Securing Compute

This topic provides security information and recommendations for Compute.

The Compute service lets you provision and manage compute hosts, known as instances . You can create instances as needed to meet your compute and application requirements. After you create an instance, you can access it securely from your computer, restart it, attach and detach volumes, and terminate it when you're done with it. Any changes made to the instance's local drives are lost when you terminate it. Any saved changes to volumes attached to the instance are retained.

Security Responsibilities

To use Compute securely, learn about your security and compliance responsibilities.

In general, Oracle provides security of cloud infrastructure and operations, such as cloud operator access controls and infrastructure security patching. You are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.

Oracle is responsible for the following security requirements:

  • Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.

Your security responsibilities are described on this page, which include the following areas:

  • Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
  • Encryption and Confidentiality: Use encryption keys and secrets to protect your data and connect to secured resources. Rotate these keys regularly.
  • Patching: Keep software up to date with the latest security patches to prevent vulnerabilities.

Initial Security Tasks

Use this checklist to identify the tasks you perform to secure Compute in a new Oracle Cloud Infrastructure tenancy.

Task More Information
Use IAM policies to grant access to users and resources IAM Policies
Encrypt resources using a custom key Data Encryption
Secure network access to resources Network Security
Enable and configure Cloud Guard (optional) Cloud Guard
Create a security zone (optional) Security Zones

Routine Security Tasks

After getting started with Compute use this checklist to identify security tasks that we recommend you perform regularly.

Task More Information
Rotate encryption keys Data Encryption
Respond to problems detected in Cloud Guard Cloud Guard
Apply the latest security patches Patching
Perform a security audit Auditing

IAM Policies

Use policies to limit access to Compute.

A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.

Assign a group the least privileges that are required to perform their responsibilities. Each policy has a verb that describes what actions the group is allowed to do. From the least amount of access to the most, the available verbs are: inspect, read, use, and manage.

We recommend that you give DELETE permissions to a minimum set of IAM users and groups. This practice minimizes loss of data from inadvertent deletes by authorized users or from malicious actors. Only give DELETE permissions to tenancy and compartment administrators.

In all the following examples, the policies are scoped to a tenancy. However, by specifying a compartment name, they can be scoped down to specific compartment in a tenancy.

Restrict Users Ability to Delete Instances

The following example allows the InstanceUsers group to launch instances, but not to delete them.

Allow group InstanceUsers to manage instance-family in tenancy
 where request.permission!='INSTANCE_DELETE' 
Allow group InstanceUsers to use volume-family in tenancy 
Allow group InstanceUsers to use virtual-network-family in tenancy
Restrict Ability to Use Console Connections

For security compliance reasons, some customers do not want to expose the instance console to users in their tenancy. The following policy example restricts ability to create or read from consoles.

Allow group InstanceUsers to manage instance-console-connection in tenancy
 where all {request.permission!= INSTANCE_CONSOLE_CONNECTION_READ, 
            request.permission!= INSTANCE_CONSOLE_CONNECTION_CREATE}

For more information about Compute policies and to view more examples, see Details for the Core Services.

Access Control

In addition to creating IAM policies, lock down access to compute instances.

Instance Access to Other Services

You can use the Oracle Cloud Infrastructure instance principals feature to authorize instances to access other services on behalf of an IAM user.

For example, an instance might access Block Volume, Networking, Load Balancer, or Object Storage.

To use this feature, create dynamic groups and grant them access to service APIs. Dynamic groups allow you to group Oracle Cloud Infrastructure compute instances as "principal" actors (similar to user groups). You can then create policies to permit instances to make API calls against Oracle Cloud Infrastructure services.

When you create a dynamic group, rather than adding members explicitly to the group, you instead define a set of matching rules to define the group members. A short-lived private key to sign API calls is delivered through the instance metadata service (http://169.254.169.254/opc/<version>/identity/cert.pem), and the key is rotated multiple times a day. For more information about accessing services from instances, see Calling Services from an Instance.

Access to Instance Metadata

We recommend that you limit instance metadata access to privileged users on the instance.

