Best practice rules for Oracle Cloud Infrastructure

Use Customer-Managed Keys (CMKs) to encrypt your OCI Autonomous AI Databases.

Ensure that your OCI Autonomous AI Databases are using the latest version of Oracle AI Database.

Define customer contacts to receive operational notifications and announcements for your OCI Autonomous AI Databases.

Ensure that public network access to OCI Autonomous AI Databases is disabled.

Enable storage auto-scaling for your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases.

Enable compute auto-scaling for your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases.

Enable the Data Safe feature for your OCI Autonomous AI Databases.

Ensure that Database Management is enabled for your OCI Autonomous AI Databases.

Enable cross-region disaster recovery for your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases.

Enable immutable backup retention for Oracle Cloud Infrastructure (OCI) Autonomous AI Databases.

Enable Zero Trust Packet Routing (ZPR) for your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases.

Secure connections to OCI Autonomous AI Databases using mutual TLS (mTLS).

Ensure that network access to OCI Autonomous AI Databases is allowed via private endpoints only.

Use Customer-Managed Keys (CMKs) to encrypt your OCI Block Volume data.

Use Customer-Managed Keys (CMKs) to encrypt your OCI Boot Volume data.

Ensure that OCI Block Volume VPUs are configured appropriately for workload requirements.

Enable ongoing automatic asynchronous replication of Block Volumes across OCI regions.

Ensure that performance-based autotuning is enabled for OCI Block Volumes.

Ensure that performance-based autotuning is enabled for OCI Boot Volumes.

Use backup policies to schedule backups for Block Volumes in Oracle Cloud Infrastructure (OCI).

Ensure that Cloud Guard is enabled for your OCI compartments.

Ensure that your OCI compute instances are of a given, approved shape (e.g., VM.Standard.E5.Flex).

Avoid using public IP addresses for OCI compute instances unless it's necessary for business operations.

Ensure that Cloud Guard Workload Protection feature is enabled for OCI compute instances.

Ensure that compute instance monitoring is enabled for your OCI compute instances.

Ensure that the Confidential Computing feature is enabled for OCI compute instances.

Ensure that custom logs monitoring is enabled for your OCI compute instances.

Ensure that encryption of data in transit is enabled for OCI compute instances.

Ensure that OS Management Service is enabled for OCI compute instances.

Ensure that Secure Boot is enabled for shielded Oracle Cloud Infrastructure (OCI) compute instances.

Ensure that the Vulnerability Scanning feature is enabled for OCI compute instances.

Ensure that IMDSv2 is enforced for all Oracle Cloud Infrastructure (OCI) compute instances.

Ensure that your OCI compute instances are using Network Security Groups (NSGs) for traffic control.

Ensure that IAM group changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that IAM policy configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that IAM user changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that Identity Provider changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that Identity Provider changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that OCI local user authentication is being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that network gateway configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that network security group configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that changes to Cloud Guard issues are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that route table configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that security list configuration changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that VCN changes are being monitored using Oracle Cloud Infrastructure (OCI) Events.

Ensure that OCI Lustre file systems have cost allocation tags for accurate cost allocation and budget tracking.

Ensure that OCI File Storage file systems should be placed in same availability domain as compute resources.

Ensure that OCI file system clones are fully hydrated for production use.

Ensure that OCI File Storage systems have cost allocation tags for accurate cost allocation and budget tracking.

Ensure that clone parent file systems without attached child clones are removed.

Ensure that snapshot policies are configured for your OCI File Storage file systems.

Ensure that active replication is enabled for your OCI File Storage systems.

Ensure that OCI File Storage quota enforcement is enabled for cost control.

Use Customer-Managed Keys (CMKs) to encrypt your OCI File Storage systems.

Use Customer-Managed Keys (CMKs) to encrypt your OCI Lustre file systems.

Ensure that your Lustre file systems are using Network Security Groups (NSGs) for traffic control.

Ensure that resource locking is enabled for your production OCI File Storage systems.

Ensure that Oracle Cloud Infrastructure (OCI) Functions applications are attached to Network Security Groups (NSGs) to implement granular ingress and egress network access controls.

Ensure that IAM policies controlling access to OCI Functions follow the principle of least privilege by granting only the minimum permissions necessary.

Ensure that Oracle Cloud Infrastructure (OCI) Functions applications are deployed in private subnets to minimize exposure to the public internet.

Ensure that IAM policies implement resource-level access controls for OCI Functions using specific application or function OCIDs in policy conditions.

Ensure that IAM policies separate function management permissions from function invocation permissions to enforce the principle of separation of duties.

Ensure that Virtual Cloud Networks (VCNs) containing OCI Functions applications have a service gateway configured to enable private communication with Oracle Services Network.

Ensure that function invocation and management requests are restricted to specific IP addresses or network sources to prevent unauthorized access from untrusted networks.

Ensure that API keys are not created for tenancy administrator users.

Ensure that permissions on all OCI resources are given only to the "Administrators" group.

Ensure there are no cloud resources within the OCI root compartment.

Ensure there is at least one non-root compartment in your OCI tenancy to store cloud resources.

Ensure that service-level administrators are enforced to manage resources of particular OCI service.

Ensure that all Oracle Cloud Infrastructure (OCI) IAM user accounts have a valid and current email address.

Ensure that account lock threshold is configured in your OCI IAM password policy.

Set the diagnostics type to capture operational logs within your OCI Identity Domain.

Ensure that the Multi-Factor Authentication (MFA) feature is enabled for all users with a console password.

