Files
oci-deal-accelerator/kb/well-architected/security-compliance.yaml
2026-03-18 18:03:44 -03:00

325 lines
12 KiB
YAML

# OCI Well-Architected Framework — Pillar 1: Security and Compliance
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
pillar:
name: "Security and Compliance"
id: security_compliance
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html"
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html"
categories:
- name: "Identity & Access"
id: identity_access
checks:
- id: SEC-IAM-001
name: "Least-privilege IAM policies"
description: "IAM policies follow least-privilege (not using broad 'manage all-resources')"
auto_detect:
pass_if: "architecture specifies granular IAM policies per compartment/service"
gap_if: "no IAM policy strategy defined or broad permissions used"
severity: HIGH
applies_when: always
- id: SEC-IAM-002
name: "MFA for human users"
description: "MFA enabled for all human users"
auto_detect:
pass_if: "MFA is specified in identity configuration"
gap_if: "no MFA mentioned in identity setup"
severity: HIGH
applies_when: always
- id: SEC-IAM-003
name: "Tenancy admin restricted"
description: "Tenancy admin account NOT used for day-to-day operations"
auto_detect:
pass_if: "separate admin groups defined for operations"
gap_if: "no mention of admin account restrictions"
severity: HIGH
applies_when: always
- id: SEC-IAM-004
name: "Instance/resource principals"
description: "Service accounts use instance principals or resource principals, not stored credentials"
auto_detect:
pass_if: "instance principals or resource principals specified for service-to-service auth"
gap_if: "stored credentials or API keys used for service accounts"
severity: HIGH
applies_when: always
- id: SEC-IAM-005
name: "Multiple Identity Domains"
description: "Multiple Identity Domains if multi-tenant or multi-environment"
auto_detect:
pass_if: "multiple identity domains defined"
gap_if: "single identity domain for multi-tenant setup"
severity: MEDIUM
applies_when: "multi_tenant or multi_environment"
- id: SEC-IAM-006
name: "IdP Federation"
description: "Federation configured with customer's IdP (AD, Okta, SAML)"
auto_detect:
pass_if: "federation with external IdP configured"
gap_if: "no IdP federation mentioned when enterprise customer"
severity: MEDIUM
applies_when: "enterprise_customer"
- name: "Resource Isolation"
id: resource_isolation
checks:
- id: SEC-ISO-001
name: "Compartment organization"
description: "Compartments organized by workload/environment (not flat)"
auto_detect:
pass_if: "hierarchical compartment structure defined"
gap_if: "flat compartment structure or no compartment strategy"
severity: HIGH
applies_when: always
- id: SEC-ISO-002
name: "Tagging strategy"
description: "Tags defined for cost tracking, environment, owner"
auto_detect:
pass_if: "defined tag namespaces with cost, environment, and owner tags"
gap_if: "no tagging strategy defined"
severity: MEDIUM
applies_when: always
- id: SEC-ISO-003
name: "Security Zones"
description: "Security Zones enabled for production compartments"
auto_detect:
pass_if: "Security Zones configured for production compartments"
gap_if: "no Security Zones for production workloads"
severity: MEDIUM
applies_when: "has_production_workloads"
- id: SEC-ISO-004
name: "Resource principal for cross-resource access"
description: "Cross-resource access uses resource principals, not user credentials"
auto_detect:
pass_if: "resource principals used for cross-service access"
gap_if: "user credentials used for cross-resource access"
severity: HIGH
applies_when: always
- name: "Database Security"
id: database_security
checks:
- id: SEC-DB-001
name: "Databases in private subnets"
description: "Databases in private subnets only"
auto_detect:
pass_if: "all database services placed in private subnets"
gap_if: "any database accessible from public subnet"
severity: HIGH
applies_when: "has_databases"
- id: SEC-DB-002
name: "TDE with customer-managed keys"
description: "TDE enabled with customer-managed keys (OCI Vault)"
auto_detect:
pass_if: "TDE with OCI Vault customer-managed keys specified"
gap_if: "Oracle-managed keys or no encryption key management specified"
severity: HIGH
applies_when: "has_databases"
- id: SEC-DB-003
name: "Key rotation policy"
description: "Key rotation < 90 days"
auto_detect:
pass_if: "key rotation policy defined with < 90 day interval"
gap_if: "no key rotation policy or > 90 day interval"
severity: MEDIUM
applies_when: "has_databases"
- id: SEC-DB-004
name: "Data Safe enabled"
description: "Data Safe enabled (audit, masking, VPD assessment)"
auto_detect:
pass_if: "Data Safe configured for database security assessment"
gap_if: "Data Safe not included in architecture"
severity: MEDIUM
applies_when: "has_databases"
- id: SEC-DB-005
name: "Private endpoints for ADB"
description: "Private endpoints for Autonomous Database"
auto_detect:
pass_if: "Autonomous Database configured with private endpoints"
gap_if: "Autonomous Database using public endpoints"
severity: HIGH
applies_when: "has_autonomous_database"
- id: SEC-DB-006
name: "Restricted DELETE permissions"