Instance metadata (http://169.254.169.254) provides predefined instance information, such as OCID and display name, and custom fields. The instance metadata can also provide short-lived credentials, such as dynamic group credentials. The following example shows how to use iptables to restrict instance metadata access to the root user.

iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP

Instances use link local addresses to access the instance metadata service (169.254.169.254:80), DNS (169.254.169.254:53), NTP (169.254.169.254:123), kernel updates (169.254.0.3), and iSCSI connections to boot volumes (169.254.0.2:3260, 169.254.2.0/24:3260). You can use host-based firewalls, such as iptables, to ensure that only the root user is authorized to access these IPs. Ensure that these operating system firewall rules are not altered.

The instance metadata service is available in two versions, version 1 and version 2. IMDSv2 offers increased security compared to v1. We recommend you disable IMDSv1 and allow requests only to IMDSv2. See Upgrading to the Instance Metadata Service v2.

Cloud Guard

Enable Cloud Guard and use it to detect and respond to security issues in Compute resources.

Upon detecting a problem, Cloud Guard suggests corrective actions. You can also configure Cloud Guard to automatically take certain actions. Cloud Guard includes the following detector rules for Compute.

  • Instance has a public IP address
  • Instance is running an Oracle image
  • Instance is not running an Oracle image
  • Instance is publicly accessible
  • Instance terminated
  • Export image
  • Import image
  • Update image

For a list of all available detector rules in Cloud Guard, see Detector Recipe Reference.

If you haven't done so already, enable Cloud Guard and configure it to monitor the compartments that contain your resources. You can configure Cloud Guard targets to examine your entire tenancy (root compartment and all subcompartments), or to check only specific compartments. See Getting Started with Cloud Guard.

After enabling Cloud Guard, you can view and resolve detected security problems. See Processing Reported Problems.

Security Zones

Using Security Zones ensures your resources in Compute comply with security best practices.

A security zone is associated with one or more compartments and a security zone recipe. When you create and update resources in a security zone's compartment, Oracle Cloud Infrastructure validates these operations against the list of security zone policies in the recipe. If any policy in the recipe is violated, then the operation is denied. The following security zone policies are available for resources in Compute.

  • deny instance_in_security_zone_​launch_from_boot_volume_​not_in_security_zone
  • deny instance_in_security_zone_​in_subnet_not_in_security_​zone
  • deny instance_without_​sanctioned_image
  • deny boot_volume_not_in_security_​zone_attach_to_instance_​in_security_zone
  • deny boot_volume_without_​vault_key

For a list of all security zone policies, see Security Zone Policies.

To move existing resources to a compartment that is in a security zone, the resources must comply with all security zone policies in the zone's recipe. Similarly, resources in a security zone can't be moved to a compartment outside of the security zone because it might be less secure. See Managing Security Zones.

Data Encryption

Create and rotate encryption keys in the Vault service to protect your resources in Compute.

A vault is a logical entity that stores the encryption keys you use to protect your data. Depending on the protection mode, keys are either stored on the server, or they are stored on highly available and durable hardware security modules (HSMs). Our HSMs meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification. See Managing Vaults and Managing Keys.

Although default encryption keys can be generated automatically when you create certain Oracle Cloud Infrastructure resources, we recommend that you create and manage your own custom encryption keys in the Vault service.

Instance boot volumes are encrypted by default. When you create an instance, you can use a custom encryption key to encrypt the data at rest in the boot volume. If you enable in-transit encryption for the instance, then the custom key is used for in-transit encryption as well. See Creating an Instance.

Each master encryption key is automatically assigned a key version. When you rotate a key, the Vault service generates a new key version. Periodically rotating keys limits the amount of data encrypted or signed by one key version. If a key is ever comprised, key rotation reduces the risk to your data. See Managing Keys.

We recommend that you use IAM policies to strictly limit the creation, rotation, and deletion of encryption keys. See Details for the Vault Service.

Network Security

Secure network access to your resources in the Compute service, including Secure Shell (SSH).

Harden SSH on all instances. The following table shows some SSH security recommendations. SSH configuration options can be set in the sshd_config file. On Linux, this file is at /etc/ssh/sshd_config.

