OCI: Control Permissions
The following table describes the permissions required for each Oracle Cloud Infrastructure (OCI) control. Grant these permissions so that the controls are visible in the policy tab.
| CID | Control Name | Permissions |
|---|---|---|
| 40001 | Ensure Secure Boot is enabled on Compute Instance | Allow group [group-name] to read instances in Tenancy |
| 40002 | Ensure in-transit data encryption is enabled for Compute Instance boot volumes | Allow group [group-name] to read instances in Tenancy |
| 40003 | Ensure no Object Storage buckets are publicly visible | Allow group [group-name] to read object-family in Tenancy |
| 40004 | Ensure Versioning is Enabled for Object Storage Buckets | Allow group [group-name] to read object-family in Tenancy |
| 40005 | Ensure Emit Object Events is Enabled for Object Storage Buckets | Allow group [group-name] to read object-family in Tenancy |
| 40006 | Ensure Bucket Pre-Authenticated Request allows Read Only Access | Allow group [group-name] to read object-family in Tenancy |
| 40007 | Ensure Bucket does not persist Expired Pre-Authenticated Requests | Allow group [group-name] to read object-family in Tenancy |
| 40008 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key CMK | Allow group [group-name] to read object-family in Tenancy |
| 40009 | Ensure no Object Storage buckets are left Untagged | Allow group [group-name] to read object-family in Tenancy |
| 40010 | Ensure password policy requires at least one lowercase letter | Allow group [group-name] to read authentication-policies in Tenancy |
| 40011 | Ensure password policy requires at least one uppercase letter | Allow group [group-name] to read authentication-policies in Tenancy |
| 40012 | Ensure password policy requires at least one numeric character | Allow group [group-name] to read authentication-policies in Tenancy |
| 40013 | Ensure password policy requires at least one special character | Allow group [group-name] to read authentication-policies in Tenancy |
| 40014 | Ensure no security lists allow ingress from 0.0.0.0/0 or ::/0 to port 22 | Allow group [group-name] to read virtual-network-family in Tenancy |
| 40015 | Ensure no security lists allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | Allow group [group-name] to read virtual-network-family in Tenancy |
| 40016 | Ensure the default security list of every VCN restricts all traffic except ICMP | Allow group [group-name] to read virtual-network-family in Tenancy |
| 40017 | Ensure MFA is enabled for all users with a console password | Allow group [group-name] to read users in Tenancy |
| 40018 | Ensure user API keys rotate within 90 days or less | Allow group [group-name] to read users in Tenancy |
| 40019 | Ensure user Customer Secret keys rotate within 90 days or less | Allow group [group-name] to read users in Tenancy |
| 40020 | Ensure user Auth Tokens rotate within 90 days or less | Allow group [group-name] to read users in Tenancy |
| 40021 | Ensure no network security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 | Allow group [group-name] to read virtual-network-family in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40022 | Ensure no network security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | Allow group [group-name] to read virtual-network-family in Tenancy<br>Allow group [group-name] to read network-security-groups in Tenancy |
| 40023 | Ensure API keys are not created for tenancy administrator users | Allow group [group-name] to read users in Tenancy<br>Allow group [group-name] to read group-memberships in Tenancy<br>Allow group [group-name] to read groups in Tenancy |
| 40024 | Ensure permissions on all resources are given only to the tenancy administrator group | |
| 40025 | Ensure IAM administrators cannot update tenancy Administrators group | |
| 40026 | Ensure IAM password policy requires minimum length of 14 or greater | |
| 40027 | Ensure default tags are used on resources | |
| 40028 | Ensure at least one notification topic and subscription exists to receive monitoring alerts | |
| 40029 | Ensure an Event Rule is configured for Identity Provider changes | |
| 40030 | Ensure an Event Rule is configured for IdP group mapping changes | |
| 40031 | Ensure an Event Rule is configured for IAM group changes | |
| 40032 | Ensure an Event Rule is configured for IAM policy changes | |
| 40033 | Ensure an Event Rule is configured for user changes | |
| 40034 | Ensure an Event Rule is configured for VCN changes | |
| 40035 | Ensure an Event Rule is configured for changes to route tables | |
| 40036 | Ensure an Event Rule is configured for security list changes | |
| 40037 | Ensure an Event Rule is configured for network security group changes | |
| 40038 | Ensure an Event Rule is configured for changes to network gateways | |
| 40040 | Ensure Cloud Guard is enabled in the root compartment of the tenancy | |
| 40041 | Ensure an Event Rule is configured for Oracle Cloud Guard problems detected | |
| 40042 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | |
| 40044 | Ensure Block Volumes are encrypted with Customer Managed Keys (CMK) | |
| 40045 | Ensure boot volumes are encrypted with Customer Managed Key (CMK) | |
| 40046 | Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK) | |
| 40047 | Ensure at least one compartment exists in your tenancy to store cloud resources | |
| 40049 | Ensure Compute Instance Legacy Metadata service endpoint is disabled | |
| 40051 | Ensure that the Block Volume Backup is encrypted using customer-managed key | |
| 40052 | Ensure that the NSG is attached to Mount Targets to prevent unauthorized access to File Systems | |
| 40053 | Ensure that Functions Application maintains secure access through configuration of Network Security Groups (NSGs) | |
| 40054 | Ensure that Network Security Groups (NSGs) are enabled for API Gateway | |
| 40055 | Ensure Delete Protection is enabled for Load Balancers | |
| 40057 | Ensure Autonomous Database is encrypted using customer-managed key | |
| 40058 | Ensure Autonomous Database does not allow secure access from everywhere | |
| 40059 | Ensure Autonomous Database has Mutual TLS authentication as Required | |
| 40060 | Ensure DB Systems Network Security Groups are configured to restrict access to and from the database | |
| 40061 | Ensure DB Systems Database is encrypted using customer-managed key | |
| 40062 | Ensure Big Data Service cluster is encrypted using customer-managed key | |
| 40063 | Ensure Data Flow application is configured to capture application logs | |