Prerequisites

Perform these tasks before you enable Oracle Cloud Guard.

Note

Cloud Guard is not available for free Oracle Cloud Infrastructure tenancies. Before you attempt to enable Cloud Guard, ensure that:
  • You have a paid tenancy.
  • Your tenancy account type is one of these:
    • default_dbaas
    • enterprise_dbaas
    • enterprise

Creating the Cloud Guard User Group

To allow users to work with Cloud Guard, create a dedicated user group and grant it administrator privileges for Cloud Guard through the IAM policy described under Policy Statements for Users.

Cloud Guard handles security information for the whole tenancy, so membership of this group should be limited to a restricted audience.

  1. Log in to the Oracle Cloud Infrastructure console as a tenancy administrator.
  2. Open the navigation menu and click Identity & Security. Under Identity, click Groups.
  3. Click Create Group.
  4. Fill in the required fields and then click Create.
    Provide a name that clearly identifies the group, such as CloudGuardUsers. Avoid entering confidential information.

What's Next

Add Cloud Guard users to the group you created.

If you plan to use an identity provider (IdP), such as Oracle Identity Cloud Service, for federated authentication of users, you must map the Identity Provider Group to the OCI IAM Group you created. See Managing Oracle Identity Cloud Service Users in the Console for steps to follow for Oracle Identity Cloud Service.

Policy Statements for Users

Add a policy statement that enables the Cloud Guard users group you defined to manage Cloud Guard resources.

Note

You can find all the policies required to enable Cloud Guard in the Oracle Cloud Infrastructure Identity and Access Management (IAM) Common Policies topic. On that page, search for "Cloud Guard" and expand the four lists that you find.

For detailed information on individual Cloud Guard policies, see Cloud Guard Policies.

To manage Cloud Guard resources, add the following policy statement, which enables all users in the CloudGuardUsers group. If you gave the group a different name, substitute it for CloudGuardUsers.

allow group CloudGuardUsers to manage cloud-guard-family in tenancy

With this policy in place, users that you add to the Cloud Guard users group are now ready to proceed with Enabling Cloud Guard.

Note

If for some reason you choose not to add the exact policy statement above, you must add the following policy statement as a minimum requirement to allow users to access Cloud Guard:

allow group CloudGuardUsers to use cloud-guard-config in tenancy

As described in the Cloud Guard Permissions Reference later on this page, the use and manage meta-verbs on cloud-guard-config also cover enabling and disabling Cloud Guard, while inspect is enough to view the enablement status and reporting region. Grant use only to users who need that capability.

Permissions and Corresponding IAM Policies

Based on typical security functions that might exist in an organization, Cloud Guard supports the following administrator roles. Each role has corresponding IAM resource names, and policies that you can use to control access to Cloud Guard functions.

Administrator Role: Service Owner (Root or Super Admin)
  Cloud Guard functions:
    • Enable Cloud Guard
    • Create IAM groups and policies
  IAM permission resources: cloud-guard-family
  Accessible functions: manage cloud-guard-family in tenancy

Administrator Role: Security Architect (Security Analyst)
  Cloud Guard functions:
    • Clone detector recipes
    • Manage detectors
    • Assign detector recipes to targets
    • Read or manage problems, problem scores, and other metrics
  IAM permission resources:
    • cloud-guard-detectors
    • cloud-guard-targets
    • cloud-guard-detector-recipes
    • cloud-guard-responder-recipes
    • cloud-guard-managed-lists
    • cloud-guard-problems
    • cloud-guard-risk-scores
    • cloud-guard-security-scores
  Accessible functions: manage, inspect, or read* these resources in tenancy or compartment

Administrator Role: Security Operations Admin
  Cloud Guard functions:
    • Manage, inspect, or read* Cloud Guard problems
  IAM permission resources: cloud-guard-problems
  Accessible functions: manage, inspect, or read* Cloud Guard problems

* Read vs. Inspect: Read allows viewing details of problems that are listed; Inspect only allows viewing the problems list. Read is a superset of Inspect.

Caution

Ensure that only the root administrator can delete targets.

Sample Policy Use Cases

The following use cases give examples of administrator roles and the IAM policies you could configure to support them. For each use case, the minimum required policies, the allowed and disallowed functions, and the permissions authorized are listed.

Use case: Read-only access to Cloud Guard data and configuration for all compartments
  Minimum required policies: Admin can create a special group like cgreadgroup, add users to this group, and then add these policies:
    • allow group cgreadgroup to read cloud-guard-family in tenancy
    • allow group cgreadgroup to read compartments in tenancy
  Allowed: read the Overview, Problems, Detectors, Targets, and Responder Activity pages.
  Disallowed: edit or clone detector recipes, create targets, delete recipes from targets, or create managed lists.
  Permissions authorized:
    Overview Page - Read: Yes
    Problems - Read: Yes
    Problems - Manage: No
    Problems - Remediate: No
    Targets - Read: Yes
    Targets - Manage: No
    Detector Recipes and Rules - Read: Yes
    Detector Recipes and Rules - Manage: No
    Responder Activity - Read: Yes

Use case: Read-only access to Cloud Guard data and configuration for one compartment
  Minimum required policies: Admin can create a special group like cggroupcomptonly, add users to this group, and then add these policies ('OCIDemo' is the name of the compartment here):
    • allow group cggroupcomptonly to read compartments in tenancy where target.compartment.name = 'OCIDemo'
    • allow group cggroupcomptonly to read cloud-guard-family in compartment OCIDemo
    • allow group cggroupcomptonly to inspect cloud-guard-config in tenancy
  Allowed: read data only for the specified compartment, on the Overview, Problems, Detectors, and Targets pages.
  Disallowed: read data for other compartments on those pages.
  Permissions authorized:
    Overview Page - Read: Yes
    Problems - Read: Yes
    Problems - Manage: No
    Problems - Remediate: No
    Targets - Read: Yes
    Targets - Manage: No
    Detector Recipes and Rules - Read: Yes
    Detector Recipes and Rules - Manage: No
    Responder Activity - Read: Yes

Use case: Read-only access to Cloud Guard detector recipes
  Minimum required policies: Admin can create a special group like cgreaddetrecipes, add users to this group, and then add these policies:
    • allow group cgreaddetrecipes to read cloud-guard-detector-recipes in tenancy
    • allow group cgreaddetrecipes to read compartments in tenancy
    • allow group cgreaddetrecipes to inspect cloud-guard-config in tenancy
  Allowed: read the pages for detector recipes and rules.
  Disallowed: clone or delete recipes, manage rules for a recipe, or view pages outside of Detectors and Responders.
  Permissions authorized:
    Overview Page - Read: No
    Problems - Read: No
    Problems - Manage: No
    Problems - Remediate: No
    Targets - Read: No
    Targets - Manage: No
    Detector Recipes and Rules - Read: Yes
    Detector Recipes and Rules - Manage: No
    Responder Activity - Read: No

Use case: Read-only access to Cloud Guard problems, excluding Security Score and Risk Score
  Minimum required policies: Admin can create a special group like cgreadproblems, add users to this group, and then add these policies:
    • allow group cgreadproblems to read cloud-guard-problems in tenancy
    • allow group cgreadproblems to read compartments in tenancy
    • allow group cgreadproblems to inspect cloud-guard-config in tenancy
  Allowed: on the Overview page, view:
    • Problems Snapshot
    • Problems Grouped by...
    • User Activity Problems
    • New Problems Trendline
  Disallowed: on the Overview page, access to:
    • Security Score
    • Risk Score
    • Security Recommendations
    • Responder Status
    • Security Score Trendline
    • Remediation Trendline
  Access to all other pages is also disallowed.
  Permissions authorized:
    Overview Page - Read: Yes (limited to Problems Snapshot, Problems Grouped by..., User Activity Problems, and New Problems Trendline)
    Problems - Read: No
    Problems - Manage: No
    Problems - Remediate: No
    Targets - Read: No
    Targets - Manage: No
    Detector Recipes and Rules - Read: No
    Detector Recipes and Rules - Manage: No
    Responder Activity - Read: No

Use case: Read-only access to Cloud Guard problems, including Security Score and Risk Score
  Minimum required policies: Admin can create a group as in the preceding use case, with the policies listed there, and then add these policies:
    • allow group cgreadproblems to inspect cloud-guard-risk-scores in tenancy
    • allow group cgreadproblems to inspect cloud-guard-security-scores in tenancy
  Allowed: on the Overview page, view:
    • Security Score
    • Risk Score
    • Problems Snapshot
    • Problems Grouped by...
    • User Activity Problems
    • New Problems Trendline
  Disallowed: on the Overview page, access to:
    • Security Recommendations
    • Responder Status
    • Security Score Trendline
    • Remediation Trendline
  Access to all other pages is also disallowed.
  Permissions authorized:
    Overview Page - Read: Yes (limited to Security Score, Risk Score, Problems Snapshot, Problems Grouped by..., User Activity Problems, and New Problems Trendline)
    Problems - Read: No
    Problems - Manage: No
    Problems - Remediate: No
    Targets - Read: No
    Targets - Manage: No
    Detector Recipes and Rules - Read: No
    Detector Recipes and Rules - Manage: No
    Responder Activity - Read: No

Cloud Guard Permissions Reference

The following reference summarizes the Cloud Guard permissions that are available. For each permission it gives the purpose (including which meta-verb each function needs), the scope at which the permission must be granted, and notes on where the console uses the data.

Permission: cloud-guard-family
  Purpose: Collects all the permissions that exist for Cloud Guard into a single permission. Using any of the meta-verbs inspect, read, use, or manage on it grants the same meta-verb on every other Cloud Guard permission. Use this permission with caution.
  Required scope: tenancy or compartment
  Notes: Common (aggregate) permission name for all the Cloud Guard permissions.

Permission: cloud-guard-detectors
  Purpose: No longer needed. Static detector data is available without authorization.
  Required scope: NA
  Notes: Not used by the console.

Permission: cloud-guard-targets
  Purpose: Required to view and manage target data for the compartment or tenancy.
    • The inspect meta-verb is the minimum needed to populate the selection list for filtering problems. It can be scoped to the tenancy or to one or more compartments.
    • The read meta-verb grants the privilege to view the target configuration.
    • The use meta-verb is required to update a previously created target.
    • The manage meta-verb is required to manage the lifecycle of a target.
  Recommended: scope this permission to a compartment so that users can perform operations only within that compartment.
  Required scope: tenancy or compartment
  Notes: The data is used on the Targets page and to populate the drop-down field that filters the Problems page.

Permission: cloud-guard-config
  Purpose: Required to view the Cloud Guard configuration for the tenancy. Without this permission, users can't view the Overview and other Cloud Guard pages; they are redirected to the Cloud Guard Enable page.
    • The inspect meta-verb allows viewing the Cloud Guard enablement status and the configured reporting region.
    • The use or manage meta-verbs should be restricted to users who need to enable or disable Cloud Guard.
  Required scope: tenancy
  Notes: This data identifies the Cloud Guard status and the reporting region. All subsequent calls from the console are directed to the reporting region for CRUDL operations. The configured reporting region is displayed on the Settings page.

Permission: cloud-guard-managed-lists
  Purpose: Required to view and manage managed list data for the compartment or tenancy.
    • The inspect meta-verb is required at tenancy scope if users need to clone the Oracle-managed lists that exist in the root compartment.
    • The read meta-verb is required to view a managed list's configuration and to associate the managed list with a conditional group, or with settings in a target, detector recipe, or responder recipe. If the managed list exists at tenancy scope, scope the policy to the tenancy; if it exists in a compartment, scope the policy to that compartment.
    • The use meta-verb adds, on top of read, the ability to modify an existing managed list to which the user already has read access.
    • The manage meta-verb is required to create a new managed list and to manage the lifecycle of customer-created managed lists.
  Required scope: tenancy or compartment
  Notes: The data is used on the Managed Lists page and to populate the values when associating a managed list with conditional groups or with settings in targets, detector recipes, or responder recipes.

Permission: cloud-guard-problems
  Purpose: Required to view and act on problems in the compartment or tenancy.
    • The inspect meta-verb is required to display data on the Overview page and to list problems on the Problems page. Scoped to the tenancy, it makes the problems identified for all compartments visible; scoped to a compartment, it restricts access to that compartment's problems.
    • The read meta-verb is required to view problem details.
    • The use or manage meta-verbs are required to take actions on single or multiple problems, such as "Mark as Resolved," "Dismiss," or "Remediate."
  Required scope: tenancy or compartment
  Notes: The data is used on the Problems page and on the Overview page to populate these panels:
    • Problems Snapshot
    • User Activity Problems
    • Problems Grouped by...
    • New Problems Trendline
  The Overview page requires at least the inspect meta-verb to display these panels.

Permission: cloud-guard-detector-recipes
  Purpose: Required to view and manage detector recipe data for the compartment or tenancy.
    • The inspect meta-verb is required at tenancy scope if users need to clone the Oracle-managed recipes that exist in the root compartment.
    • The read meta-verb is required to view a recipe's configuration and to attach recipes to a target. If the recipes exist at tenancy scope, scope the policy to the tenancy; if they exist in a compartment, scope the policy to that compartment.
    • The use meta-verb adds the ability to modify conditional groups and other settings in existing recipes to which users already have read access.
    • The manage meta-verb is required to clone a recipe and to manage the lifecycle of cloned recipes.
  Required scope: tenancy or compartment
  Notes: The data is used on the Detector Recipes page and to populate the selection list used when attaching a detector recipe to a target.

Permission: cloud-guard-responder-recipes
  Purpose: Required to view and manage responder recipe data for the compartment or tenancy.
    • The inspect meta-verb is required at tenancy scope if users need to clone the Oracle-managed recipes that exist in the root compartment.
    • The read meta-verb is required to view a recipe's configuration and to attach a recipe to a target. If the recipes exist at tenancy scope, scope the policy to the tenancy; if they exist in a compartment, scope the policy to that compartment.
    • The use meta-verb adds the ability to modify conditional groups and other settings in existing recipes to which users already have read access.
    • The manage meta-verb is required to clone a recipe and to manage the lifecycle of cloned recipes.
  Required scope: tenancy or compartment
  Notes: The data is used on the Responder Recipes page and to populate the selection list used when attaching a responder recipe to a target.

Permission: cloud-guard-responder-executions
  Purpose: Required to view and manage responder activity data for the compartment or tenancy.
    • The inspect meta-verb is the minimum required to populate data on the Overview and Responder Activity pages.
    • The read meta-verb is required to view specific responder activity data; the console does not require it.
    • The use or manage meta-verbs are required to perform "Skip" or "Execute" on a specific responder activity, or to skip execution for multiple responder activities.
  Required scope: tenancy or compartment
  Notes:
    • inspect: the data populates the Responder Status panel and the Remediation Trendline on the Overview page, and the Responder Activity page.
    • read: not required by the console.
    • use or manage: required for skip and execute actions on a specific responder activity, and for a bulk skip of multiple responder activities.

Permission: cloud-guard-recommendations
  Purpose: Required to view the recommendations that improve the risk score and security score for the tenancy. The inspect meta-verb is the minimum requirement.
  Required scope: tenancy or compartment
  Notes: This data is visible on the Overview page in the Security Recommendations panel.

Permission: cloud-guard-user-preferences
  Purpose: Required to manage user preferences for the Cloud Guard console. Currently used to store the guided tour status for the logged-in user; saving the preference skips the prompt to complete the guided tour in subsequent logins. The inspect meta-verb is the minimum requirement to get the current user's preference; the use or manage meta-verb is required to persist it.
  Required scope: tenancy
  Notes: This data is visible in the Guided Tour section of the Settings page.

Permission: cloud-guard-risk-scores
  Purpose: Required to view risk score data for the tenancy. Without this permission, users can't view the risk score for the tenancy. The inspect meta-verb is the minimum requirement.
  Required scope: tenancy
  Notes: This data is visible on the Overview page in the Risk Score panel.

Permission: cloud-guard-security-scores
  Purpose: Required to view the security score rating for the tenancy. Without this permission, users can't view the security score for the tenancy. The inspect meta-verb is the minimum requirement.
  Required scope: tenancy
  Notes: This data is visible on the Overview page in the Security Score Rating panel and the Security Score Trendline.
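The sample policy use cases and this permissions reference together describe a small rule set: the four meta-verbs form a hierarchy (inspect, read, use, manage, each including the ones before it), a tenancy-scoped statement covers every compartment, cloud-guard-family stands in for every Cloud Guard resource type, some resource types must be scoped to the tenancy, cloud-guard-detectors is no longer needed, and a group with no inspect on cloud-guard-config at tenancy scope is sent to the Enable page. The following Python is an added example, not Oracle code and not part of the original page, that encodes those rules and checks what the read-only groups from the use cases (cgreadgroup, cggroupcomptonly, cgreaddetrecipes) are actually granted before the policies are created. Its assumptions: where conditions are parsed but ignored (so a conditional statement is treated as if unconditional), the compartments resource type is outside the model, and the compartment name Prod used in the demo is illustrative.

```python
"""Added example (not Oracle code): model Cloud Guard IAM statements and check
what each group is actually granted, using the verb and scope rules from the
permissions reference above.  `where` conditions are accepted but ignored."""
import re
from dataclasses import dataclass
from typing import Optional

# OCI IAM meta-verbs, weakest first; each verb includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]

# Resource types from the permissions reference and the scopes allowed for them.
TENANCY_ONLY = {"cloud-guard-config", "cloud-guard-user-preferences",
                "cloud-guard-risk-scores", "cloud-guard-security-scores"}
ANY_SCOPE = {"cloud-guard-family", "cloud-guard-targets", "cloud-guard-managed-lists",
             "cloud-guard-problems", "cloud-guard-detector-recipes",
             "cloud-guard-responder-recipes", "cloud-guard-responder-executions",
             "cloud-guard-recommendations"}
OBSOLETE = {"cloud-guard-detectors"}  # listed above as "no longer needed"

STATEMENT = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[\w-]+) in (?:tenancy|compartment (?P<compartment>\S+))"
    r"(?: where .+)?$"
)


@dataclass(frozen=True)
class Grant:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement is tenancy-scoped


def parse(statement):
    """Parse one 'allow group ... to <verb> <resource> in ...' statement."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    return Grant(m["group"], m["verb"], m["resource"], m["compartment"])


def grants(policies, group, verb, resource, compartment=None):
    """True if `group` holds at least `verb` on `resource` in `compartment`
    (None = tenancy scope).  A tenancy-scoped statement covers every
    compartment, and cloud-guard-family stands in for every resource type."""
    need = VERBS.index(verb)
    for g in map(parse, policies):
        if g.group != group or g.resource not in (resource, "cloud-guard-family"):
            continue
        in_scope = g.compartment is None or g.compartment == compartment
        if in_scope and VERBS.index(g.verb) >= need:
            return True
    return False


def lint(policies):
    """Flag statements the permissions reference warns about, in order."""
    findings, groups = [], set()
    for g in map(parse, policies):
        groups.add(g.group)
        if not g.resource.startswith("cloud-guard-"):
            continue  # e.g. 'read compartments': outside this model
        if g.resource in OBSOLETE:
            findings.append(f"{g.group}: {g.resource} is no longer needed")
        elif g.resource not in TENANCY_ONLY | ANY_SCOPE:
            findings.append(f"{g.group}: unknown resource type {g.resource}")
        elif g.compartment and g.resource in TENANCY_ONLY:
            findings.append(f"{g.group}: {g.resource} must be scoped to tenancy")
        if g.resource == "cloud-guard-family" and g.verb == "manage":
            findings.append(f"{g.group}: manage cloud-guard-family grants every Cloud Guard permission")
    for group in sorted(groups):
        # Without at least inspect on cloud-guard-config at tenancy scope, the
        # console sends the user to the Cloud Guard Enable page instead.
        if not grants(policies, group, "inspect", "cloud-guard-config"):
            findings.append(f"{group}: no inspect on cloud-guard-config in tenancy")
    return findings


# Statements copied from the sample use cases above for the three read-only groups.
SAMPLE_POLICIES = [
    "allow group cgreadgroup to read cloud-guard-family in tenancy",
    "allow group cgreadgroup to read compartments in tenancy",
    "allow group cggroupcomptonly to read compartments in tenancy where target.compartment.name = 'OCIDemo'",
    "allow group cggroupcomptonly to read cloud-guard-family in compartment OCIDemo",
    "allow group cggroupcomptonly to inspect cloud-guard-config in tenancy",
    "allow group cgreaddetrecipes to read cloud-guard-detector-recipes in tenancy",
    "allow group cgreaddetrecipes to read compartments in tenancy",
    "allow group cgreaddetrecipes to inspect cloud-guard-config in tenancy",
]

if __name__ == "__main__":
    # 'Prod' is an illustrative compartment name that the compartment-scoped group does not cover.
    for grp, cmp in (("cgreadgroup", "Prod"), ("cggroupcomptonly", "OCIDemo"), ("cggroupcomptonly", "Prod")):
        print(f"{grp} can read problems in {cmp}:", grants(SAMPLE_POLICIES, grp, "read", "cloud-guard-problems", cmp))
    print("lint findings:", lint(SAMPLE_POLICIES) or "none")
```

Run it with python3 to see the checks against the sample groups, or pass your own statement list to grants() and lint() before creating a policy. Because where conditions are ignored, the model reports an upper bound on what a conditional statement grants; a tenancy-scoped statement that passes lint() can still be broader than intended, which is why the reference recommends compartment scope for cloud-guard-targets.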