forked from diegoecab/oci-deal-accelerator
325 lines
12 KiB
YAML
325 lines
12 KiB
YAML
# OCI Well-Architected Framework — Pillar 1: Security and Compliance
|
|
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
|
|
|
pillar:
|
|
name: "Security and Compliance"
|
|
id: security_compliance
|
|
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html"
|
|
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html"
|
|
|
|
categories:
|
|
- name: "Identity & Access"
|
|
id: identity_access
|
|
checks:
|
|
- id: SEC-IAM-001
|
|
name: "Least-privilege IAM policies"
|
|
description: "IAM policies follow least-privilege (not using broad 'manage all-resources')"
|
|
auto_detect:
|
|
pass_if: "architecture specifies granular IAM policies per compartment/service"
|
|
gap_if: "no IAM policy strategy defined or broad permissions used"
|
|
severity: HIGH
|
|
applies_when: always
|
|
|
|
- id: SEC-IAM-002
|
|
name: "MFA for human users"
|
|
description: "MFA enabled for all human users"
|
|
auto_detect:
|
|
pass_if: "MFA is specified in identity configuration"
|
|
gap_if: "no MFA mentioned in identity setup"
|
|
severity: HIGH
|
|
applies_when: always
|
|
|
|
- id: SEC-IAM-003
|
|
name: "Tenancy admin restricted"
|
|
description: "Tenancy admin account NOT used for day-to-day operations"
|
|
auto_detect:
|
|
pass_if: "separate admin groups defined for operations"
|
|
gap_if: "no mention of admin account restrictions"
|
|
severity: HIGH
|
|
applies_when: always
|
|
|
|
- id: SEC-IAM-004
|
|
name: "Instance/resource principals"
|
|
description: "Service accounts use instance principals or resource principals, not stored credentials"
|
|
auto_detect:
|
|
pass_if: "instance principals or resource principals specified for service-to-service auth"
|
|
gap_if: "stored credentials or API keys used for service accounts"
|
|
severity: HIGH
|
|
applies_when: always
|
|
|
|
- id: SEC-IAM-005
|
|
name: "Multiple Identity Domains"
|
|
description: "Multiple Identity Domains if multi-tenant or multi-environment"
|
|
auto_detect:
|
|
pass_if: "multiple identity domains defined"
|
|
gap_if: "single identity domain for multi-tenant setup"
|
|
severity: MEDIUM
|
|
applies_when: "multi_tenant or multi_environment"
|
|
|
|
- id: SEC-IAM-006
|
|
name: "IdP Federation"
|
|
description: "Federation configured with customer's IdP (AD, Okta, SAML)"
|
|
auto_detect:
|
|
pass_if: "federation with external IdP configured"
|
|
gap_if: "no IdP federation mentioned when enterprise customer"
|
|
severity: MEDIUM
|
|
applies_when: "enterprise_customer"
|
|
|
|
- name: "Resource Isolation"
|
|
id: resource_isolation
|
|
checks:
|
|
- id: SEC-ISO-001
|
|
name: "Compartment organization"
|
|
description: "Compartments organized by workload/environment (not flat)"
|
|
auto_detect:
|
|
pass_if: "hierarchical compartment structure defined"
|
|
gap_if: "flat compartment structure or no compartment strategy"
|
|
severity: HIGH
|
|
applies_when: always
|
|
|
|
- id: SEC-ISO-002
|
|
name: "Tagging strategy"
|
|
description: "Tags defined for cost tracking, environment, owner"
|
|
auto_detect:
|
|
pass_if: "defined tag namespaces with cost, environment, and owner tags"
|
|
gap_if: "no tagging strategy defined"
|
|
severity: MEDIUM
|
|
applies_when: always
|
|
|
|
- id: SEC-ISO-003
|
|
name: "Security Zones"
|
|
description: "Security Zones enabled for production compartments"
|
|
auto_detect:
|
|
pass_if: "Security Zones configured for production compartments"
|
|
gap_if: "no Security Zones for production workloads"
|
|
severity: MEDIUM
|
|
applies_when: "has_production_workloads"
|
|
|
|
- id: SEC-ISO-004
|
|
name: "Resource principal for cross-resource access"
|
|
description: "Cross-resource access uses resource principals, not user credentials"
|
|
auto_detect:
|
|
pass_if: "resource principals used for cross-service access"