Security Recommendation Configuration sshd_config Comments
Use public-key logins only PubkeyAuthentication yes Periodically review SSH public keys in the ~/.ssh/authorized_keys file.
Disable password logins PasswordAuthentication no Mitigates brute-force password attacks.
Disable root logins PermitRootLogin no Prevents root privileges for remote logins.
Change SSH port to a non-standard port Port <port_number> Optional. Verify that this change does not break applications using port 22 for SSH.

Use secure SSH private keys to access instances and to prevent inadvertent disclosures. For more information about creating an SSH key pair and configuring an instance with the keys, see Managing Key Pairs on Linux Instances.

Use security lists , network security groups , or a combination of both to control packet-level traffic in and out of the resources in your VCN (virtual cloud network) . See Access and Security.

Fail2ban is an application that blocklists IP addresses involved in brute-force sign-in attempts (that is, too many failed attempts to sign in to an instance). By default, Fail2ban inspects SSH accesses, and you can configure it to inspect other protocols. For more information about Fail2ban, see Fail2ban Main Page.

In addition to VCN network security groups and security lists, use host-based firewalls, such as iptables and firewalld, to restrict network access to instances by controlling ports, protocols, and packet types. Use these firewalls to prevent potential network security attack reconnaissance, such as port scanning and intrusion attempts. Custom firewall rules can be configured, saved, and initialized on every instance boot. The following example shows commands for iptables.

# save iptables rules after configuration 
sudo iptables-save > /etc/iptables/iptables.rules 
# restore iptables rules on next reboot 
sudo /sbin/iptables-restore < /etc/iptables.rules 
# restart iptables after restore 
sudo service iptables restart

When you create a subnet in a VCN, by default the subnet is considered public and internet communication is permitted. Use private subnets  to host resources that do not require internet access. You can also configure a service gateway  in your VCN to allow resources on a private subnet to access other cloud services. See Connectivity Choices.

The Bastion service provides restricted and time-limited access to target resources that don't have public endpoints. Using a bastion, you can let authorized users connect to target resources on private endpoints by way of Secure Shell (SSH) sessions. When connected, users can interact with the target resource by using any software or protocol supported by SSH. See Managing Bastions.

Use Web Application Firewall (WAF) to create and manage protection rules for internet threats including Cross-Site Scripting (XSS), SQL Injection, and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while desirable bots are allowed to enter. WAF observes traffic to your web application over time and recommends new rules for you to configure. See Getting Started with Edge Policies.

Patching

Ensure that your Compute resources are running the latest security updates.

Keep instance software up to date with security patches. We recommend that you periodically apply the latest available software updates to your instances. Oracle Autonomous Linux images are automatically updated with the latest patches. For Oracle Linux images, you can run the sudo yum update command (sudo dnf update on Oracle Linux 8). On Oracle Linux, you can get information about available and installed security patches using the yum-security plugin. The following example provides commands for yum-security.

# Install yum-security plugin
yum install yum-plugin-security
# Get list of security patches without installing them
yum updateinfo list security all
# Get list of installed security patches
yum updateinfo list security all

Linux instances on Oracle Cloud Infrastructure can use Oracle Ksplice to apply critical kernel patches without rebooting. Ksplice can maintain specific kernel versions for Oracle Linux, CentOS, and Ubuntu. For more information, see Oracle Ksplice.

Use Oracle Cloud Infrastructure Vulnerability Scanning Service to help improve your security posture by routinely checking hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities, and assigns each a risk level. For example:
  • Ports that are unintentionally left open might be a potential attack vector to your cloud resources, or enable hackers to exploit other vulnerabilities.
  • OS packages that require updates and patches to address vulnerabilities
  • OS configurations that hackers might exploit
See Scanning Overview.

Hardening

Configure your Compute resources for production deployments.

Establish a baseline for security hardening of Linux and Windows images running on instances. For more information about security hardening of Oracle Linux images, see Tips for Hardening an Oracle Linux Server. The Center for Internet Security Benchmarks provides a comprehensive set of operating system security hardening benchmarks for various distributions of Linux and Windows Server.

Instance Entropy

In Linux instances, /dev/random is non-blocking and should be used for security applications requiring random numbers.

Both bare metal and VM instances provide a high-quality and high-throughput entropy source. Instances have random number generators whose output is fed into the entropy pools used by the operating system to generate random numbers.

You can use the following commands to check the throughput and quality of the random numbers generated by /dev/random before using the output in applications.

