
Check for OCI Notification Topics and Subscriptions

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-ONS-001

Ensure that at least one OCI notification topic with active subscriptions is configured to deliver monitoring alerts in order to help you respond quickly and efficiently to operational changes within your Oracle Cloud Infrastructure (OCI) account.


In Oracle Cloud Infrastructure (OCI), the Notifications service can be used to inform you of any events related to your cloud resources. By using alarms, event rules, and event connectors, you can receive human-readable messages through supported endpoints. The service allows you to establish communication channels for publishing messages via topics and subscriptions. When a message is published to a topic, the Notifications service broadcasts the message to all the subscriptions associated with that topic. Messages can be sent through various mediums, including email, SMS, HTTPS endpoints, PagerDuty, Slack, or OCI functions. By creating one or more notification topics with subscriptions, you can keep track of relevant changes made to your Oracle Cloud Infrastructure (OCI) resources.


Audit

To determine if at least one OCI notification topic with active subscriptions is configured to send monitoring alerts, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to the Notifications console available at https://cloud.oracle.com/notification/.

  3. In the left navigation panel, choose Topics, and select an OCI compartment from the Compartment dropdown menu to list the OCI notification topics available within that compartment. If no topics are returned and the message "No items found." is displayed, there are no OCI notification topics created for the selected compartment. Therefore, notification alerts for operational changes in the designated OCI compartment are not being received. If one or more topics are returned, continue the Audit process with the next step.

  4. Click on the name (link) of the topic that you want to examine and check for any active subscriptions, listed in the Subscriptions section. An active subscription has State set to Active. If there are no active subscriptions available for the selected topic, the topic configuration is not compliant. As a result, important monitoring alerts for the selected OCI compartment will not be sent from this topic.

  5. Repeat step no. 4 for each notification topic created within the selected Oracle Cloud Infrastructure (OCI) compartment.

  6. Repeat steps no. 3 – 5 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
      --all \
      --include-root \
      --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run the ons topic list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each active OCI notification topic available in the selected compartment:

    oci ons topic list \
      --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
      --all \
      --lifecycle-state 'ACTIVE' \
      --query 'data[]."topic-id"'
    
  4. The command output should return the requested topic IDs. If the ons topic list command output returns an empty array (i.e., []), there are no OCI notification topics created for the selected compartment. Therefore, notification alerts for operational changes in the designated OCI compartment are not being received. If one or more topics are returned, as shown in the example below, continue the Audit process with the next step:

    [
    	"ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
    ]
    
  5. Run the ons subscription list command (Windows/macOS/Linux) with the ID of the OCI notification topic that you want to examine as the identifier parameter and custom output filters to determine if the selected topic has at least one active subscription deployed:

    oci ons subscription list \
      --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
      --topic-id 'ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
      --all \
      --query 'data'
    
  6. The command output should return the subscriptions configured for the selected notification topic. If the ons subscription list command does not return an output, there are no subscriptions deployed for the selected topic. If the command output returns one or more subscriptions, as shown in the example below, check the "lifecycle-state" attribute value to determine the current state of the resource. If the "lifecycle-state" value is not "ACTIVE", the subscription associated with the topic is not active and the configuration is not compliant. As a result, important monitoring alerts for the selected OCI compartment will not be sent from the selected topic:

    [
    	{
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"delivery-policy": {
    			"backoff-retry-policy": {
    				"max-retry-duration": 7200000,
    				"policy-type": "EXPONENTIAL"
    			}
    		},
    		"endpoint": "user@domain.com",
    		"etag": "abcd1234",
    		"freeform-tags": {
    			"Owner": "Developer"
    		},
    		"id": "ocid1.onssubscription.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"lifecycle-state": "PENDING",
    		"protocol": "EMAIL",
    		"topic-id": "ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    	}
    ]
    
  7. Repeat steps no. 5 and 6 for each notification topic created in the selected Oracle Cloud Infrastructure (OCI) compartment.

  8. Repeat steps no. 3 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
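
The CLI audit steps 3 – 7 above, automated for one compartment. This is an added example, not part of the original page or the vendor's own tooling; the function names (oci_json, evaluate, audit_compartment) are hypothetical, and it assumes a compartment is compliant when at least one topic has a subscription in state ACTIVE, while still reporting every topic that cannot deliver alerts.

```python
import json
import subprocess

def oci_json(*args):
    """Run an OCI CLI command and parse its JSON output (no output -> [])."""
    out = subprocess.run(["oci", *args], capture_output=True, text=True,
                         check=True).stdout
    return (json.loads(out) if out.strip() else []) or []

def evaluate(topic_ids, subs_by_topic):
    """Return (compliant, findings) for one compartment.

    compliant: at least one topic has a subscription in state ACTIVE.
    findings:  one line per topic that cannot deliver any alert.
    """
    if not topic_ids:
        return False, ["no active notification topics in compartment"]
    compliant, findings = False, []
    for tid in topic_ids:
        states = [s.get("lifecycle-state", "UNKNOWN")
                  for s in subs_by_topic.get(tid) or []]
        if "ACTIVE" in states:
            compliant = True
        elif states:
            findings.append(
                f"{tid}: no ACTIVE subscription, states={sorted(set(states))}")
        else:
            findings.append(f"{tid}: no subscriptions")
    return compliant, findings

def audit_compartment(compartment_id, run=oci_json):
    """Audit steps 3-7 for one compartment; `run` is injectable for offline use."""
    topic_ids = run("ons", "topic", "list", "--compartment-id", compartment_id,
                    "--all", "--lifecycle-state", "ACTIVE",
                    "--query", 'data[]."topic-id"')
    subs = {tid: run("ons", "subscription", "list",
                     "--compartment-id", compartment_id, "--topic-id", tid,
                     "--all", "--query", "data")
            for tid in topic_ids}
    return evaluate(topic_ids, subs)

if __name__ == "__main__":
    # Constructed sample: one topic whose only subscription is still PENDING
    # (e-mail not yet confirmed) and one topic with no subscriptions at all.
    sample = {"topic-a": [{"protocol": "EMAIL", "lifecycle-state": "PENDING"}],
              "topic-b": []}
    ok, issues = evaluate(list(sample), sample)
    print("compliant:", ok)
    print("\n".join(issues))
```

Call audit_compartment once per compartment OCID returned in step 2 to cover the whole tenancy.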

Remediation / Resolution

To ensure that at least one OCI notification topic with active subscriptions is configured to deliver monitoring alerts, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to the Notifications console available at https://cloud.oracle.com/notification/.

  3. In the left navigation panel, choose Topics, and select the appropriate OCI compartment from the Compartment dropdown menu.

  4. Choose Create Topic and provide the following information to create a new OCI notification topic:

    1. For Name, enter a unique name for the new topic.
    2. (Optional) For Description, provide a short description for the resource.
    3. (Optional) Choose Show advanced options and use Tag key and Tag value fields to add tags to organize your resource.
    4. Choose Create to deploy your new OCI notification topic.
  5. Click on the name (link) of the newly created topic, choose Create Subscription, and perform the following actions to create a new subscription for the selected topic:

    1. For Protocol, select the protocol that you want to use. As an example, this guide will use Email for the subscription protocol.
    2. For Email, provide a valid email address for receiving notification alerts.
    3. (Optional) Choose Show advanced options and use Tag key and Tag value fields to add tags to your subscription.
    4. Choose Create to add the new subscription to your OCI notification topic.
    5. The Notifications service sends a confirmation URL to the email address provided in step no. 2. To activate the new subscription, open the Oracle Cloud Infrastructure Notifications Service Subscription Confirmation email and click on the Confirm subscription link.
  6. Repeat steps no. 4 and 5 to create more OCI notification topics in the selected Oracle Cloud Infrastructure (OCI) compartment.

  7. Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run the ons topic create command (Windows/macOS/Linux) to create a new Oracle Cloud Infrastructure (OCI) notification topic in the selected OCI compartment:

    oci ons topic create \
      --name 'cc-project5-monit-topic' \
      --description 'Project5 OCI Notification Topic' \
      --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
      --query 'data."topic-id"'
    
  2. The command output should return the identifier (ID) of the new topic:

    "ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    
  3. Run the ons subscription create command (Windows/macOS/Linux) to create a new subscription for the specified OCI topic. As an example, the following command uses the EMAIL subscription protocol:

    oci ons subscription create \
      --protocol "EMAIL" \
      --subscription-endpoint 'user@domain.com' \
      --topic-id 'ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
      --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
      --query 'data."id"'
    
  4. The command output should return the identifier (ID) of the new subscription:

    "ocid1.onssubscription.oc1.ap-sydney-1.aaaabbbbabcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    
  5. The Notifications service sends a confirmation URL to the email address provided for the --subscription-endpoint parameter in step no. 3. To activate the new subscription, open the Oracle Cloud Infrastructure Notifications Service Subscription Confirmation email and click on the Confirm subscription link.

  6. Repeat steps no. 1 – 5 to create more OCI notification topics in the selected Oracle Cloud Infrastructure (OCI) compartment.

  7. Repeat steps no. 1 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Publication date Mar 26, 2025