
Check for Environment Tags

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: OCI-KMS-002

Ensure that resource tags are used to organize Oracle Cloud Infrastructure (OCI) KMS Vaults, helping to distinguish between different environment stages (e.g., Development, Staging, and Production). In OCI, resource tags are simple key-value pairs that can be assigned to cloud resources to simplify organization, management, and tracking. TrendAI Vision One™ Cloud Risk Management recommends defining environment identification tags using the following tag keys: "Environment", "Env", or "Stage".

Operational excellence

As your Oracle Cloud Infrastructure (OCI) environment becomes increasingly complex, it requires more effective management strategies. Using resource tags for environment identification on OCI KMS Vaults is important because it enables clear organization and isolation (e.g., separating Development, Staging, and Production), simplifies cost allocation and reporting, streamlines automation for environment-specific operations, and ensures proper access control and governance over sensitive encryption keys.


Audit

To determine if your OCI KMS Vaults are using environment identification tags, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list the OCI KMS Vaults available within that compartment.

  4. Click on the name (link) of the active KMS Vault that you want to examine, listed in the Name column. Being an active Vault means its State is set to Active.

  5. Select the Tags tab to access the resource tags defined for the selected KMS Vault.

  6. In the Tags section, identify the Tag key column, and search for the following tag keys: Environment, Env, and Stage. If the Tag key column does not contain any of the specified tag keys, the selected Oracle Cloud Infrastructure (OCI) KMS Vault is not using environment identification tags.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with custom output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run kms management vault list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each active KMS Vault provisioned in the selected OCI compartment:

    oci kms management vault list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query "data[?\"lifecycle-state\"=='ACTIVE'].id"
    
  4. The command output should return the requested Vault IDs:

    [
    	"ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.vault.oc1.ap-sydney-1.abcd1234abcda.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run kms management vault get command (Windows/macOS/Linux) to describe the resource tags (defined tags and free-form tags) defined for the specified OCI KMS Vault:

    oci kms management vault get \
    	--vault-id 'ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data.["defined-tags","freeform-tags"]'
    
  6. The command output should return the resource tags used by the selected KMS Vault:

    [
    	{
    		"ProjectName": "Project5"
    	},
    	{
    		"Oracle-Tags": {
    			"CreatedBy": "Sydney Dev Team"
    		}
    	}
    ]
    

Resource tags are simple key-value pairs. Check each tag key returned by the kms management vault get command output (e.g., "ProjectName") for the following names: Environment, Env, and Stage. If the command output does not return any of the specified tag keys, the selected Oracle Cloud Infrastructure (OCI) KMS Vault is not using environment identification tags.
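The tag check from the audit steps above, as an added Python example (not part of this Cloud Risk Management page or of the OCI CLI). It consumes the JSON printed by the step 5 command, or the full vault object that vault get prints without --query, classifies each tag map by shape (a free-form map is flat, a defined-tag map is nested by namespace) so it works whichever order the two maps come back in, and reports which environment tag keys it found; the small merge helper builds a --freeform-tags value that keeps the existing tags, since the update command replaces them. The sample inputs are constructed to mirror the outputs shown on this page.

```python
import json

# Tag keys the rule treats as environment identifiers (matched case-insensitively here).
ENV_TAG_KEYS = {"environment", "env", "stage"}


def environment_tag_keys(tag_maps):
    """Return the environment tag keys found in a vault's tag maps.

    A free-form map is flat ({"ProjectName": "Project5"}); a defined-tag map is nested
    by namespace ({"Oracle-Tags": {"CreatedBy": "..."}}). Each map is classified by the
    shape of its values, so the order of the maps does not matter.
    """
    found = []
    for tag_map in tag_maps:
        for key, value in (tag_map or {}).items():
            if isinstance(value, dict):  # defined tags: namespace -> {key: value}
                found.extend(f"{key}.{k}" for k in value if k.lower() in ENV_TAG_KEYS)
            elif key.lower() in ENV_TAG_KEYS:  # free-form tag
                found.append(key)
    return found


def audit_vault_get_output(cli_json):
    """Evaluate 'oci kms management vault get' output and return (compliant, keys_found).

    Accepts the two-element list produced by --query 'data.["defined-tags","freeform-tags"]'
    or the full {"data": {...}} object printed without --query.
    """
    doc = json.loads(cli_json)
    if isinstance(doc, dict):
        data = doc.get("data", doc)
        tag_maps = [data.get("defined-tags"), data.get("freeform-tags")]
    else:
        tag_maps = doc
    keys = environment_tag_keys(tag_maps)
    return (len(keys) > 0, keys)


def merged_freeform_tags(existing, env_value, key="Environment"):
    """Build the --freeform-tags JSON value: existing free-form tags plus the environment tag."""
    return json.dumps({**(existing or {}), key: env_value}, separators=(",", ":"))


# Constructed samples mirroring the page's outputs (not real tenancy data).
NON_COMPLIANT = '[{"ProjectName": "Project5"}, {"Oracle-Tags": {"CreatedBy": "Sydney Dev Team"}}]'
FREEFORM_OK = '[{}, {"Environment": "Production", "ProjectName": "Project5"}]'
DEFINED_OK = '[{"Env": {"Environment": "Production"}}, {}]'

if __name__ == "__main__":
    for label, sample in [("before", NON_COMPLIANT), ("free-form", FREEFORM_OK), ("defined", DEFINED_OK)]:
        compliant, keys = audit_vault_get_output(sample)
        print(f"{label}: {'tagged' if compliant else 'NOT TAGGED'} {keys}")
    print(merged_freeform_tags({"ProjectName": "Project5"}, "Production"))
```

To run it against a live tenancy, pipe the output of the step 5 command (or of vault get without --query) into audit_vault_get_output for each Vault ID returned by step 3.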

Remediation / Resolution

To implement environment identification tags for your Oracle Cloud Infrastructure (OCI) KMS Vaults, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list the OCI KMS Vaults available within that compartment.

  4. Click on the name (link) of the active KMS Vault that you want to examine, listed in the Name column. Being an active Vault means its State is set to Active.

  5. Select the Tags tab to access the resource tags defined for the selected KMS Vault.

  6. In the Tags section, choose Add, and perform the following actions to create the recommended environment tags for the selected OCI KMS Vault:

    1. For Namespace, select a tag namespace from the dropdown list to add a defined tag or select None to add a free-form tag. A defined tag is a structured key-value metadata with enforced policies and namespace. A free-form tag is a simple key-value metadata with no structure or namespace enforcement.
    2. For Key, choose an environment tag key (Environment, Env, or Stage) that's associated with the selected tag namespace if you are adding a defined tag, or type Environment, Env, or Stage in the tag key box if you're adding a free-form tag.
    3. For Value, enter the tag value that can be used to distinguish between different environment stages (e.g., Development, Staging, Production).
    4. Choose Add tags to apply the environment identification tags to your OCI resource.

Using OCI CLI

  1. Run kms management vault update command (Windows/macOS/Linux) to add environment identification tags (free-form tags) to the specified Oracle Cloud Infrastructure (OCI) KMS Vault. A free-form tag is a simple key-value metadata with no structure or namespace enforcement. Make sure that you include any existing free-form tags in the --freeform-tags parameter value, because the update replaces the existing tag set:

    oci kms management vault update \
    	--vault-id 'ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--freeform-tags '{"Environment":"Production","ProjectName":"Project5"}'
    
  2. Type Y and press Enter for confirmation:

    WARNING: Updates to defined-tags and freeform-tags will replace any existing values. Are you sure you want to continue? [y/N]: Y
    
  3. The command output should return the configuration information (including tags) available for the modified KMS Vault:

    {
    	"data": {
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"crypto-endpoint": "https://1234abcd1234abcd-crypto.kms.ap-sydney-1.oraclecloud.com",
    		"display-name": "cc-project5-vault",
    		"external-key-manager-metadata-summary": null,
    		"freeform-tags": {
    			"Environment": "Production",
    			"ProjectName": "Project5"
    		},
    		"id": "ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"is-primary": true,
    		"is-vault-replicable": null,
    		"lifecycle-state": "ACTIVE",
    		"management-endpoint": "https://1234abcd1234abcd-management.kms.ap-sydney-1.oraclecloud.com",
    		"replica-details": null,
    		"restored-from-vault-id": null,
    		"time-created": "2025-10-27T11:49:33.807000+00:00",
    		"time-of-deletion": null,
    		"vault-type": "DEFAULT",
    		"wrappingkey-id": "ocid1.key.oc1.ap-sydney-1.1234abcd1234abcd.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    	}
    }
    
  4. Run kms management vault update command (Windows/macOS/Linux) to add environment tags (defined tags) to the specified OCI KMS Vault. A defined tag is a structured key-value metadata with enforced policies and namespace. Make sure that you include any existing defined tags in the --defined-tags parameter value, because the update replaces the existing tag set:

    oci kms management vault update \
    	--vault-id 'ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--defined-tags '{"Env":{"Environment":"Production"}}'
    
  5. Type Y and press Enter for confirmation:

    WARNING: Updates to defined-tags and freeform-tags will replace any existing values. Are you sure you want to continue? [y/N]: Y
    
  6. The command output should return the configuration information (including tags) available for the modified KMS Vault:

    {
    	"data": {
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"crypto-endpoint": "https://1234abcd1234abcd-crypto.kms.ap-sydney-1.oraclecloud.com",
    		"defined-tags": {
    			"Env": {
    				"Environment": "Production"
    			}
    		},
    		"display-name": "cc-project5-vault",
    		"external-key-manager-metadata-summary": null,
    		"freeform-tags": {},
    		"id": "ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"is-primary": true,
    		"is-vault-replicable": null,
    		"lifecycle-state": "ACTIVE",
    		"management-endpoint": "https://1234abcd1234abcd-management.kms.ap-sydney-1.oraclecloud.com",
    		"replica-details": null,
    		"restored-from-vault-id": null,
    		"time-created": "2025-10-27T11:49:33.807000+00:00",
    		"time-of-deletion": null,
    		"vault-type": "DEFAULT",
    		"wrappingkey-id": "ocid1.key.oc1.ap-sydney-1.1234abcd1234abcd.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    	}
    }
    


Publication date Nov 12, 2025