Practices for Lesson: Cloud

Security Posture
Management
Practice: Explore Cloud Guard Components

Tasks
1. Sign in to the Oracle Cloud account.
Note: This practice may not work on the OU account. Please use a 30-days free trial Oracle
cloud account if needed.

2. Cloud Guard is enabled in your tenancy. You will make your compartment a target and look
into the features of Cloud Guard.

3. To navigate to Cloud Guard, use Menu > Identity & Security > Cloud Guard

Copyright © 2021, Oracle and/or its affiliates.

102 Practices for Lesson: Cloud Security Posture Management

4. You are taken to the Cloud Guard home page. A dashboard with the current Cloud Guard
observations is displayed.

5. If the Guided Tour is displayed, go through the same to explore the various features. You
can also click Stop tour if you are not interested in the tour.

6. Once you close the tour, the dashboard with various options under Cloud Guard on the left
side in the browser window is displayed.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 103

7. Click Detector Recipes.

8. The Oracle Managed recipes are listed within the root compartment. Ensure you have
chosen the root compartment in the scope for compartment.

9. Two detector recipes are listed, one is of type Configuration and the other of type Activity.
Click the link to Oracle Configuration Detector Recipe to look into the detector details.

Copyright © 2021, Oracle and/or its affiliates.

104 Practices for Lesson: Cloud Security Posture Management

10. Various detector rules are part of this recipe.

11. To look into the details of a particular rule, click the expand icon as shown below. The
example is for a rule titled “VCN Security List allows traffic to restricted port.”

12. This rule is identified as a critical risk level. Look into the details of other rules listed.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 105

13. If you are interested to look into specific risk-level related rules, you can use the filter for
risk level, and only those rules will be listed.

14. In the breadcrumb on the top left, click Detector Recipes to go back to the Detector Recipes
page.

15. Click the OCI Activity detector recipe and explore the rules that are within it.

16. You also see that for the built-in, Oracle-Managed detector recipes, you have the ability to
clone the recipe. You can clone an existing recipe and customize it to your needs.

Copyright © 2021, Oracle and/or its affiliates.

106 Practices for Lesson: Cloud Security Posture Management

17. Go to the Detector Recipes page and click Responder Recipes.

18. There is one responder recipe listed, which is an Oracle Managed Recipe.

19. Click the responder recipe and look into the responder rules part of this recipe. Click the
expand icon to look into the different rules that are present.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 107

20. Responder recipes can also be cloned and customized by tenants.

21. Use the breadcrumb and go to the Responder Recipe page, and from the Cloud Guard
panel on the left side, click Managed Lists.

Copyright © 2021, Oracle and/or its affiliates.

108 Practices for Lesson: Cloud Security Posture Management

22. Click the Oracle Cloud Guard CIDR Managed list. It is a list of PUBLIC IP address CIDR
created as a managed list.

23. Go back to the Managed Lists listing page, and you see an option to create your own
managed list. Click Create Managed List; you will get a pop-up window as shown below.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 109

24. You can create your own managed listed, which could be of various types based on your
needs/requirements.

25. Click Cancel; you will not be creating a managed list in this practice.

26. On the left panel for Cloud Guard, click Settings.

27. You can see the reporting region listed. If you are in the Home region of your tenancy, you
will also see the option to Disable Cloud Guard (if it is already enabled). If you are in any
other region, this button will be disabled.

This completes the task of exploring Cloud Guard components.

Copyright © 2021, Oracle and/or its affiliates.

110 Practices for Lesson: Cloud Security Posture Management

Practice: Enable Cloud Guard

Tasks
1. Log in to the browser console and go to Security-> Cloud Guard.

2. Click Detector Recipes. Ensure you are in the root compartment so that you see the two
Oracle Managed detector recipes.

3. Click Clone to clone an Oracle Managed recipe and create your own detector recipe.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 111

4. In the pop-up window for the clone, enter the following:

Cloning – OCI Configuration Detector Recipe (Oracle Managed)

Name – Custom Configuration Detector
Description – Enter any meaningful description
Compartment Assigned – Choose the compartment assigned to you

5. Click Clone to create your own detector recipe based on the Oracle Managed recipe.

Copyright © 2021, Oracle and/or its affiliates.

112 Practices for Lesson: Cloud Security Posture Management

6. In the compartment selection (under Filter on the left side), choose your compartment,
where the cloned recipe resides to see the cloned detector recipe you created.

7. Click the recipe name, and you will see the list of detector rules. For now, you will not make
any changes (if required, you can customize the rules).

8. Next, you will enable Cloud Guard in your compartment using this recipe.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 113

9. Use the breadcrumb and go to the Detector Recipes page. Click Targets.

10. Click Create New Target button.

11. In the pop-up window, enter the following details:

Target Name – <YourCompName>_CG

Description – Meaningful description
Compartment Assigned – <YourCompartment>
Configuration Detector Recipe – Custom Detector Recipe you created earlier

Copyright © 2021, Oracle and/or its affiliates.

114 Practices for Lesson: Cloud Security Posture Management

 Activity Detector Recipe – Oracle Managed Activity Detector Recipe
Responder Recipe – None

12. Click Create to create target. Your target is created and listed.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 115

13. Click your target to look into the details.

14. You can see the recipes that you associated are listed in the detector and responder
recipes, and the target is the compartment you selected.

15. Wait for Cloud Guard to evaluate your current configuration with detectors and list its
observations. You will need to wait for 25–30 minutes; take a break and visit the screen
again and continue with the next steps.

