OCI: Control Permissions
The following table lists, for each Oracle Cloud Infrastructure (OCI) control, the IAM policy statements the scanning group needs. Grant these read-only permissions to the group (substitute your group for `[group-name]`) so that the controls are visible in the policy tab; a control whose required resource types cannot be read will not appear there.
| CID | Control Name | Permissions |
|---|---|---|
| 40001 | Ensure Secure Boot is enabled on Compute Instance | Allow group [group-name] to read instances in Tenancy |
| 40002 | Ensure Compute Instance boot volume has in-transit data encryption enabled | Allow group [group-name] to read instances in Tenancy |
| 40003 | Ensure no Object Storage buckets are publicly visible | Allow group [group-name] to read object-family in Tenancy |
| 40004 | Ensure Versioning is Enabled for Object Storage Buckets | Allow group [group-name] to read object-family in Tenancy |
| 40005 | Ensure Emit Object Events is Enabled for Object Storage Buckets | Allow group [group-name] to read object-family in Tenancy |
| 40006 | Ensure Bucket Pre-Authenticated Request allows Read Only Access | Allow group [group-name] to read object-family in Tenancy |
| 40007 | Ensure Bucket does not persist Expired Pre-Authenticated Requests | Allow group [group-name] to read object-family in Tenancy |
| 40008 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK) | Allow group [group-name] to read object-family in Tenancy |
| 40009 | Ensure no Object Storage buckets are left Untagged | Allow group [group-name] to read object-family in Tenancy |
| 40010 | Ensure password policy requires at least one lowercase letter | Allow group [group-name] to read authentication-policies in Tenancy |
| 40011 | Ensure password policy requires at least one uppercase letter | Allow group [group-name] to read authentication-policies in Tenancy |
| 40012 | Ensure password policy requires at least one numeric character | Allow group [group-name] to read authentication-policies in Tenancy |
| 40013 | Ensure password policy requires at least one special character | Allow group [group-name] to read authentication-policies in Tenancy |
| 40014 | Ensure no security lists allow ingress from 0.0.0.0/0 or ::/0 to port 22 | Allow group [group-name] to read virtual-network-family in Tenancy |
| 40015 | Ensure no security lists allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | Allow group [group-name] to read virtual-network-family in Tenancy |
| 40016 | Ensure the default security list of every VCN restricts all traffic except ICMP | Allow group [group-name] to read virtual-network-family in Tenancy |
| 40017 | Ensure MFA is enabled for all users with a console password | Allow group [group-name] to read users in Tenancy |
| 40018 | Ensure user API keys rotate within 90 days or less | Allow group [group-name] to read users in Tenancy |
| 40019 | Ensure user Customer Secret keys rotate within 90 days or less | Allow group [group-name] to read users in Tenancy |
| 40020 | Ensure user Auth Tokens rotate within 90 days or less | Allow group [group-name] to read users in Tenancy |
| 40021 | Ensure no network security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 | Allow group [group-name] to read virtual-network-family in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40022 | Ensure no network security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | Allow group [group-name] to read virtual-network-family in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40023 | Ensure API keys are not created for tenancy administrator users | Allow group [group-name] to read users in Tenancy<br>Allow group [group-name] to read group-memberships in Tenancy<br>Allow group [group-name] to read groups in Tenancy |
| 40024 | Ensure permissions on all resources are given only to the tenancy administrator group | Allow group [group-name] to read policies in Tenancy<br>Allow group [group-name] to read groups in Tenancy<br>Allow group [group-name] to read group-memberships in Tenancy |
| 40025 | Ensure IAM administrators cannot update tenancy Administrators group | Allow group [group-name] to read groups in Tenancy<br>Allow group [group-name] to read group-memberships in Tenancy<br>Allow group [group-name] to read policies in Tenancy |
| 40026 | Ensure IAM password policy requires minimum length of 14 or greater | Allow group [group-name] to read authentication-policies in Tenancy |