Ensure that IAM password policy requires minimum 14 characters for passwords.

Ensure that IAM password policy enforces password expiration within 365 days or less.

Ensure that storage service-level administrators can't delete the resources they manage.

Ensure that OCI IAM password policy prevents password reuse.

Ensure that service administrators cannot update the tenancy "Administrators" group.

Ensure that customer secret keys are rotated on a periodic basis to follow security best practices.

Ensure that IAM database passwords are rotated on a periodic basis to follow security best practices.

Ensure that IAM user API keys are rotated on a periodic basis to follow security best practices.

Ensure that IAM user auth tokens are rotated on a periodic basis to follow security best practices.

Ensure that IAM user SMTP credentials are rotated on a periodic basis to follow security best practices.

Ensure there is a maximum of one active API key pair available for any single OCI IAM user.

Ensure that unused OCI IAM local users are disabled to follow cloud security best practices.

Ensure that your Oracle Cloud Infrastructure (OCI) resources are using default tags.

Enable and configure network perimeters for Oracle Cloud Infrastructure (OCI) identity domains.

Ensure that OCI KMS Vaults have cost allocation tags for accurate cost allocation and budget tracking.

Ensure that OCI KMS Vaults have environment tags for proper resource management and access control.

Ensure that OCI KMS Vaults use SOFTWARE-protected keys for cost optimization when HSM security is not required.

Ensure that your OCI KMS Customer-Managed Keys (CMKs) are regularly rotated.

Identify excessive unused Customer-Managed Keys (CMKs) and delete them to help lower the cost of your monthly OCI bill.

Ensure that your OCI KMS Vaults reside on an isolated partition within a Hardware Security Module (HSM).

Ensure that no network security groups allow unrestricted ingress access on TCP port 3389 (RDP).

Ensure that no security listS allow unrestricted ingress access on TCP port 3389 (RDP).

Ensure that no network security groups allow unrestricted ingress access on TCP port 22 (SSH).

Ensure that no security lists allow unrestricted ingress access on TCP port 22 (SSH).

Ensure that flow logs are enabled for Virtual Cloud Networks (VCN) subnets.

Ensure that the default security lists restrict all traffic except ICMP.

Ensure that public network access to Oracle Analytics Cloud (OAC) instances is disabled.

Ensure that network access to your Oracle Integration Cloud (OIC) instances is restricted.

Ensure that wildcard use is avoided in Roles and ClusterRoles.

Ensure the CNI plugin utilized by the OKE cluster supports network policies.

Ensure that the Kubelet configuration file ownership is set to "root:root".

Ensure that the kubelet configuration file has permissions set to 644.

Ensure that the "streamingConnectionIdleTimeout" parameter is not set to 0 (zero).

Ensure that the kubelet-config.json file ownership is set to "root:root".

Ensure that the kubelet-config.json file has permissions set to 644.

Ensure that anonymous requests to the Kubelet server are disabled.

Ensure that the Kubelet read-only port is disabled.

Ensure that public access to the Kubernetes API is disabled (allow access via private endpoints only).

Ensure that Kubelet authentication using SSL/TLS certificates is enabled.

Ensure that Kubernetes is configured to capture security-relevant events without restriction.

Ensure that the Kubelet server authorization mode is not set to "AlwaysAllow".

Ensure that Kubelet servers are configured to serve only HTTPS traffic.

Ensure that Kubelet client certificates are automatically rotated by setting the "rotateCertificates" parameter to true.

Ensure that Kubelet server certificates are automatically rotated.

Ensure that Kubelet is allowed to manage iptables.

OKE clusters should be configured with network policy support to enforce proper segmentation and secure communications.

Avoid using default service accounts for your OCI Kubernetes Engine (OKE) clusters.

Ensure that containers are not permitted to run with the "hostIPC" flag set to true.

Ensure that containers are not permitted to run with the "hostNetwork" flag set to true.

Ensure that containers are not permitted to run with the "hostPID" flag set to true.

Ensure that containers are not permitted to run with the "securityContext.privileged" flag set to true.

Ensure that containers are not permitted to run with the "allowPrivilegeEscalation" flag set to true.

Ensure that the use of the "cluster-admin" role is restricted across your OKE clusters.

Ensure that access to secrets is restricted across your OKE clusters.

Ensure the access to the Kubernetes control plane endpoint is restricted.

Ensure the service account tokens are only mounted where strictly necessary.

Ensure that only authorized personnel can create pods.

Ensure that dedicated service accounts are used for OCI Kubernetes Engine (OKE) clusters.

Use network policies to control traffic within your OKE cluster network.

Ensure the default Kubernetes namespace is not used.

Enable private nodes for OCI Kubernetes Engine (OKE) clusters.

Ensure that secrets are mounted as files, not environment variables.

Ensure that notification topics and subscriptions are configured to send monitoring alerts.

Ensure that OCI Object Storage buckets have cost allocation tags for accurate cost allocation and budget tracking.

Ensure that Object Storage buckets are not configured to allow public access.

Ensure that Auto-Tiering is enabled for Oracle Cloud Infrastructure (OCI) Object Storage buckets.

Ensure that replication is enabled for Oracle Cloud Infrastructure (OCI) Object Storage buckets.

Ensure that read logs are enabled for OCI Object Storage buckets.

Ensure that object versioning is enabled for OCI Object Storage buckets.

Ensure that write logs are enabled for OCI Object Storage buckets.

Use Customer-Managed Keys (CMKs) to encrypt your OCI Object Storage bucket data.