16. On Cloud Guard page, go to the Problems section.

Copyright © 2021, Oracle and/or its affiliates.

116 Practices for Lesson: Cloud Security Posture Management

17. There are a list of problems identified based on the practices you did earlier, which includes
about the VCN and Compute Settings. These are identified based on the detector recipe
you had associated.

18. Click on any problem identified; for example, the below screenshot is for the problem
“Instance has a Public IP.”

19. Scroll down the page to see the sections under Resources for problem history and
responder activity.

20. As per the problem details, you have the option to remediate (if there are any responder
suggestions) or mark it as resolved or dismiss the problem.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 117

21. Note: In order to remediate, Cloud Guard will need permissions to do actions on your
behalf for that resource.

22. If you choose Mark as Resolved, then you can type a comment to have a log of why you
marked it as resolved.

Copyright © 2021, Oracle and/or its affiliates.

118 Practices for Lesson: Cloud Security Posture Management

23. If you choose Dismiss, you can add a comment on why dismissed it.

24. Similarly, look into other problems reported, related to VCN and other resources.

This completes the task of enabling a target compartment in Cloud Guard and explore the
features.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 119

Practice: Use Security Zones

Tasks

1. Log in to OCI with the credentials provided. Click Menu > Identity & Security > Security
Zones.

Copyright © 2021, Oracle and/or its affiliates.

120 Practices for Lesson: Cloud Security Posture Management

2. In the Security Zones page, click Recipes on the left side.

3. As of the time this content was created, there are no custom recipes. The tenant has to use
only the Oracle provided recipe.

4. Click the Recipe – Maximum Security Recipe to see the details.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 121

5. Various policies are listed, which you can look into. Notice in the list of policies there are
policies that Deny Internet Gateway, Public Buckets, etc. (Use the navigation at the bottom
right side to go to next pages and view the policies.)

6. Use the breadcrumb on the top and click Security Zones to go to the home page of security
zones.

7. When you create a security zone, you are creating a compartment that will comply by the
Security Zone recipe.

Copyright © 2021, Oracle and/or its affiliates.

122 Practices for Lesson: Cloud Security Posture Management

8. Click Create Security Zone. In the pop-up window, enter the following details:

Name – <YourComp>_SZ
Description – Meaningful description
Create in Compartment – Choose the compartment assigned to you

9. Click Create Security Zone. OCI will create a compartment with the name within the
compartment you have chosen. This will take a while to reflect as IAM components created
will have to be refreshed.

10. Once you create the security zone, it is listed on the Security Zones page.

11. With security zones, the compartment that is protected by the security zone will deny all
these. You can test it with the following two examples.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 123

12. First, you will create a bucket and make it public. Go to Object Storage and create a bucket
as shown below.

13. Go to Object Storage – Object Storage using the menu.

14. Notice that there is a compartment created with the security zone name as a child to your
compartment.

15. Choose the child compartment created as part of the security zone and click Create Bucket.

Copyright © 2021, Oracle and/or its affiliates.

124 Practices for Lesson: Cloud Security Posture Management

16. Give the following details and create the bucket.

Bucket Name – <YourCompSZ>_Bucket

Default Storage Tier – Standard

Accept defaults for the other options.

17. Click Create.

18. You will get an error that you must assign a master encryption key from your own vault.

19. In the Bucket creation page, choose the option Encrypt using Customer-Managed keys
under Encryption.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 125

20. In the vault, choose Change Compartment, and choose the compartment in which you
created the vault in an earlier practice and choose the vault you created. Similarly, change
the compartment for master encryption key and choose a master encryption key you
created. The Encryption section should look similar to the screenshot given below.

21. Click Create to create the bucket.

22. Now the bucket will be created. Similarly, various other settings can be explored.

23. Another example is to create a VCN with the wizard with Internet connectivity.

24. Such a VCN gets various components including a public subnet and Internet Gateway,
which are disallowed in a security zone.

Copyright © 2021, Oracle and/or its affiliates.

126 Practices for Lesson: Cloud Security Posture Management

25. Use the menu and navigate to Networking -> Virtual Cloud Networks.

26. In the List Scope section on the left side, choose the compartment of the security zone.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 127

27. Click Start VCN Wizard. Choose VCN with Internet connectivity.

Copyright © 2021, Oracle and/or its affiliates.

128 Practices for Lesson: Cloud Security Posture Management

28. Give a meaningful name to the VCN and ensure the compartment is the security zone
compartment.

29. Accept the defaults and click Next.

30. On the Summary page, click Create.

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 129

31. Observe that various components are created, but public subnet and Internet Gateway are
not created as they violate the security zone policies.

32. Even if you retry, they will not be created. The security zone will not allow. Click Close to
explore the VCN created.

33. Click the link on the name of the VCN to see the components created as part of the wizard-
based VCN creation.

Copyright © 2021, Oracle and/or its affiliates.

130 Practices for Lesson: Cloud Security Posture Management

34. The VCN is created without the public subnet and Internet Gateway.

35. When you use security zones, you are proactively restricting what can be used within OCI;
thus, the compartment is having the best practices of Security Implemented.

36. If you are interested, you can also try out integrating Cloud Guard with OCI Events and
Notification services (which you learned in a previous lesson).

Copyright © 2021, Oracle and/or its affiliates.

Practices for Lesson: Cloud Security Posture Management 131

 Copyright © 2021, Oracle and/or its affiliates.

132 Practices for Lesson: Cloud Security Posture Management