| 40027 | Ensure default tags are used on resources | Allow group [group-name] to read tag-namespaces in Tenancy<br>Allow group [group-name] to read tag-defaults in Tenancy |
| 40028 | Ensure at least one notification topic and subscription exists to receive monitoring alerts | Allow group [group-name] to read ons-family in Tenancy |
| 40029 | Ensure an Event Rule is configured for Identity Provider changes | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40030 | Ensure an Event Rule is configured for IdP group mapping changes | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40031 | Ensure an Event Rule is configured for IAM group changes | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40032 | Ensure an Event Rule is configured for IAM policy changes | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40033 | Ensure an Event Rule is configured for user changes | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40034 | Ensure an Event Rule is configured for VCN changes | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40035 | Ensure an Event Rule is configured for changes to route tables | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40036 | Ensure an Event Rule is configured for security list changes | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40037 | Ensure an Event Rule is configured for network security group changes | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40038 | Ensure an Event Rule is configured for changes to network gateways | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40040 | Ensure Cloud Guard is enabled in the root compartment of the tenancy | Allow group [group-name] to read cloud-guard-config in Tenancy |
| 40041 | Ensure an Event Rule is configured for Oracle Cloud Guard problems detected | Allow group [group-name] to read cloudevents-rules in Tenancy |
| 40042 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | Allow group [group-name] to read vaults in Tenancy<br>Allow group [group-name] to read keys in Tenancy |
| 40044 | Ensure Block Volumes are encrypted with Customer Managed Keys (CMK) | Allow group [group-name] to read volumes in Tenancy<br>Allow group [group-name] to read keys in Tenancy |
| 40045 | Ensure boot volumes are encrypted with Customer Managed Key (CMK) | Allow group [group-name] to read boot-volumes in Tenancy<br>Allow group [group-name] to read keys in Tenancy |
| 40046 | Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK) | Allow group [group-name] to read file-systems in Tenancy<br>Allow group [group-name] to read keys in Tenancy |
| 40047 | Ensure at least one compartment exists in your tenancy to store cloud resources | Allow group [group-name] to read compartments in Tenancy |
| 40049 | Ensure Compute Instance Legacy Metadata service endpoint is disabled | Allow group [group-name] to read instances in Tenancy |
| 40051 | Ensure that the Block Volume Backup is encrypted using customer-managed key | Allow group [group-name] to read volume-backups in Tenancy<br>Allow group [group-name] to read keys in Tenancy |
| 40052 | Ensure that the NSG is attached to Mount Targets to prevent unauthorized access to File Systems | Allow group [group-name] to read file-systems in Tenancy<br>Allow group [group-name] to read mount-targets in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40053 | Ensure that Functions Application maintains secure access through configuration of Network Security Groups (NSGs) | Allow group [group-name] to read fn-app in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40054 | Ensure that Network Security Groups (NSGs) are enabled for API Gateway | Allow group [group-name] to read api-gateway-family in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40055 | Ensure Delete Protection is enabled for Load Balancers | Allow group [group-name] to read load-balancers in Tenancy |
| 40057 | Ensure Autonomous Database is encrypted using customer-managed key | Allow group [group-name] to read autonomous-database-family in Tenancy<br>Allow group [group-name] to read keys in Tenancy |
| 40058 | Ensure Autonomous Database does not allow secure access from everywhere | Allow group [group-name] to read autonomous-database-family in Tenancy |
| 40059 | Ensure Autonomous Database has Mutual TLS authentication as Required | Allow group [group-name] to read autonomous-database-family in Tenancy |
