
Check for Non-Root Compartments

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Oracle Cloud Infrastructure (OCI) tenancy contains at least one non-root compartment for managing cloud resources. A non-root compartment lets you group related resources logically, apply granular IAM policies to just that group, and isolate projects or environments from one another, so that the root compartment does not become the catch-all in which every resource lives and every access grant is effectively tenancy-wide.

Security, Operational excellence

In Oracle Cloud Infrastructure (OCI), compartments are the unit you use to organize cloud resources and to control who can access them. A compartment is a logical grouping of related resources, such as VM instances, databases, Virtual Cloud Networks (VCNs), storage buckets, and block volumes. IAM policies grant groups access to resources per compartment, and a policy written against the root compartment (a statement ending in "in tenancy") applies to every compartment beneath it, so resources that live directly in the root can only be governed by tenancy-wide grants. When you sign up for an OCI account, a root compartment is created by default; it is the top-level compartment of your tenancy and the parent of every other compartment you create. To follow best practices and keep policies narrowly scoped, create further compartments beneath the root compartment and place your resources in them.


Audit

To determine if there is at least one non-root compartment in your OCI tenancy to manage cloud resources, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Tenancy details page available at https://cloud.oracle.com/tenancy.

03 Select the Tenancy information tab and copy the ID of the tenancy (i.e., OCI root compartment) listed next to OCID.

04 Navigate to Resource Explorer console available at https://cloud.oracle.com/search/.

05 Paste the following search query in the Advanced resource query textbox and select Search. Replace <root-compartment-id> with the OCID of the tenancy copied in step no. 3. If the specified query finds no results, then there are no active non-root compartments created for resource management in your OCI tenancy:

query
	compartment resources
		where (compartmentId = '<root-compartment-id>' && lifecycleState = 'ACTIVE')

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of your Oracle Cloud Infrastructure (OCI) tenancy (i.e., root compartment). The command lists the compartments directly beneath the root, so every compartment-id value it prints is the parent of those compartments, i.e., the tenancy OCID (one entry per top-level compartment, all identical). Note that if the tenancy has no compartments at all, the output is empty; in that case take the OCID from the tenancy entry of your OCI CLI configuration file (~/.oci/config) instead:

oci iam compartment list \
	--all \
	--query 'data[]."compartment-id"'

02 The command output should return the tenancy OCID:

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run search resource structured-search command (Windows/macOS/Linux) to list all the active non-root compartments created for your Oracle Cloud Infrastructure (OCI) tenancy:

oci search resource structured-search \
	--query-text "query compartment resources where (compartmentId = 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' && lifecycleState = 'ACTIVE')" \
	--query 'data.items[]."display-name"'

04 The command output should return the name of each non-root compartment available within your OCI tenancy:

[]

If the search resource structured-search command returns an empty array (i.e. []), as shown in the output example above, there are no active non-root compartments created for resource management in your OCI tenancy.
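A script that performs this CLI audit end to end, added here as an example and not part of the Trend Vision One page or of the OCI tooling: it takes the tenancy OCID from the OCI CLI configuration file (the tenancy entry in ~/.oci/config, which is present even when the tenancy has no compartments yet, the very case this check is looking for), builds the same structured-search query as step no. 3, and evaluates the JSON that the CLI returns, re-checking the lifecycle state so that a stale or hand-edited result cannot pass. The run_live() function, which shells out to the real oci command, is an assumption about how you would wire it to a tenancy; the sample config and search output embedded in the block are constructed placeholders, and run_sample() runs entirely offline on them.

```python
"""Evaluate the "non-root compartments" check from OCI CLI output.

Added example; not Trend Vision One or OCI code. The tenancy OCID comes
from the OCI CLI config file, the query is the one from the Audit section,
and the JSON shape parsed is that of `oci search resource structured-search`.
"""
import configparser
import json
import os
import subprocess

# Constructed stand-in for ~/.oci/config; all OCIDs are placeholders.
SAMPLE_OCI_CONFIG = """\
[DEFAULT]
user=ocid1.user.oc1..aaaaaaaaexampleuserocid
fingerprint=11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
key_file=~/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd
region=us-ashburn-1
"""

# Constructed stand-in for the CLI's structured-search JSON output:
# one ACTIVE top-level compartment plus one that has been deleted.
SAMPLE_SEARCH_OUTPUT = json.dumps({
    "data": {
        "items": [
            {
                "display-name": "cc-project5-compartment",
                "identifier": "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
                "lifecycle-state": "ACTIVE",
                "resource-type": "Compartment",
            },
            {
                "display-name": "old-sandbox",
                "identifier": "ocid1.compartment.oc1..ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff",
                "lifecycle-state": "DELETED",
                "resource-type": "Compartment",
            },
        ]
    }
})


def tenancy_ocid_from_config(config_text, profile="DEFAULT"):
    """Return the `tenancy` value of a profile in an OCI CLI config file.

    Unlike listing child compartments, this works when the tenancy has no
    compartments at all, which is exactly the failing case for this check.
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return parser[profile]["tenancy"]


def build_search_query(tenancy_ocid):
    """Resource Explorer query from the Audit section: ACTIVE compartments
    whose parent is the root compartment (the tenancy)."""
    return ("query compartment resources where "
            f"(compartmentId = '{tenancy_ocid}' && lifecycleState = 'ACTIVE')")


def active_nonroot_compartments(search_output_json):
    """Parse structured-search output; return the ACTIVE compartment names.

    The query already filters on lifecycleState, but the state is checked
    again here so a stale or edited result cannot turn a FAIL into a PASS.
    An empty stdout (no JSON at all) is treated as "no compartments".
    """
    if not search_output_json.strip():
        return []
    items = json.loads(search_output_json).get("data", {}).get("items", []) or []
    return sorted(
        item["display-name"] for item in items
        if item.get("resource-type") == "Compartment"
        and item.get("lifecycle-state") == "ACTIVE"
    )


def evaluate(compartment_names, tenancy_ocid):
    """PASS when at least one active non-root compartment exists; otherwise
    FAIL, carrying the remediation command from this page as a template."""
    if compartment_names:
        return {"status": "PASS", "compartments": list(compartment_names)}
    return {
        "status": "FAIL",
        "compartments": [],
        "remediation": (f"oci iam compartment create --compartment-id '{tenancy_ocid}' "
                        "--name '<name>' --description '<description>'"),
    }


def run_live(profile="DEFAULT"):
    """Assumed live path: shell out to the real OCI CLI (needs credentials)."""
    with open(os.path.expanduser("~/.oci/config")) as fh:
        tenancy = tenancy_ocid_from_config(fh.read(), profile)
    out = subprocess.run(
        ["oci", "search", "resource", "structured-search", "--profile", profile,
         "--query-text", build_search_query(tenancy)],
        check=True, capture_output=True, text=True,
    ).stdout
    return evaluate(active_nonroot_compartments(out), tenancy)


def run_sample():
    """Offline path over the constructed config and search output above."""
    tenancy = tenancy_ocid_from_config(SAMPLE_OCI_CONFIG)
    return evaluate(active_nonroot_compartments(SAMPLE_SEARCH_OUTPUT), tenancy)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Run it as-is to see the offline evaluation of the sample data (PASS, because cc-project5-compartment is ACTIVE while old-sandbox is ignored); for a real tenancy call run_live() with the profile name you normally pass to the CLI. A FAIL result includes the oci iam compartment create command from the Remediation section with the tenancy OCID already filled in and name and description left as placeholders.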

Remediation / Resolution

To create at least one non-root compartment in your OCI tenancy to manage cloud resources, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, select Compartments, choose Create Compartment, and perform the following actions to create a new non-root compartment:

  1. For Name, enter a unique name for the new compartment.
  2. For Description, provide a short description for the compartment.
  3. For Parent Compartment, select the name of your root compartment.
  4. (Optional) For Tag namespace, use the Tag key and Tag value fields to add tags that help you organize and track the new compartment.
  5. Choose Create Compartment to deploy your new non-root compartment.

04 If required, repeat step no. 3 to create more non-root compartments in your Oracle Cloud Infrastructure (OCI) tenancy.

05 (Optional) If you need to move cloud resources from the root compartment to the new non-root compartment(s), follow the steps for moving resources between compartments in the OCI documentation.

Using OCI CLI

01 Run iam compartment create command (Windows/macOS/Linux) to create a new non-root compartment in your Oracle Cloud Infrastructure (OCI) tenancy. For --compartment-id, specify the OCID of the parent compartment (i.e., root compartment) in your OCI tenancy:

oci iam compartment create \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--name 'cc-project5-compartment' \
	--description 'Compartment used for managing Project5 cloud resources'

02 The command output should return the information available for your new non-root compartment:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"description": "Compartment used for managing Project5 cloud resources",
		"freeform-tags": {},
		"id": "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"inactive-status": null,
		"is-accessible": true,
		"lifecycle-state": "ACTIVE",
		"name": "cc-project5-compartment",
		"time-created": "2025-03-20T06:40:13.885000+00:00"
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234abcd1234"
}

03 If required, repeat steps no. 1 and 2 to create more non-root compartments in your Oracle Cloud Infrastructure (OCI) tenancy.

04 (Optional) If you need to move cloud resources from the root compartment to the new non-root compartment(s), follow the steps for moving resources between compartments in the OCI documentation.


Publication date Mar 21, 2025