We’re happy to announce the Center for Internet Security (CIS) has updated its Oracle Cloud Infrastructure (OCI) Foundations Benchmark, a set of step-by-step security configuration best practices for Oracle Cloud.
CIS has published version 1.1 with more settings and Oracle Cloud services to secure your Oracle Cloud tenancy.
What’s new?
CIS has updated its OCI Foundations Benchmark to include new security guidance on the following services:
- Identity and Access Management (IAM)
- Cloud Guard
- Object Storage
- Asset Management
- Virtual Cloud Network (VCN) Flow Logs
The following sections provide more detail into the benchmark’s security guidance.
Identity and Access Management
The OCI Foundations Benchmark IAM section has been updated to reflect CIS’s current password policy guidance. This guidance recommends that passwords be at least 14 characters in length. Password complexity requirements (upper case, lower case, and symbols) and password expiration requirements have been removed: the CIS community has found that complexity and expiration requirements have not significantly contributed to the security of passwords. CIS’s guidance mirrors NIST’s guidance on passwords.
The OCI Foundations Benchmark continues to recommend that tenancy administrators use MFA for authentication. Tenancy administrators should view the current IAM benchmarks on passwords as a baseline, not a maximum-security setting. Environments that want to mandate the use of symbols or password expiration in their password policy can add these requirements to their IAM settings as their organization’s policies dictate.
Cloud Guard
The CIS OCI Foundations Benchmark now recommends turning on Cloud Guard for all tenancies.
Cloud Guard is a service that helps you monitor, identify and remediate security configuration issues within your Oracle Cloud tenancy. The Benchmark shows you how to activate Cloud Guard and enable the Oracle-recommended detector policies that monitor various security configurations within an Oracle Cloud tenancy.
The benchmark also shows users how to use Cloud Guard to audit their OCI tenancy for compliance with the following OCI Foundations Benchmark sections and settings:
- IAM
  - IAM password policy requires a minimum length of 14 or greater.
  - MFA is enabled for all users with a console password.
  - User API keys rotate within 90 days or less.
- Networking
  - No security lists allow ingress from 0.0.0.0/0 to port 22.
  - No security lists allow ingress from 0.0.0.0/0 to port 3389.
  - No network security groups allow ingress from 0.0.0.0/0 to port 22.
  - No network security groups allow ingress from 0.0.0.0/0 to port 3389.
- Object Storage
  - No Object Storage buckets are publicly visible.
  - Object Storage buckets are encrypted with a customer-managed key (CMK).
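As an added example (not part of the CIS benchmark or of this post), the following Python script applies the Cloud Guard-style checks listed above to constructed sample data: Internet-exposed admin ports in security-list ingress rules, public or non-CMK buckets, and API keys older than 90 days. The record layouts and field names are assumptions loosely modelled on OCI's API shapes, not objects from the OCI SDK.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, loosely modelled on OCI security-list ingress
# rules, bucket summaries and API-key records (field names are assumptions).
SECURITY_LISTS = [
    {"display_name": "web-sl", "ingress_security_rules": [
        {"source": "0.0.0.0/0", "protocol": "6",          # "6" = TCP in OCI
         "tcp_options": {"destination_port_range": {"min": 443, "max": 443}}},
        {"source": "0.0.0.0/0", "protocol": "6",
         "tcp_options": {"destination_port_range": {"min": 22, "max": 22}}},
    ]},
    {"display_name": "mgmt-sl", "ingress_security_rules": [
        {"source": "10.0.0.0/8", "protocol": "all"},
        {"source": "0.0.0.0/0", "protocol": "all"},      # every port, incl. 3389
    ]},
]
BUCKETS = [
    {"name": "logs", "public_access_type": "NoPublicAccess", "kms_key_id": "ocid1.key.EXAMPLE"},
    {"name": "assets", "public_access_type": "ObjectRead", "kms_key_id": None},
]
API_KEYS = [
    {"user": "alice", "time_created": datetime(2020, 1, 1, tzinfo=timezone.utc)},
    {"user": "bob", "time_created": datetime(2020, 11, 1, tzinfo=timezone.utc)},
]
NOW = datetime(2020, 12, 1, tzinfo=timezone.utc)   # fixed "now" for the sample
ADMIN_PORTS = {22, 3389}

def open_admin_ports(rule):
    """Admin ports (22/3389) a rule exposes to the whole Internet, if any."""
    if rule.get("source") != "0.0.0.0/0" or rule.get("protocol") not in ("6", "all"):
        return set()
    rng = (rule.get("tcp_options") or {}).get("destination_port_range")
    if rng is None:                       # no range given: every TCP port is open
        return set(ADMIN_PORTS)
    return {p for p in ADMIN_PORTS if rng["min"] <= p <= rng["max"]}

def run_audit(now=NOW, max_key_age_days=90):
    """Apply the three groups of checks and return the findings per group."""
    network = [(sl["display_name"], port)
               for sl in SECURITY_LISTS
               for rule in sl["ingress_security_rules"]
               for port in sorted(open_admin_ports(rule))]
    storage = ([(b["name"], "public") for b in BUCKETS
                if b["public_access_type"] != "NoPublicAccess"]
               + [(b["name"], "no-cmk") for b in BUCKETS if not b.get("kms_key_id")])
    cutoff = now - timedelta(days=max_key_age_days)   # keys must rotate within 90 days
    api_keys = [k["user"] for k in API_KEYS if k["time_created"] < cutoff]
    return {"network": network, "storage": storage, "api_keys": api_keys}
```

Calling run_audit() on the sample data flags port 22 on both security lists and port 3389 on the one with an all-ports rule, the public bucket that also lacks a CMK, and the one API key older than 90 days.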
Object Storage
The Foundations Benchmark has added a section on Object Storage. Specifically, the Benchmark now has the following recommendations:
- No Object Storage buckets are publicly visible.
- Object Storage buckets are encrypted with CMKs.
Object Storage buckets are private by default; however, you can change this setting and create a public bucket. Likewise, buckets are encrypted with Oracle-managed keys by default, but you can encrypt them with CMKs instead.
The benchmark now recommends that Object Storage buckets are not publicly visible and outlines how to verify whether they’re public using the console, the CLI, or Cloud Guard. It also recommends that users encrypt their buckets with a CMK.
Asset Management
The Foundations Benchmark has also added a section on Asset Management. Oracle Cloud assets, or resources, are managed with compartments. Compartments allow administrators to segment Oracle Cloud resources so that users have right-sized permissions to access only the resources they need.
The Asset Management section now has the following recommendations:
- Create at least one compartment in your tenancy to store cloud resources.
- No resources are created in the root compartment.
VCN Flow Logs
With the general availability of VCN flow logs, you can now activate and retain your flow logs. Flow logs are an important part of compliance frameworks because of the need to retain and analyze network traffic going to and from your cloud tenancy.
The Foundations Benchmark now recommends that all tenancies activate VCN flow logging for all subnets. The benchmark includes instructions on how to activate VCN flow logging from both the console and the CLI.
Want to know more?
Ready to learn more about the CIS Oracle Cloud Infrastructure Foundations Benchmark? Explore the Benchmark now!