| 40060 | Ensure DB Systems Network Security Groups are configured to restrict access to and from the database | Allow group [group-name] to read db-systems in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40061 | Ensure DB Systems Database is encrypted using customer-managed key | Allow group [group-name] to read db-systems in Tenancy<br>Allow group [group-name] to read keys in Tenancy |
| 40062 | Ensure Big Data Service cluster is encrypted using customer-managed key | Allow group [group-name] to read bds-instances in Tenancy<br>Allow group [group-name] to read keys in Tenancy |
| 40064 | Ensure Load balancer should not have Public IP | Allow group [group-name] to read load-balancers in Tenancy |
| 40065 | Ensure Load balancer has reserved Public IP | Allow group [group-name] to read load-balancers in Tenancy<br>Allow group [group-name] to read public-ips in Tenancy |
| 40066 | Ensure secret auto rotation should be enabled | Allow group [group-name] to read vaults in Tenancy<br>Allow group [group-name] to read secrets in Tenancy |
| 40067 | Ensure secret reuse rule should be configured | Allow group [group-name] to read vaults in Tenancy<br>Allow group [group-name] to read secrets in Tenancy |
| 40068 | Ensure secret expiry rule should be configured | Allow group [group-name] to read vaults in Tenancy<br>Allow group [group-name] to read secrets in Tenancy |
| 40069 | Ensure secret expiry rule should block use of content retrieval after the reuse | Allow group [group-name] to read vaults in Tenancy<br>Allow group [group-name] to read secrets in Tenancy |
| 40070 | Ensure Network security group is used for controlling traffic in load balancer | Allow group [group-name] to read load-balancers in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40073 | Ensure OCI Block Storage Block Volume backup policy is enabled | Allow group [group-name] to read volumes in Tenancy<br>Allow group [group-name] to read volume-backup-policies in Tenancy |
| 40074 | Ensure block volume cross region replication is enabled | Allow group [group-name] to read volumes in Tenancy<br>Allow group [group-name] to read volume-group-replicas in Tenancy |
| 40075 | Ensure snapshot policy is attached to the file system | Allow group [group-name] to read file-systems in Tenancy<br>Allow group [group-name] to read file-system-snapshot-policies in Tenancy |
| 40078 | Ensure Kubernetes Engine Cluster endpoint is configured with Network Security Group | Allow group [group-name] to read clusters in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40080 | Ensure Kubernetes API endpoint should be private | Allow group [group-name] to read clusters in Tenancy |
| 40081 | Ensure Kubernetes version should be latest | Allow group [group-name] to read clusters in Tenancy |
| 40082 | Ensure Container Repository is private | Allow group [group-name] to read repos in Tenancy |
| 40083 | Ensure Container Registry Readme should not be blank | Allow group [group-name] to read repos in Tenancy |
| 40084 | Ensure Cloud Advisor is enabled in the root compartment of the tenancy | Allow group [group-name] to read optimizer-profiles in Tenancy |
| 40085 | Ensure Run Log should be enabled for the Connector | Allow group [group-name] to read serviceconnectors in Tenancy |
| 40086 | Ensure Run log retention period should be more than 90 days | Allow group [group-name] to read serviceconnectors in Tenancy |
| 40087 | Ensure network security groups are stateless | Allow group [group-name] to read network-security-groups in Tenancy |
| 40088 | Ensure no policies have manage-all resources permission in a compartment | Allow group [group-name] to read policies in Tenancy |
| 40089 | Ensure Compute Instances are configured with required tags | Allow group [group-name] to read instances in Tenancy<br>Allow group [group-name] to read tag-namespaces in Tenancy |
| 40090 | Ensure only required Compute Instances have been assigned with Public IP | Allow group [group-name] to read instances in Tenancy<br>Allow group [group-name] to read public-ips in Tenancy |
| 40091 | Ensure a notification is configured for Local OCI User Authentication | Allow group [group-name] to read cloudevents-rules in Tenancy<br>Allow group [group-name] to read ons-family in Tenancy |
| 40092 | Ensure there is only one active API Key for any single OCI IAM user | Allow group [group-name] to read users in Tenancy<br>Allow group [group-name] to read user-credentials in Tenancy |