot delete or modify those file systems. This helps prevent accidental and malicious changes or resource deletion.

Security

In Oracle Cloud Infrastructure (OCI), resource locking enables you to restrict operations on production file systems where modifying or deleting a resource would have a significant negative impact on the entire ecosystem. As an OCI account administrator, it may be necessary to lock an important cloud resource in order to prevent other users within your organization from mistakenly deleting or modifying the resource. A resource lock can have one of the following types:


Audit

To determine if your production OCI File Storage systems have resource locking configured, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to File Storage console available at https://cloud.oracle.com/fss/.

  3. In the left navigation panel, choose File Systems, and select an OCI compartment from the Compartment dropdown menu to list the file systems provisioned in that compartment.

  4. Click on the name (link) of the file system that you want to examine, listed in the Name column.

  5. Select the File System information tab, and check the Lock Type 1 and Lock Type 2 attributes value, listed in the Resource Locking section. If both Lock Type 1 and Lock Type 2 attributes are missing values, resource locking is not enabled for the selected Oracle Cloud Infrastructure (OCI) File Storage system.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run fs file-system list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, plus the availability domain, to list the ID of each File Storage system provisioned in the selected OCI compartment:

    oci fs file-system list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--availability-domain 'ABC1:AB-ABC123-1-BC-1' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested file system IDs:

    [
    	"ocid1.filesystem.oc1.ap_sydney_1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.filesystem.oc1.ap_sydney_1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
    ]
    
  5. Run fs file-system get command (Windows/macOS/Linux) with the ID of the File Storage system that you want to examine as the identifier parameter and custom output filters to determine if resource locking is enabled for the selected file system:

    oci fs file-system get \
    	--file-system-id 'ocid1.filesystem.oc1.ap_sydney_1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data."locks"'
    
  6. The command output should return the resource locking configuration for the selected file system:

    []
    

    If the fs file-system get command output returns an empty array, i.e., [], as shown in the example above, resource locking is not enabled for the selected Oracle Cloud Infrastructure (OCI) File Storage system.
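The CLI audit above is a manual, one-file-system-at-a-time check. The script below is an added example (not part of the original page and not Trend Micro or Oracle code) that automates the same logic: it walks compartments and file systems with the commands shown above and classifies each file system by its `locks` attribute. It runs offline against constructed sample lock data (the file system IDs are placeholders, not real OCIDs); setting USE_OCI_CLI to True makes it shell out to the real `oci` binary instead. The `require_full` option goes beyond the rule: it also fails file systems that carry only a DELETE lock, which still permits updates and moves.

```python
"""Audit OCI File Storage systems for resource locks (added example, not the page's code)."""
import json
import subprocess
from typing import Dict, List

USE_OCI_CLI = False  # True: run the real `oci` commands; False: use the constructed sample below

# Constructed sample of what `oci fs file-system get --query 'data."locks"'` returns for
# three hypothetical file systems. The IDs are placeholders, not real OCIDs.
SAMPLE_LOCKS: Dict[str, list] = {
    "ocid1.filesystem.oc1..EXAMPLE-unlocked": [],
    "ocid1.filesystem.oc1..EXAMPLE-delete-lock": [
        {"type": "DELETE", "message": "Resource delete prohibited in production",
         "related-resource-id": None, "time-created": "2025-10-16T04:42:06.652000+00:00"}
    ],
    "ocid1.filesystem.oc1..EXAMPLE-full-lock": [
        {"type": "FULL", "message": "Frozen for production",
         "related-resource-id": None, "time-created": "2025-10-16T04:42:06.652000+00:00"}
    ],
}


def run_oci(args: List[str]):
    """Run one `oci` CLI command and parse its JSON output (used only when USE_OCI_CLI)."""
    out = subprocess.run(["oci", *args], check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def list_compartments() -> List[str]:
    """Audit step 1: every compartment OCID, including the root (tenancy)."""
    return run_oci(["iam", "compartment", "list", "--all", "--include-root",
                    "--query", 'data[]."id"']) or []


def list_file_systems(compartment_id: str, availability_domain: str) -> List[str]:
    """Audit step 3: file system OCIDs in one compartment and availability domain."""
    return run_oci(["fs", "file-system", "list", "--compartment-id", compartment_id,
                    "--availability-domain", availability_domain, "--all",
                    "--query", 'data[]."id"']) or []


def get_locks(file_system_id: str) -> list:
    """Audit step 5: the `locks` attribute of one file system."""
    if USE_OCI_CLI:
        return run_oci(["fs", "file-system", "get", "--file-system-id", file_system_id,
                        "--query", 'data."locks"']) or []
    return SAMPLE_LOCKS[file_system_id]


def lock_level(locks: list) -> str:
    """Strongest protection present: FULL > DELETE > NONE (empty array)."""
    types = {lock.get("type") for lock in locks}
    if "FULL" in types:
        return "FULL"
    if "DELETE" in types:
        return "DELETE"
    return "NONE"


def audit(file_system_ids, require_full: bool = False) -> Dict[str, str]:
    """Map each file system OCID to 'PASS' or 'FAIL: <reason>'.

    Default follows the rule text: any lock passes, an empty locks array fails.
    require_full=True is stricter than the rule: a DELETE-only lock also fails,
    because it blocks deletion but still allows update and move operations.
    """
    results = {}
    for fs_id in file_system_ids:
        level = lock_level(get_locks(fs_id))
        if level == "NONE":
            results[fs_id] = "FAIL: no resource lock (empty locks array)"
        elif require_full and level == "DELETE":
            results[fs_id] = "FAIL: DELETE lock only; updates and moves still allowed"
        else:
            results[fs_id] = "PASS"
    return results


if __name__ == "__main__":
    if USE_OCI_CLI:
        # Availability domain is an assumed placeholder; substitute your own.
        targets = [fs for comp in list_compartments()
                   for fs in list_file_systems(comp, "ABC1:AB-ABC123-1-BC-1")]
    else:
        targets = list(SAMPLE_LOCKS)
    for fs_id, verdict in audit(targets).items():
        print(f"{fs_id}: {verdict}")
```

The sample run flags only the unlocked file system; with `audit(targets, require_full=True)` the DELETE-locked one is flagged as well, which is the setting to use where a file system must not be modified at all, not merely protected from deletion.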

Remediation / Resolution

Locks help protect resources against tampering and accidental deletion. To enable resource locking for your production or mission critical Oracle Cloud Infrastructure (OCI) File Storage systems, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to File Storage console available at https://cloud.oracle.com/fss/.

  3. In the left navigation panel, choose File Systems, and select an OCI compartment from the Compartment dropdown menu to list the file systems provisioned in that compartment.

  4. Click on the name (link) of the file system that you want to configure, listed in the Name column.

  5. Select the File System information tab, choose Add next to Resource Locking, and perform the following actions to configure resource locking for the selected OCI File Storage system:

    1. Select the appropriate type (level) of lock restriction from the Resource Lock options menu. Select Delete to prevent only the deletion of the locked resource or Full to prevent the update, move, and deletion of the locked resource.
    2. Choose Save changes to apply the configuration changes to your OCI File Storage system.

Using OCI CLI

  1. Run fs file-system add-lock command (Windows/macOS/Linux) with the ID of the File Storage system that you want to configure as the identifier parameter, to add a resource lock to the selected file system. To prevent only the deletion of the locked resource, use --type DELETE. To prevent the update, move, and deletion of the locked resource, use --type FULL:

    oci fs file-system add-lock \
    		--file-system-id 'ocid1.filesystem.oc1.ap_sydney_1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    		--type DELETE \
    		--message 'Resource delete prohibited in production'
    
  2. The command output should return the configuration information available for the modified file system:

    {
    	"data": {
    		"are-quota-rules-enabled": false,
    		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
    		"clone-attach-status": "DETACHED",
    		"clone-count": 0,
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"defined-tags": {},
    		"display-name": "cc-project5-file-system",
    		"filesystem-snapshot-policy-id": null,
    		"freeform-tags": {},
    		"id": "ocid1.filesystem.oc1.ap_sydney_1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"is-clone-parent": false,
    		"is-hydrated": true,
    		"is-targetable": false,
    		"kms-key-id": null,
    		"lifecycle-details": null,
    		"lifecycle-state": "ACTIVE",
    		"locks": [
    			{
    				"message": "Resource delete prohibited in production",
    				"related-resource-id": null,
    				"time-created": "2025-10-16T04:42:06.652000+00:00",
    				"type": "DELETE"
    			}
    		],
    		"metered-bytes": 0,
    		"quota-enforcement-state": "DISABLED",
    		"replication-source-count": 0,
    		"replication-target-id": null,
    		"source-details": null,
    		"system-tags": null,
    		"time-created": "2025-10-16T03:45:20.573000+00:00"
    	},
    	"etag": "abcd1234abcd1234abcd1234abcd1234"
    }
    
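Because adding a lock is a change to a production resource, it is worth planning it idempotently and verifying the response rather than firing the command blindly. The script below is an added example (not the page's or Oracle's code): it decides from the current `locks` array whether a lock at the desired level is still needed (a FULL lock already covers DELETE), assembles the `oci fs file-system add-lock` command line shown above, and checks the JSON the update returns for the expected lock. The response used here is a constructed, abbreviated copy of the output above; the file system ID is a placeholder.

```python
"""Plan and verify an OCI File Storage resource lock (added example, not the page's code)."""
import json
import shlex
from typing import List, Optional

LOCK_TYPES = ("DELETE", "FULL")
STRENGTH = {"DELETE": 1, "FULL": 2}

# Constructed sample of the response `oci fs file-system add-lock` prints, trimmed to
# the fields this script reads. The OCID is a placeholder.
SAMPLE_RESPONSE = json.loads("""
{
  "data": {
    "id": "ocid1.filesystem.oc1..EXAMPLE-fs",
    "lifecycle-state": "ACTIVE",
    "locks": [
      {"message": "Resource delete prohibited in production",
       "related-resource-id": null,
       "time-created": "2025-10-16T04:42:06.652000+00:00",
       "type": "DELETE"}
    ]
  },
  "etag": "abcd1234abcd1234abcd1234abcd1234"
}
""")


def current_strength(locks: list) -> int:
    """0 when unlocked, 1 for DELETE, 2 for FULL (strongest lock present wins)."""
    return max((STRENGTH.get(lock.get("type"), 0) for lock in locks), default=0)


def plan_lock(locks: list, desired: str) -> Optional[str]:
    """Return the lock type to add, or None if the file system is already protected
    at least as strongly as `desired`. Raises on an invalid lock type."""
    if desired not in LOCK_TYPES:
        raise ValueError(f"lock type must be one of {LOCK_TYPES}, got {desired!r}")
    if current_strength(locks) >= STRENGTH[desired]:
        return None
    return desired


def build_add_lock_command(file_system_id: str, lock_type: str, message: str) -> List[str]:
    """argv for the add-lock command from the remediation step (safe to pass to subprocess)."""
    if lock_type not in LOCK_TYPES:
        raise ValueError(f"lock type must be one of {LOCK_TYPES}, got {lock_type!r}")
    return ["oci", "fs", "file-system", "add-lock",
            "--file-system-id", file_system_id,
            "--type", lock_type,
            "--message", message]


def verify_lock_applied(response: dict, expected_type: str) -> bool:
    """True when the returned `data.locks` array contains a lock of `expected_type`."""
    locks = (response.get("data") or {}).get("locks") or []
    return any(lock.get("type") == expected_type for lock in locks)


if __name__ == "__main__":
    fs_id = "ocid1.filesystem.oc1..EXAMPLE-fs"  # placeholder OCID
    to_add = plan_lock([], "DELETE")            # unlocked file system: a lock is needed
    if to_add:
        cmd = build_add_lock_command(fs_id, to_add, "Resource delete prohibited in production")
        print("would run:", shlex.join(cmd))
    # After running the command, check its JSON output (here the constructed sample).
    print("lock applied:", verify_lock_applied(SAMPLE_RESPONSE, "DELETE"))
```

Printing `shlex.join(cmd)` instead of running it makes the script a dry-run tool; swapping the print for `subprocess.run(cmd, check=True, capture_output=True, text=True)` and feeding `json.loads(...stdout)` to `verify_lock_applied` turns it into the actual remediation. Note that `plan_lock(locks, "FULL")` still returns "FULL" for a DELETE-locked file system, since that lock does not stop updates or moves.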

Publication date Nov 11, 2025