|
|
gap_if: "user credentials used for cross-resource access"
|
|
severity: HIGH
|
|
applies_when: always
|
|
|
|
- name: "Database Security"
|
|
id: database_security
|
|
checks:
|
|
- id: SEC-DB-001
|
|
name: "Databases in private subnets"
|
|
description: "Databases in private subnets only"
|
|
auto_detect:
|
|
pass_if: "all database services placed in private subnets"
|
|
gap_if: "any database accessible from public subnet"
|
|
severity: HIGH
|
|
applies_when: "has_databases"
|
|
|
|
- id: SEC-DB-002
|
|
name: "TDE with customer-managed keys"
|
|
description: "TDE enabled with customer-managed keys (OCI Vault)"
|
|
auto_detect:
|
|
pass_if: "TDE with OCI Vault customer-managed keys specified"
|
|
gap_if: "Oracle-managed keys or no encryption key management specified"
|
|
severity: HIGH
|
|
applies_when: "has_databases"
|
|
|
|
- id: SEC-DB-003
|
|
name: "Key rotation policy"
|
|
description: "Key rotation < 90 days"
|
|
auto_detect:
|
|
pass_if: "key rotation policy defined with < 90 day interval"
|
|
gap_if: "no key rotation policy or > 90 day interval"
|
|
severity: MEDIUM
|
|
applies_when: "has_databases"
|
|
|
|
- id: SEC-DB-004
|
|
name: "Data Safe enabled"
|
|
description: "Data Safe enabled (audit, masking, VPD assessment)"
|
|
auto_detect:
|
|
pass_if: "Data Safe configured for database security assessment"
|
|
gap_if: "Data Safe not included in architecture"
|
|
severity: MEDIUM
|
|
applies_when: "has_databases"
|
|
|
|
- id: SEC-DB-005
|
|
name: "Private endpoints for ADB"
|
|
description: "Private endpoints for Autonomous Database"
|
|
auto_detect:
|
|
pass_if: "Autonomous Database configured with private endpoints"
|
|
gap_if: "Autonomous Database using public endpoints"
|
|
severity: HIGH
|
|
applies_when: "has_autonomous_database"
|
|
|
|
- id: SEC-DB-006
|
|
name: "Restricted DELETE permissions"
|
|
description: "DELETE permissions restricted to minimal users/groups"
|
|
auto_detect:
|
|
pass_if: "explicit restriction on DELETE permissions documented"
|
|
gap_if: "no mention of DELETE permission restrictions"
|
|
severity: MEDIUM
|
|
applies_when: "has_databases"
|
|
|
|
- id: SEC-DB-007
|
|
name: "Database security patches"
|
|
description: "Database security patches applied (CPU/PSU)"
|
|
auto_detect:
|
|
pass_if: "patching strategy defined for databases"
|
|
gap_if: "no database patching strategy"
|
|
severity: HIGH
|
|
applies_when: "has_databases"
|
|
|
|
- name: "Data Protection"
|
|
id: data_protection
|
|
checks:
|
|
- id: SEC-DAT-001
|
|
name: "Encryption at rest"
|
|
description: "Encryption at rest for all storage (Block, File, Object)"
|
|
auto_detect:
|
|
pass_if: "encryption at rest specified for all storage services"
|
|
gap_if: "any storage service without encryption at rest"
|
|
severity: HIGH
|
|
applies_when: always
|
|
|
|
- id: SEC-DAT-002
|
|
name: "OCI Vault key management"
|
|
description: "Keys managed in OCI Vault (not Oracle-managed)"
|
|
auto_detect:
|
|
pass_if: "OCI Vault specified for key management"
|
|
gap_if: "using Oracle-managed keys or no key management strategy"
|
|
severity: MEDIUM
|
|
applies_when: always
|
|
|
|
- id: SEC-DAT-003
|
|
name: "No public Object Storage"
|
|
description: "Object Storage buckets not publicly accessible"
|
|
auto_detect:
|
|
pass_if: "Object Storage buckets configured as private"
|
|
gap_if: "any Object Storage bucket publicly accessible without justification"
|
|
severity: HIGH
|
|
applies_when: "has_object_storage"
|
|
|
|
- id: SEC-DAT-004
|
|
name: "Retention rules"
|
|
description: "Retention rules on critical buckets"
|
|
auto_detect:
|
|
pass_if: "retention rules configured for critical data buckets"
|
|
gap_if: "no retention rules on critical data"
|
|
severity: MEDIUM
|
|
applies_when: "has_critical_data_in_object_storage"
|
|
|
|
- name: "Network Security"
|
|
