What's new in the CIS v1.2 benchmark for OCI
Our analysis of the latest CIS OCI recommendations.
The Center for Internet Security (CIS) just released an updated version (v1.2) of their CIS Oracle Cloud Infrastructure (OCI) Benchmark. The new version of the benchmark includes updated security guidance for services such as IAM, Networking, and Storage. We’ll review the new recommendations here.
Our take on the new recommendations
The common theme is aligning common controls from other Cloud Service Provider (CSP) benchmarks (AWS, Azure, etc):
1.5 Ensure IAM password policy expires passwords within 365 days - Setting passwords to expire after 365 days through IAM password policies will at least automatically enforce password rotation and expiration. However most organizations we see will enforce <90 days for their duration.
1.6 Ensure IAM password policy prevents password reuse - Common guidance across other CIS benchmarks, this control helps prevent potential security breaches and limits opportunities for malicious actors to compromise user accounts.
1.13 Ensure Dynamic Groups are used for OCI instances, OCI Cloud Databases and OCI Function to access OCI resources - Dynamic Groups are one way to grant appropriate IAM policies. While other benchmarks make similar recommendations too, in practice we see users set policies by roles or inline if they have appropriate controls and processes to manage at scale.
1.14 Ensure storage service-level admins cannot delete resources they manage - To prevent unintended or unauthorized deletion of storage resources, a handy solution is to configure OCI IAM policies that grant OCI groups permissions to manage storage-related services without granting them the ability to delete those storage resources. With any preventative control, you take the penalty of the UX; you need a process to grant exceptions in a timely manner.
All new controls are based on least privilege principles, and check that access is restricted to specific scopes:
2.6 Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources - OIC instances (not to be confused with OCI!) are created within a secure private network managed by Oracle; they have public endpoints. Protect your OIC instances from unauthorized network access by configuring ingress filtering of network traffic and limiting access to your approved corporate IP addresses or Virtual Cloud Networks (VCN).
2.7 Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network - For a secure deployment, it is best to create new Oracle Analytics Cloud (OAC) instances within a VCN and configure Access Control Rules to restrict access to corporate IP addresses or existing VCNs for already deployed OAC instances.
2.8 Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network - Most databases aren't meant to be accessible to the public. As a rule, assume your workloads are internal and make exceptions when public access is required.
Storage services are elevated to their own section called "Storage," which offers guidance on utilizing Object Storage, Block Volumes, and File Storage Services:
- 4.1.2 Ensure Object Storage Buckets are encrypted with a Customer Managed Key,
- 4.2.1 Ensure Block Volumes are encrypted with Customer Managed Keys (CMK),
- 4.2.2 Ensure Boot Volumes are encrypted with Customer Managed Key (CMK),
- 4.3.1 Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK)
All are similar recommendations to encrypt with CMKs vs Oracle Managed Keys. CMKs provide greater control than OCI-managed encryption keys; they enable you to isolate encryption per resource. However, managing CMKs can be a lot of overhead if it is not required by your organizational Cryptography or Encryption policy. Using Oracle Managed Keys may suffice for your organization and would be easier to manage at scale.
- 4.1.3 Ensure Versioning is Enabled for Object Storage Buckets - Enabling versioning for Object Storage buckets adds an extra layer of integrity to your objects. It enables you to handle accidental deletions by restoring prior revisions. While a good practice, the additional storage can cost more. So you should evaluate the tradeoff.
Try the new OCI CIS v1.2 controls!
The Steampipe OCI Compliance mod is packed with over 80 controls and benchmarks that check your accounts for compliance with CIS v1.1 and CIS v1.2. If you're new to Steampipe, download Steampipe, install and configure the AWS plugin, and run these commands.
git clone https://github.com/turbot/steampipe-mod-oci-compliancecd steampipe-mod-oci-compliancesteampipe check oci_compliance.benchmark.cis_v120
If you've already installed Steampipe and the OCI plugin, and cloned the OCI Compliance mod, then you can just pull the latest changes.
cd steampipe-mod-oci-compliancegit pullsteampipe check oci_compliance.benchmark.cis_v120
Here's a sample report in the console.
You can output results to formats including JSON, CSV, HTML, and ASFF, or use custom output templates to create new output formats.
To view the OCI CIS v1.2 benchmark in your browser, run this command in the same cloned repo.
http://localhost:9194 in your browser and view the dashboard.
We love open source!
Steampipe delivers a full suite of tools to build, execute and share cloud configuration, compliance, and security frameworks using HCL + SQL! We would love your help to expand the open source documentation and control coverage for CIS, PCI, HIPAA, NIST, and more. The best way to get started is to join our Slack community; we would love to talk to you!