OCI Security: cheatsheet

WAF

  • Protects against cross-site scripting, SQL injection, and malicious bots (bot management)
  • A request can be allowed through, answered with an error page because it was blocked, or recorded in the audit log
  • Actions: Log and allow, Detect only, Block, Redirect, Bypass, Show CAPTCHA
  • Conditions include country/region, URL path, IP address, and HTTP header

Vault

  • Dedicated Hardware [Virtual Private Vault]
  • Shared Hardware
  • Protection Mode
    • HSM [Hardware]
    • Software: keys are not kept inside the vault
  • Algorithm
    • AES
    • RSA
    • ECDSA
  • The master encryption key provides a data encryption key, which is used to encrypt the data
  • The master encryption key can be rotated without affecting already encrypted data
  • Vaults cannot be deleted immediately; deletion is scheduled with a grace period of 30 days
  • There are two endpoints, cryptographic and management
  • After rotation, a new version of the master key is created and the old version also remains

Security Zone

A security zone is associated with a compartment and a security zone recipe. OCI validates create and update operations on resources against the list of policies defined in the security zone recipe. If any security zone policy is violated, the operation is denied.

  • Resources can’t be moved from a security zone to a standard compartment because it might be less secure.
  • Data in a security zone can’t be copied to a standard compartment because it might be less secure.
  • All the required components for a resource in a security zone must also be located in a security zone. Resources that are not in a security zone might be vulnerable. For example, a compute instance (Compute) in a security zone can’t use a boot volume that is not in a security zone.
  • Resources in a security zone must not be accessible from the public internet.
  • Resources in a security zone must be encrypted using customer-managed keys.
  • Resources in a security zone must be regularly and automatically backed up.
  • Resources in a security zone must use only configurations and templates approved by Oracle.

Security Advisor

Available for

  • Secure Bucket
  • Secure File System
  • Secure Instance
  • Secure Block Volume

Cloud Guard

Cloud Guard examines your Oracle Cloud Infrastructure resources for security weaknesses related to configuration, and your operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take corrective actions, based on your configuration.

Its main components are

  • Target
  • Detector / Detector Recipe
  • Responder

Oracle recommends that you enable Cloud Guard in your tenancy. You can configure a Cloud Guard target to examine your entire tenancy (root compartment and all subcompartments), or you can configure targets to check only specific compartments.

Security Best Practices

Secure Your Database

Data Safe is a unified control center for Oracle cloud and on-premises databases. Use Data Safe to assess database and data security configuration, detect associated risk for user accounts, identify existing sensitive data, implement controls to protect data, and audit user activity.

  • Extend Data Safe audit retention policy to one year.
  • Mask data identified as sensitive by Data Discovery.
  • Use Security Assessment to identify recommended security controls by Center for Internet Security (CIS), General Data Protection Regulation (GDPR), and Department of Defense library of Security Technical Implementation Guides (STIG).
  • Set up alerts for key events in Data Safe Activity Auditing.

Securing Compute

  • Place the instance in a private subnet and access it through a Bastion host
  • Use Shielded Instances (configured when provisioning the instance) for boot-time security
  • To prevent inadvertent or malicious termination of critical instances (for example, production instances), Oracle recommends that you give INSTANCE_DELETE permission to a minimal set of groups. Give DELETE permissions only to tenancy and compartment admins.

Securing Object Storage

  • Bucket PAR to allow writes to a bucket
  • Object PAR for reading an object
  • Object PAR for writing an object
  • Object PAR to read or write an object
  • All data in Object Storage is encrypted at rest using AES-256. Encryption is on by default and cannot be turned off. Each object is encrypted with its own encryption key, and the object encryption keys are encrypted with a master encryption key.
  • Buckets are private by default

Securing Block Storage

  • The resource types in volume-family are volumes, volume-attachments, and volume-backups; the corresponding delete permissions are VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, and VOLUME_BACKUP_DELETE
  • By default, volumes and their backups are encrypted at rest using AES-256

General

  • Separate the internet-facing components from the back-end, not just using subnets and security lists, but by separating the compartments completely into their own Virtual Cloud Networks, linked by a Local Peering Gateway
  • Added Web Application Firewall to protect the load balancer, and ultimately the web application.
  • Made the Autonomous Database and Object Storage only available over private IP addresses.
  • Changed from using Oracle-managed keys to customer-managed encryption keys for all block, boot, and object storage.
  • You can enforce MFA for a resource in the access policy that allows access to the resource. For example, the following policy enforces MFA when users in GroupA manage resources that belong to the instance family in any compartment.
allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'

The following policy only allows users in the PolicyAdmins group to create policies, but not to edit or delete them.

Allow group PolicyAdmins to manage policies in tenancy where
      request.permission='POLICY_CREATE'
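As an added example (not from the cheatsheet or Oracle), the following Python models how the where-conditions in the two statements above gate a request: it covers only a simplified subset of the policy grammar, is not OCI's real policy engine, and the group names, permissions and requests are constructed for illustration.

```python
import re
from collections import namedtuple

# Simplified model of OCI IAM policy evaluation with "where" conditions.
# Added illustration only, not Oracle's policy engine. Handled grammar:
#   allow group <G> to <verb> <resource-type> in tenancy [where <var>='<value>' [and ...]]
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # higher verbs include lower ones

STMT_RE = re.compile(
    r"^allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)\s+in\s+tenancy"
    r"(?:\s+where\s+(.+))?$", re.IGNORECASE)
COND_RE = re.compile(r"^(\S+)\s*=\s*'([^']*)'$")

Statement = namedtuple("Statement", "group verb resource conditions")
# groups: caller's group names; verb: what the operation needs; permission: e.g. "POLICY_CREATE"
Request = namedtuple("Request", "groups verb resource permission mfa_verified")

def parse_statement(text):
    """Parse one policy statement; line breaks inside it are tolerated."""
    m = STMT_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    group, verb, resource, where = m.groups()
    conditions = {}
    for part in (re.split(r"\s+and\s+", where, flags=re.IGNORECASE) if where else []):
        cm = COND_RE.match(part.strip())
        if not cm:
            raise ValueError(f"unsupported condition: {part!r}")
        conditions[cm.group(1)] = cm.group(2)  # variable -> required value
    return Statement(group, verb.lower(), resource, conditions)

def is_allowed(statements, req):
    """OCI policies are allow-only: deny unless some statement fully matches."""
    ctx = {"request.user.mfaTotpVerified": "true" if req.mfa_verified else "false",
           "request.permission": req.permission}
    for s in statements:
        if s.group not in req.groups or s.resource != req.resource:
            continue
        if VERB_RANK[s.verb] < VERB_RANK[req.verb]:
            continue  # statement grants a weaker verb than the operation needs
        if all(ctx.get(var) == val for var, val in s.conditions.items()):
            return True
    return False

# The two statements quoted on the page, ready to evaluate against constructed requests.
POLICIES = [parse_statement(
    "allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'"),
    parse_statement("Allow group PolicyAdmins to manage policies in tenancy where\n"
                    "      request.permission='POLICY_CREATE'")]
```

A GroupA member without a verified TOTP session is denied even though the group has manage rights, and a PolicyAdmins member attempting POLICY_DELETE is denied because only POLICY_CREATE satisfies the condition.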
