Prerequisites
Perform these tasks before you enable Oracle Cloud Guard.
Cloud Guard is not available for free Oracle Cloud Infrastructure tenancies. Before you attempt to enable Cloud Guard, ensure that:
- You have a paid tenancy.
- Your tenancy account type is one of these:
  - default_dbaas
  - enterprise_dbaas
  - enterprise
Creating the Cloud Guard User Group
To allow users to work with Cloud Guard, create a user group with administrator privileges.
Cloud Guard exposes security information for the whole tenancy, so restrict membership of this group to the people who need it.
What's Next
Add Cloud Guard users to the group you created.
If you plan to use an identity provider (IdP), such as Oracle Identity Cloud Service, for federated authentication of users, you must map the Identity Provider Group to the OCI IAM Group you created. See Managing Oracle Identity Cloud Service Users in the Console for steps to follow for Oracle Identity Cloud Service.
Policy Statements for Users
Add a policy statement that enables the Cloud Guard users group you defined to manage Cloud Guard resources.
You can find all the policies required to enable Cloud Guard in the Oracle Cloud Infrastructure Identity and Access Management (IAM) Common Policies topic. On that page, search for "Cloud Guard" and expand the four lists that you find.
For detailed information on individual Cloud Guard policies, see Cloud Guard Policies.
To manage Cloud Guard resources, add the following policy statement to enable all users in the CloudGuardUsers group. Substitute the name you assigned to the group, if you did not name it CloudGuardUsers.
allow group CloudGuardUsers to manage cloud-guard-family in tenancy
With this policy in place, users that you add to the Cloud Guard users group are now ready to proceed with Enabling Cloud Guard.
If for some reason you choose not to add the exact policy statement above, you must add the following policy statement as a minimum requirement to allow users to access Cloud Guard. On its own it only lets users open the Cloud Guard console; to see or change data they also need read, use, or manage on the individual resource types described later in this topic:
allow group CloudGuardUsers to use cloud-guard-config in tenancy
Based on typical security functions that might exist in an organization, Cloud Guard supports the following administrator roles. Each role has corresponding IAM resource names, and policies that you can use to control access to Cloud Guard functions.
Administrator Role | Cloud Guard Functions | IAM Permissions Resources | Accessible Functions
---|---|---|---
Service Owner (Root or Super Admin) | | cloud-guard-family | Manage cloud-guard-family in tenancy
Security Architect (Security Analyst) | | cloud-guard-detectors, cloud-guard-targets, cloud-guard-detector-recipes, cloud-guard-responder-recipes, cloud-guard-managed-lists, cloud-guard-problems, cloud-guard-risk-scores, cloud-guard-security-scores | Manage/Inspect/Read* these resources in tenancy/compartment
Security Operations Admin | | cloud-guard-problems | Manage/Inspect/Read* Cloud Guard problems
* Read vs. Inspect: Read allows viewing details of problems that are listed; Inspect only allows viewing the problems list. Read is a superset of Inspect.
Ensure that only the root administrator can delete targets.
The use cases in the following table provide examples of administrator roles and the IAM policies you could configure to support them. In the Permissions column, Yes or No states whether the group is authorized for that function.
Use Case | Minimum Required Policies | Allowed and Disallowed Functions | Permissions (Auth.)
---|---|---|---
Read-only access to Cloud Guard data and configuration for all compartments | Admin can create a special group like cgreadgroup, add users to this group, and then add these policies: | Allowed: read the Overview, Problems, Detectors, Targets, and Responder Activity pages. Disallowed: edit or clone detector recipes, create targets, delete recipes from targets, and create managed lists. | Overview Page - Read: Yes; Problems - Read: Yes; Problems - Manage: No; Problems - Remediate: No; Targets - Read: Yes; Targets - Manage: No; Detector Recipes/Rules - Read: Yes; Detector Recipes/Rules - Manage: No; Responder Activity - Read: Yes
Read-only access to Cloud Guard data and configuration for one compartment | Admin can create a special group like cggroupcomptonly, add users to this group, then add these policies ('OCIDemo' is the name of the compartment here): | Allowed: read data only for the specified compartment, on the Overview, Problems, Detectors, and Targets pages. Disallowed: read those pages showing data for other compartments. | Overview Page - Read: Yes; Problems - Read: Yes; Problems - Manage: No; Problems - Remediate: No; Targets - Read: Yes; Targets - Manage: No; Detector Recipes/Rules - Read: Yes; Detector Recipes/Rules - Manage: No; Responder Activity - Read: Yes
Read-only access to Cloud Guard detector recipes | Admin can create a special group like cgreaddetrecipes, add users to this group, then add these policies: | Allowed: read pages for detector recipes and rules. Disallowed: clone or delete recipes, manage rules for a recipe, or view pages outside of Detectors and Responders. | Overview Page - Read: No; Problems - Read: No; Problems - Manage: No; Problems - Remediate: No; Targets - Read: No; Targets - Manage: No; Detector Recipes/Rules - Read: Yes; Detector Recipes/Rules - Manage: No; Responder Activity - Read: No