id: network_security
|
|
checks:
|
|
- id: SEC-NET-001
|
|
name: "NSGs over Security Lists"
|
|
description: "NSGs preferred over Security Lists for fine-grained control"
|
|
auto_detect:
|
|
pass_if: "NSGs used as primary network security mechanism"
|
|
gap_if: "only Security Lists used without NSGs"
|
|
severity: MEDIUM
|
|
applies_when: always
|
|
|
|
- id: SEC-NET-002
|
|
name: "No default SSH from anywhere"
|
|
description: "Default security list modified (no SSH from 0.0.0.0/0)"
|
|
auto_detect:
|
|
pass_if: "SSH access restricted to specific CIDR ranges or bastion"
|
|
gap_if: "SSH open to 0.0.0.0/0"
|
|
severity: HIGH
|
|
applies_when: always
|
|
|
|
- id: SEC-NET-003
|
|
name: "WAF on internet-facing endpoints"
|
|
description: "WAF on all internet-facing endpoints"
|
|
auto_detect:
|
|
pass_if: "WAF configured for all internet-facing services"
|
|
gap_if: "internet-facing endpoints without WAF"
|
|
severity: HIGH
|
|
applies_when: "has_internet_facing_services"
|
|
|
|
- id: SEC-NET-004
|
|
name: "Service Gateway"
|
|
description: "Service Gateway for OCI service access (no internet traversal)"
|
|
auto_detect:
|
|
pass_if: "Service Gateway configured in VCN"
|
|
gap_if: "OCI services accessed via internet gateway"
|
|
severity: MEDIUM
|
|
applies_when: always
|
|
|
|
- id: SEC-NET-005
|
|
name: "Network Firewall"
|
|
description: "Network Firewall for hub VCN if required"
|
|
auto_detect:
|
|
pass_if: "Network Firewall deployed in hub VCN"
|
|
gap_if: "no Network Firewall in hub-spoke topology requiring deep packet inspection"
|
|
severity: LOW
|
|
applies_when: "hub_spoke_topology"
|
|
|
|
- id: SEC-NET-006
|
|
name: "TLS on Load Balancers"
|
|
description: "Load Balancers with TLS termination"
|
|
auto_detect:
|
|
pass_if: "TLS termination configured on load balancers"
|
|
gap_if: "load balancers without TLS"
|
|
severity: HIGH
|
|
applies_when: "has_load_balancers"
|
|
|
|
- id: SEC-NET-007
|
|
name: "Zero Trust Packet Routing"
|
|
description: "Zero Trust Packet Routing considered for sensitive workloads"
|
|
auto_detect:
|
|
pass_if: "ZTPR evaluated or configured"
|
|
gap_if: "ZTPR not considered for sensitive workloads"
|
|
severity: LOW
|
|
applies_when: "has_sensitive_workloads"
|
|
|
|
- name: "Monitoring & Audit"
|
|
id: monitoring_audit
|
|
checks:
|
|
- id: SEC-MON-001
|
|
name: "Cloud Guard enabled"
|
|
description: "Cloud Guard enabled with detector and responder recipes"
|
|
auto_detect:
|
|
pass_if: "Cloud Guard configured with appropriate recipes"
|
|
gap_if: "Cloud Guard not included in architecture"
|
|
severity: HIGH
|
|
applies_when: always
|
|
|
|
- id: SEC-MON-002
|
|
name: "OCI Audit enabled"
|
|
description: "OCI Audit service enabled"
|
|
auto_detect:
|
|
pass_if: "Audit service enabled (enabled by default, verify retention)"
|
|
gap_if: "audit service not mentioned or retention not configured"
|
|
severity: MEDIUM
|
|
applies_when: always
|
|
|
|
- id: SEC-MON-003
|
|
name: "VCN Flow Logs"
|
|
description: "VCN Flow Logs enabled"
|
|
auto_detect:
|
|
pass_if: "VCN Flow Logs enabled for critical subnets"
|
|
gap_if: "no VCN Flow Logs configured"
|
|
severity: MEDIUM
|
|
applies_when: always
|
|
|
|
- id: SEC-MON-004
|
|
name: "Vulnerability Scanning"
|
|
description: "Vulnerability Scanning enabled"
|
|
auto_detect:
|
|
pass_if: "OCI Vulnerability Scanning configured for compute instances"
|
|
gap_if: "no vulnerability scanning in architecture"
|
|
severity: MEDIUM
|
|
applies_when: "has_compute_instances"
|
|
|
|
- id: SEC-MON-005
|
|
name: "SIEM integration"
|
|
description: "Logs aggregated to SIEM if enterprise requirement"
|
|
auto_detect:
|
|
pass_if: "SIEM integration configured or Logging Analytics used"
|
|
gap_if: "no centralized log aggregation for enterprise workload"
|
|
severity: MEDIUM
|
|
applies_when: "enterprise_customer"
|