description: "DELETE permissions restricted to minimal users/groups"
auto_detect:
pass_if: "explicit restriction on DELETE permissions documented"
gap_if: "no mention of DELETE permission restrictions"
severity: MEDIUM
applies_when: "has_databases"
- id: SEC-DB-007
name: "Database security patches"
description: "Database security patches applied (CPU/PSU)"
auto_detect:
pass_if: "patching strategy defined for databases"
gap_if: "no database patching strategy"
severity: HIGH
applies_when: "has_databases"
- name: "Data Protection"
id: data_protection
checks:
- id: SEC-DAT-001
name: "Encryption at rest"
description: "Encryption at rest for all storage (Block, File, Object)"
auto_detect:
pass_if: "encryption at rest specified for all storage services"
gap_if: "any storage service without encryption at rest"
severity: HIGH
applies_when: always
- id: SEC-DAT-002
name: "OCI Vault key management"
description: "Keys managed in OCI Vault (not Oracle-managed)"
auto_detect:
pass_if: "OCI Vault specified for key management"
gap_if: "using Oracle-managed keys or no key management strategy"
severity: MEDIUM
applies_when: always
- id: SEC-DAT-003
name: "No public Object Storage"
description: "Object Storage buckets not publicly accessible"
auto_detect:
pass_if: "Object Storage buckets configured as private"
gap_if: "any Object Storage bucket publicly accessible without justification"
severity: HIGH
applies_when: "has_object_storage"
- id: SEC-DAT-004
name: "Retention rules"
description: "Retention rules on critical buckets"
auto_detect:
pass_if: "retention rules configured for critical data buckets"
gap_if: "no retention rules on critical data"
severity: MEDIUM
applies_when: "has_critical_data_in_object_storage"
- name: "Network Security"
id: network_security
checks:
- id: SEC-NET-001
name: "NSGs over Security Lists"
description: "NSGs preferred over Security Lists for fine-grained control"
auto_detect:
pass_if: "NSGs used as primary network security mechanism"
gap_if: "only Security Lists used without NSGs"
severity: MEDIUM
applies_when: always
- id: SEC-NET-002
name: "No default SSH from anywhere"
description: "Default security list modified (no SSH from 0.0.0.0/0)"
auto_detect:
pass_if: "SSH access restricted to specific CIDR ranges or bastion"
gap_if: "SSH open to 0.0.0.0/0"
severity: HIGH
applies_when: always
- id: SEC-NET-003
name: "WAF on internet-facing endpoints"
description: "WAF on all internet-facing endpoints"
auto_detect:
pass_if: "WAF configured for all internet-facing services"
gap_if: "internet-facing endpoints without WAF"
severity: HIGH
applies_when: "has_internet_facing_services"
- id: SEC-NET-004
name: "Service Gateway"
description: "Service Gateway for OCI service access (no internet traversal)"
auto_detect:
pass_if: "Service Gateway configured in VCN"
gap_if: "OCI services accessed via internet gateway"
severity: MEDIUM
applies_when: always
- id: SEC-NET-005
name: "Network Firewall"
description: "Network Firewall for hub VCN if required"
auto_detect:
pass_if: "Network Firewall deployed in hub VCN"
gap_if: "no Network Firewall in hub-spoke topology requiring deep packet inspection"
severity: LOW
applies_when: "hub_spoke_topology"
- id: SEC-NET-006
name: "TLS on Load Balancers"
description: "Load Balancers with TLS termination"
auto_detect:
pass_if: "TLS termination configured on load balancers"
gap_if: "load balancers without TLS"
severity: HIGH
applies_when: "has_load_balancers"
- id: SEC-NET-007
name: "Zero Trust Packet Routing"
description: "Zero Trust Packet Routing considered for sensitive workloads"
auto_detect:
pass_if: "ZTPR evaluated or configured"
gap_if: "ZTPR not considered for sensitive workloads"
severity: LOW
applies_when: "has_sensitive_workloads"
- name: "Monitoring & Audit"
id: monitoring_audit
checks:
- id: SEC-MON-001
name: "Cloud Guard enabled"
description: "Cloud Guard enabled with detector and responder recipes"
auto_detect:
pass_if: "Cloud Guard configured with appropriate recipes"
gap_if: "Cloud Guard not included in architecture"
severity: HIGH
applies_when: always
- id: SEC-MON-002
name: "OCI Audit enabled"
description: "OCI Audit service enabled"
auto_detect:
pass_if: "Audit service enabled (enabled by default, verify retention)"
gap_if: "audit service not mentioned or retention not configured"
severity: MEDIUM
applies_when: always
- id: SEC-MON-003
name: "VCN Flow Logs"
description: "VCN Flow Logs enabled"
auto_detect:
pass_if: "VCN Flow Logs enabled for critical subnets"
gap_if: "no VCN Flow Logs configured"
severity: MEDIUM
applies_when: always
- id: SEC-MON-004
name: "Vulnerability Scanning"
description: "Vulnerability Scanning enabled"
auto_detect:
pass_if: "OCI Vulnerability Scanning configured for compute instances"
gap_if: "no vulnerability scanning in architecture"
severity: MEDIUM
applies_when: "has_compute_instances"
- id: SEC-MON-005
name: "SIEM integration"
description: "Logs aggregated to SIEM if enterprise requirement"
auto_detect:
pass_if: "SIEM integration configured or Logging Analytics used"
gap_if: "no centralized log aggregation for enterprise workload"
severity: MEDIUM
applies_when: "enterprise_customer"