initial version
This commit is contained in:
64
kb/patterns/security-baseline/cis-baseline.yaml
Normal file
64
kb/patterns/security-baseline/cis-baseline.yaml
Normal file
@@ -0,0 +1,64 @@
|
||||
# Pattern: CIS Security Baseline
|
||||
# Composable architecture block for security foundation
|
||||
|
||||
pattern:
|
||||
name: "CIS OCI Security Baseline"
|
||||
id: cis_baseline
|
||||
category: security
|
||||
|
||||
description: |
|
||||
Security baseline aligned with CIS Oracle Cloud Infrastructure Foundations
|
||||
Benchmark. Provides IAM, network, encryption, monitoring, and governance
|
||||
controls as a foundation for all OCI deployments.
|
||||
|
||||
always_include: true
|
||||
applies_to: "all_workloads"
|
||||
|
||||
controls:
|
||||
identity:
|
||||
- "Least-privilege IAM policies per compartment"
|
||||
- "MFA for all human users"
|
||||
- "Break-glass admin account (not used for daily ops)"
|
||||
- "Instance principals for service-to-service auth"
|
||||
- "Federation with customer IdP (AD, Okta, SAML)"
|
||||
- "No API keys stored in code or config files"
|
||||
|
||||
compartments:
|
||||
- "Hierarchical compartment structure by workload/environment"
|
||||
- "Network, Security, AppDev, Database compartments at minimum"
|
||||
- "Defined tags for cost tracking, environment, owner"
|
||||
|
||||
networking:
|
||||
- "NSGs preferred over Security Lists"
|
||||
- "No SSH from 0.0.0.0/0 — use Bastion Service"
|
||||
- "Service Gateway for OCI service access"
|
||||
- "VCN Flow Logs enabled"
|
||||
- "WAF on all internet-facing endpoints"
|
||||
|
||||
encryption:
|
||||
- "OCI Vault for customer-managed keys"
|
||||
- "TDE with customer-managed keys for databases"
|
||||
- "Encryption at rest for all storage services"
|
||||
- "TLS on all load balancers"
|
||||
|
||||
monitoring:
|
||||
- "Cloud Guard enabled with detector recipes"
|
||||
- "OCI Audit with 365-day retention"
|
||||
- "Vulnerability Scanning for compute instances"
|
||||
- "Security Zones for production compartments"
|
||||
|
||||
governance:
|
||||
- "Budgets and cost alerts per compartment"
|
||||
- "Notification topics for security events"
|
||||
- "Tagging enforcement via tag defaults"
|
||||
|
||||
implied_services:
|
||||
- cloud_guard
|
||||
- oci_vault
|
||||
- bastion
|
||||
- vulnerability_scanning
|
||||
- notifications
|
||||
|
||||
references:
|
||||
- "https://www.cisecurity.org/benchmark/oracle_cloud"
|
||||
- "https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart"
|
||||
96
kb/patterns/security-baseline/pattern.yaml
Normal file
96
kb/patterns/security-baseline/pattern.yaml
Normal file
@@ -0,0 +1,96 @@
|
||||
---
|
||||
last_verified: 2026-03-14
|
||||
pattern: Security Baseline
|
||||
category: security
|
||||
---
|
||||
|
||||
description: |
|
||||
Minimum security configuration for any OCI deployment. Covers IAM,
|
||||
networking, encryption, monitoring, and compliance foundations.
|
||||
|
||||
layers:
|
||||
identity:
|
||||
name: "Identity & Access Management"
|
||||
requirements:
|
||||
- item: "MFA for all users"
|
||||
implementation: "Enable MFA in IAM, enforce via policy"
|
||||
priority: critical
|
||||
- item: "Least-privilege policies"
|
||||
implementation: "Use compartments + IAM policies, avoid broad allow statements"
|
||||
priority: critical
|
||||
- item: "No API keys for production"
|
||||
implementation: "Use instance principals or resource principals"
|
||||
priority: high
|
||||
- item: "Federated identity"
|
||||
implementation: "SAML/OIDC federation with corporate IdP"
|
||||
priority: high
|
||||
- item: "Break-glass procedure"
|
||||
implementation: "Documented emergency access with MFA-protected tenancy admin"
|
||||
priority: high
|
||||
|
||||
network:
|
||||
name: "Network Security"
|
||||
requirements:
|
||||
- item: "Private subnets for all workloads"
|
||||
implementation: "Only load balancers and bastion in public subnets"
|
||||
priority: critical
|
||||
- item: "NSGs over security lists"
|
||||
implementation: "Granular VNIC-level firewall rules"
|
||||
priority: high
|
||||
- item: "Service Gateway for OCI services"
|
||||
implementation: "Private path to Object Storage, ADB, etc."
|
||||
priority: high
|
||||
- item: "WAF for public-facing applications"
|
||||
implementation: "OCI WAF with OWASP rule sets"
|
||||
priority: high
|
||||
- item: "No public IPs on databases"
|
||||
implementation: "Use private endpoints, Bastion for admin access"
|
||||
priority: critical
|
||||
|
||||
encryption:
|
||||
name: "Encryption"
|
||||
requirements:
|
||||
- item: "Encryption at rest (default)"
|
||||
implementation: "OCI encrypts all data at rest by default (Oracle-managed keys)"
|
||||
priority: critical
|
||||
- item: "Customer-managed keys for sensitive data"
|
||||
implementation: "OCI Vault with HSM-backed keys"
|
||||
priority: high
|
||||
- item: "TLS 1.2+ for all connections"
|
||||
implementation: "Enforce in load balancer, database, API configurations"
|
||||
priority: critical
|
||||
- item: "TDE for databases"
|
||||
implementation: "Enabled by default on ADB, configure on DBCS/ExaCS"
|
||||
priority: critical
|
||||
|
||||
monitoring:
|
||||
name: "Monitoring & Audit"
|
||||
requirements:
|
||||
- item: "Audit logging enabled"
|
||||
implementation: "OCI Audit service (enabled by default, 365-day retention)"
|
||||
priority: critical
|
||||
- item: "Cloud Guard enabled"
|
||||
implementation: "Detect misconfigurations and threats"
|
||||
priority: high
|
||||
- item: "VCN Flow Logs"
|
||||
implementation: "Enable on critical subnets for network forensics"
|
||||
priority: medium
|
||||
- item: "Alarms for security events"
|
||||
implementation: "Monitoring alarms + Notifications for critical events"
|
||||
priority: high
|
||||
- item: "Data Safe for databases"
|
||||
implementation: "Security assessment, user assessment, data masking"
|
||||
priority: high
|
||||
|
||||
compute:
|
||||
name: "Compute Security"
|
||||
requirements:
|
||||
- item: "OS Management for patching"
|
||||
implementation: "OCI OS Management service for automated patching"
|
||||
priority: high
|
||||
- item: "Bastion service for SSH"
|
||||
implementation: "No direct SSH from internet, use OCI Bastion"
|
||||
priority: critical
|
||||
- item: "Instance metadata v2"
|
||||
implementation: "Disable v1 to prevent SSRF attacks"
|
||||
priority: high
|
||||
Reference in New Issue
Block a user