Read-only access to Cloud Guard problems, excluding Security Score and Risk Score | Admin can create a special group like cgreadproblems, add users to this group, then add these policies: | Allowed on the Overview page: view Problems Snapshot, Problems Grouped by..., User Activity Problems, and New Problems Trendline. Disallowed on the Overview page: Security Score and Risk Score. Access to all other pages is also disallowed. | Overview Page - Read: Yes (limited to Problems Snapshot, Problems Grouped by..., User Activity Problems, and New Problems Trendline); Problems - Read: No; Problems - Manage: No; Problems - Remediate: No; Targets - Read: No; Targets - Manage: No; Detector Recipes/Rules - Read: No; Detector Recipes/Rules - Manage: No; Responder Activity - Read: No
Read-only access to Cloud Guard problems, including Security Score and Risk Score | Admin can create a special group of users as in the preceding row, with the policies detailed there, then add these policies: | Allowed on the Overview page: view Security Score, Risk Score, Problems Snapshot, Problems Grouped by..., User Activity Problems, and New Problems Trendline. Access to the remaining Overview panels and to all other pages is disallowed. | Overview Page - Read: Yes (limited to Security Score, Risk Score, Problems Snapshot, Problems Grouped by..., User Activity Problems, and New Problems Trendline); Problems - Read: No; Problems - Manage: No; Problems - Remediate: No; Targets - Read: No; Targets - Manage: No; Detector Recipes/Rules - Read: No; Detector Recipes/Rules - Manage: No; Responder Activity - Read: No
The following table summarizes the Cloud Guard permissions that are available. Note the Required Scope column: a handful of resource types are tenancy-scoped, so granting them in a compartment does not unlock the corresponding console panels.
Permission | Purpose | Required Scope | Notes
---|---|---|---
cloud-guard-family | Collects all the permissions that exist for Cloud Guard into a single permission. Using any of the verbs with cloud-guard-family applies that verb to every individual resource type listed below. | tenancy or compartment | Common permission name for all the permissions.
cloud-guard-detectors | No longer needed. Static data is available without authorization. | NA | Not used from the console.
cloud-guard-targets | Required to view and manage target data for the compartment or tenancy. Recommended: scope this permission to a compartment so that users can perform operations only within that compartment. | tenancy or compartment | The data is used on the Targets page and also to populate the drop-down field used to filter the Problems page.
cloud-guard-config | Required to view the Cloud Guard configuration for the tenancy. Without this permission, users can't view the Overview and other Cloud Guard pages; they are redirected to the Cloud Guard Enable page. | tenancy | This data is used to identify the Cloud Guard status and reporting region details. All subsequent calls from the console are redirected to the reporting region for CRUDL operations. The configured reporting region is displayed on the Settings page.
cloud-guard-managed-lists | Required to view and manage managed list data for the compartment or tenancy. | tenancy or compartment | The data is used on the Managed Lists page and also to populate the values that associate a managed list with conditional groups or settings in targets, detector recipes, or responder recipes.
cloud-guard-problems | Required to view and perform actions on problems that exist in the compartment or tenancy. If the intent is to view problem details, the read verb is required; inspect only allows viewing the problems list. | tenancy or compartment | The data is used on the Problems page, and also on the Overview page to populate the Problems Snapshot, Problems Grouped by..., User Activity Problems, and New Problems Trendline panels. The Overview page minimally requires the
cloud-guard-detector-recipes | Required to view and manage detector recipe data for the compartment or tenancy. If users need to clone Oracle-managed recipes, which exist in the root compartment, the permission must also cover the root compartment. | tenancy or compartment | The data is used on the Detector Recipes page and also to populate the selection list used when attaching a detector recipe to a target.
cloud-guard-responder-recipes | Required to view and manage responder recipe data for the compartment or tenancy. If users need to clone Oracle-managed recipes, which exist in the root compartment, the permission must also cover the root compartment. | tenancy or compartment | The data is used on the Responder Recipes page and also to populate the selection list used when attaching a responder recipe to a target.
cloud-guard-responder-executions | Required to view and manage responder activity data for the compartment or tenancy. | tenancy or compartment | The data is used on the Responder Activity page.
cloud-guard-recommendations | Required to view recommendations that improve the risk score and security score associated with the tenancy. | tenancy or compartment | This data is visible on the Overview page in the Security Recommendations panel.
cloud-guard-user-preferences | Required to manage user preferences for the Cloud Guard console. Currently used to manage the status of the guided tour for the logged-in user; saving the preference skips the prompt to complete the guided tour in subsequent logins. | tenancy | This data is visible in the Guided Tour section of the Settings page.
cloud-guard-risk-scores | Required to view risk score data for the tenancy. Without this permission, users can't view the risk score associated with the tenancy. | tenancy | This data is visible on the Overview page in the Risk Score panel.
cloud-guard-security-scores | Required to view the security score rating for the tenancy. Without this permission, users can't view the security score associated with the tenancy. | tenancy | This data is visible on the Overview page, in the Security Score Rating and Security Score Trendline panels.