
Check for Cloud Resources in the Root Compartment

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

To enhance organizational structure and implement granular access control, ensure that Oracle Cloud Infrastructure (OCI) resources are not provisioned within the root compartment. All OCI resources should instead be deployed within designated, non-root compartments.

Operational excellence

Deploying Oracle Cloud Infrastructure (OCI) resources in the root compartment undermines logical organization and isolation. IAM policies are scoped to a compartment and inherited by everything beneath it, so granting access to a resource that sits in the root compartment means writing a policy against the tenancy, which reaches every compartment. Least-privilege access control, per-project cost tracking, and compartment-specific policies, quotas, and budgets all become impractical for resources that live at the root.


Audit

To determine if there are any cloud resources provisioned within the OCI root compartment, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Tenancy details page available at https://cloud.oracle.com/tenancy.

03 Select the Tenancy information tab and copy the ID of the tenancy (i.e., OCI root compartment) listed next to OCID.

04 Navigate to Resource Explorer console available at https://cloud.oracle.com/search/.

05 Paste the following search query into the Advanced resource query textbox and select Search. Replace <root-compartment-id> with the OCID of the tenancy copied in step no. 3. If the query returns one or more results, there are cloud resources provisioned within your Oracle Cloud Infrastructure (OCI) root compartment. Note that tenancy-scoped IAM objects (top-level compartments, users, groups, and tenancy-wide policies) are also listed with the tenancy as their compartment; they belong there and are not findings for this check:

query
	all resources
		where compartmentId = '<root-compartment-id>'

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the parent compartment of each top-level compartment, which is the Oracle Cloud Infrastructure (OCI) root compartment (the tenancy):

oci iam compartment list
	--all
	--query 'data[]."compartment-id"'

02 The command output should return the root compartment OCID (one entry per top-level compartment, all carrying the same tenancy OCID; the same value is stored as tenancy in your ~/.oci/config profile):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run search resource structured-search command (Windows/macOS/Linux) to list the cloud resources provisioned within the Oracle Cloud Infrastructure (OCI) root compartment:

oci search resource structured-search
	--query-text "query all resources where compartmentId = 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'"
	--output table
	--query 'data.items[].["display-name","identifier"]'

04 The command output should return a table with the cloud resources available in the OCI root compartment. Column1 lists the resource name and Column2 the resource OCID:

+-------------------------------------------+------------------------------------------------------------------------------------------------+
| Column1                                   | Column2                                                                                        |
+-------------------------------------------+------------------------------------------------------------------------------------------------+
| cc-event-notifications-topic              | ocid1.onstopic.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd    |
| cc-project5-vcn                           | ocid1.vcn.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd         |
| cc-project5-vcn-subnet-001                | ocid1.subnet.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd      |
| Default DHCP Options for cc-project5-vcn  | ocid1.dhcpoptions.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| Default Route Table for cc-project5-vcn   | ocid1.routetable.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd  |
| Default Security List for cc-project5-vcn | ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234    |
| cc-project5-data-bucket                   | ocid1.bucket.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd      |
+-------------------------------------------+------------------------------------------------------------------------------------------------+

If the search resource structured-search command returns one or more resources, as shown in the output example above, there are cloud resources provisioned within your Oracle Cloud Infrastructure (OCI) root compartment. Review the resource type before acting: Resource Search also reports tenancy-scoped IAM objects (top-level compartments, users, groups, dynamic groups, and tenancy-wide policies) with the tenancy OCID as their compartment ID, and those belong in the root compartment and cannot be moved; resources in a TERMINATED lifecycle state may also still be listed for a while. Add "resource-type" and "lifecycle-state" to the --query projection to see both fields alongside the name and OCID.

Remediation / Resolution

To ensure that your Oracle Cloud Infrastructure (OCI) resources are not provisioned within the root compartment, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Tenancy details page available at https://cloud.oracle.com/tenancy.

03 Select the Tenancy information tab and copy the ID of the tenancy (i.e., OCI root compartment) listed next to OCID.

04 Navigate to Resource Explorer console available at https://cloud.oracle.com/search/.

05 Paste the following search query into the Advanced resource query textbox and select Search to return the cloud resources provisioned within your OCI root compartment. Replace <root-compartment-id> with the OCID of the tenancy copied in step no. 3:

query
	all resources
		where compartmentId = '<root-compartment-id>'

06 Select the cloud resource(s) that you want to migrate to your non-root compartment, choose Actions, and select Move resources.

07 Select the name of the destination non-root compartment from the Destination compartment dropdown list, choose Next, and select Move resources to migrate the selected resource(s) to the specified non-root compartment. Choose Continue for confirmation. Once the migration process is completed, choose Close to return to the Resource Explorer console.

Using OCI CLI

01 Use the oci <service-command> <resource-command> change-compartment command to migrate a cloud resource to a different compartment within the same OCI tenancy. For example, run ons topic change-compartment command (Windows/macOS/Linux) to move an OCI topic to a different (non-root) compartment, specified by the --compartment-id parameter:

oci ons topic change-compartment
	--topic-id 'ocid1.onstopic.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--compartment-id 'ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'

02 The command output should return the ETag of the updated topic, confirming that the move request was accepted:

{
	"etag": "abcd1234"
}

03 To move a bucket to a different compartment (non-root compartment) within the same OCI tenancy, run the os bucket update command (Windows/macOS/Linux). For --compartment-id, specify the OCID of the non-root compartment to move the bucket to:

oci os bucket update
	--bucket-name 'cc-project5-data-bucket'
	--compartment-id 'ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'

04 The command output should return the resource information available for the modified bucket:

{
	"data": {
		"approximate-count": null,
		"approximate-size": null,
		"auto-tiering": "Disabled",
		"compartment-id": "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"created-by": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"id": "ocid1.bucket.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"is-read-only": false,
		"kms-key-id": null,
		"metadata": {},
		"name": "cc-project5-data-bucket",
		"namespace": "abcabcabcabc",
		"object-events-enabled": false,
		"object-lifecycle-policy-etag": null,
		"public-access-type": "NoPublicAccess",
		"replication-enabled": false,
		"storage-tier": "Standard",
		"time-created": "2025-03-05T12:03:42.173000+00:00"
	}
}

05 Repeat steps no. 1 - 4 for each cloud resource that you want to migrate, available within your OCI root compartment. Moving a resource changes which IAM policies govern it, so before each move confirm that the policies attached to the destination compartment grant the access the resource's consumers need, and no more. Networking components are compartmented independently of their VCN: a VCN's subnets, route tables, security lists, and DHCP options each need their own change-compartment call. Tenancy-scoped IAM resources (users, groups, dynamic groups, and tenancy-wide policies) remain in the root compartment by design and are not findings for this check.
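The following Python helper is an added example, not code from the article or from Trend Micro, and it serves both the CLI Audit steps and the CLI Remediation steps above: it reads the tenancy OCID from the OCI CLI config, post-processes the JSON that `oci search resource structured-search` prints for the Audit query, drops the tenancy-scoped IAM types and terminated resources that the raw query also returns, and emits the change-compartment command for each remaining finding. The sample items are constructed to mirror the CLI's data.items shape; the resource-type strings in TENANCY_SCOPED_TYPES and MOVE_COMMANDS are assumed to match what Resource Search reports and should be checked against your own output before relying on them.

```python
"""Added example: triage Resource Search output for the OCI root compartment
and plan the moves. Not part of the original article. Resource-type names
are assumed to match what Resource Search reports; verify on real output.
"""
import configparser
import json
import shlex
import subprocess

# Tenancy-scoped IAM objects: Resource Search lists them with the tenancy OCID
# as compartment-id, but they cannot be moved, so they are not findings.
TENANCY_SCOPED_TYPES = {"Compartment", "User", "Group", "DynamicGroup", "Policy"}

# CLI move command per resource type; unmapped types get a --help hint.
# Buckets are addressed by name (not OCID) and move through `bucket update`.
MOVE_COMMANDS = {
    "OnsTopic": "oci ons topic change-compartment --topic-id {id} --compartment-id {dest}",
    "Vcn": "oci network vcn change-compartment --vcn-id {id} --compartment-id {dest}",
    "Subnet": "oci network subnet change-compartment --subnet-id {id} --compartment-id {dest}",
    "Bucket": "oci os bucket update --bucket-name {name} --compartment-id {dest}",
}


def tenancy_ocid_from_config(config_text, profile="DEFAULT"):
    """Return the tenancy OCID (the root compartment OCID) from an OCI CLI config."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return parser[profile]["tenancy"]


def search_root_compartment(tenancy_ocid):
    """Run the Audit section's query through a configured OCI CLI; returns raw items."""
    query_text = f"query all resources where compartmentId = '{tenancy_ocid}'"
    proc = subprocess.run(
        ["oci", "search", "resource", "structured-search", "--query-text", query_text],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)["data"]["items"]


def misplaced_resources(items, tenancy_ocid):
    """Keep only real findings: in the root compartment, movable, not terminated."""
    findings = []
    for item in items:
        if item.get("compartment-id") != tenancy_ocid:
            continue  # defensive; the query already restricts to the tenancy
        if item.get("resource-type") in TENANCY_SCOPED_TYPES:
            continue
        if (item.get("lifecycle-state") or "").upper() in {"TERMINATED", "DELETED"}:
            continue
        findings.append({"type": item["resource-type"],
                         "name": item.get("display-name") or "",
                         "id": item["identifier"]})
    return sorted(findings, key=lambda r: (r["type"], r["name"]))


def plan_moves(findings, dest_compartment_ocid):
    """One quoted shell command per finding; unknown types get a lookup hint."""
    commands = []
    for r in findings:
        template = MOVE_COMMANDS.get(r["type"])
        if template is None:
            commands.append(f"# {r['type']} {r['id']}: not mapped here, see "
                            "`oci <service> <resource> change-compartment --help`")
            continue
        commands.append(template.format(id=shlex.quote(r["id"]),
                                        name=shlex.quote(r["name"]),
                                        dest=shlex.quote(dest_compartment_ocid)))
    return commands


# Constructed sample mirroring the CLI's data.items for the article's tenancy,
# plus two entries (a top-level compartment, a terminated instance) to filter out.
SAMPLE_TENANCY = "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
SAMPLE_ITEMS = [
    {"resource-type": "OnsTopic", "display-name": "cc-event-notifications-topic",
     "identifier": "ocid1.onstopic.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
     "compartment-id": SAMPLE_TENANCY, "lifecycle-state": "ACTIVE"},
    {"resource-type": "Bucket", "display-name": "cc-project5-data-bucket",
     "identifier": "ocid1.bucket.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
     "compartment-id": SAMPLE_TENANCY, "lifecycle-state": None},
    {"resource-type": "RouteTable", "display-name": "Default Route Table for cc-project5-vcn",
     "identifier": "ocid1.routetable.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
     "compartment-id": SAMPLE_TENANCY, "lifecycle-state": "AVAILABLE"},
    {"resource-type": "Compartment", "display-name": "project5",
     "identifier": "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
     "compartment-id": SAMPLE_TENANCY, "lifecycle-state": "ACTIVE"},
    {"resource-type": "Instance", "display-name": "old-bastion",
     "identifier": "ocid1.instance.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
     "compartment-id": SAMPLE_TENANCY, "lifecycle-state": "TERMINATED"},
]

if __name__ == "__main__":
    # Offline run on the sample; swap in search_root_compartment(...) for a live tenancy.
    dest = "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    for command in plan_moves(misplaced_resources(SAMPLE_ITEMS, SAMPLE_TENANCY), dest):
        print(command)
```

The output is a list of commands to review, not something to pipe straight into a shell: the RouteTable line comes out as a comment because its move command is deliberately left out of the mapping, and every move should be checked against the destination compartment's IAM policies first, as described in step no. 5.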


Publication date Mar 21, 2025