# check sources of entropy 
sudo rngd -v 
# enable rngd, if not already 
sudo systemctl start rngd 
# verify rngd status 
sudo systemctl status rngd 
# verify /dev/random throughput and quality using rngtest 
cat /dev/random | rngtest -c 1000

Auditing

Locate access logs and other security data for compute instances.

Various security-related events are captured in log files. We recommend that you periodically review these log files to detect any security issues. In Oracle Linux, the log files are in the folder /var/log. Some security-relevant log files are listed in the following table.

Log File or Directory Description
/var/log/secure Auth log showing failed and successful sign-ins.
/var/log/audit Auditd logs capturing system calls issued, sudo attempts, user sign-ins, and so on. ausearch and aureport are two tools used to query auditd logs.
/var/log/yum.log Lists packages installed or updated on instances with yum.
/var/log/cloud-init.log During instance boot, cloud-init can run user-provided scripts as a privileged user. For example, cloud-init can introduce SSH keys. We recommend that you review the cloud-init logs for any unrecognized commands.

The Audit service automatically records all API calls to Oracle Cloud Infrastructure resources. You can achieve your security and compliance goals by using the Audit service to monitor all user activity within your tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included. Audit records are available through an authenticated, filterable query API or they can be retrieved as batched files from Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as source IP, user agent, and HTTP headers of the request. See Viewing Audit Log Events.

Example Audit Log

An audit log for a LaunchInstance event

{
  "datetime": 1642192740551,
  "logContent": {
    "data": {
      "additionalDetails": {
        "X-Real-Port": 50258,
        "imageId": "ocid1.image.oc1.<unique_id>",
        "shape": "VM.Standard.E3.Flex",
        "type": "CustomerVmi",
        "volumeId": "null"
      },
      "availabilityDomain": "AD1",
      "compartmentId": "ocid1.tenancy.oc1..<unique_id>",
      "compartmentName": "mytenancy",
      "definedTags": {},
      "eventGroupingId": "<unique_id>",
      "eventName": "LaunchInstance",
      "freeformTags": {},
      "identity": {
        "authType": null,
        "callerId": null,
        "callerName": null,
        "consoleSessionId": null,
        "credentials": "<key>",
        "ipAddress": "<ip_address>",
        "principalId": "<user_id>",
        "principalName": "<user_name>",
        "tenantId": "ocid1.tenancy.oc1..<unique_id>",
        "userAgent": "Oracle-JavaSDK/1.33.2 (Linux/4.14.35-2047.509.2.2.el7uek.x86_64; Java/1.8.0_301; Java HotSpot(TM) 64-Bit Server VM GraalVM EE 20.3.3/25.301-b09-jvmci-20.3-b18)"
      },
      "message": "myinstance LaunchInstance succeeded",
      "request": {
        "action": "POST",
        "headers": {
          "Accept": [
            "application/json"
          ],
          "Connection": [
            "keep-alive"
          ],
          "Date": [
            "Fri, 14 Jan 2022 20:38:59 GMT"
          ]
        },
        "id": "<unique_id>",
        "parameters": {},
        "path": "/20160918/instances"
      },
      "resourceId": "ocid1.instance.oc1.phx.<unique_id>",
      "response": {
        "headers": {
          "Connection": [
            "keep-alive"
          ],
          "Content-Type": [
            "application/json"
          ],
          "Date": [
            "Fri, 14 Jan 2022 20:39:00 GMT"
          ],
          "ETag": [
            "<unique_id>"
          ],
          "Transfer-Encoding": [
            "chunked"
          ],
          "X-Content-Type-Options": [
            "nosniff"
          ],
          "opc-request-id": [
            "<unique_id>"
          ],
          "opc-work-request-id": [
            "ocid1.coreservicesworkrequest.oc1.phx.<unique_id>"
          ]
        },
        "message": null,
        "payload": {},
        "responseTime": "2022-01-14T20:39:00.551Z",
        "status": "200"
      },
      "stateChange": {
        "current": {
          "agentConfig": {
            "areAllPluginsDisabled": false,
            "isManagementDisabled": false,
            "isMonitoringDisabled": false
          },
          "availabilityConfig": {
            "recoveryAction": "RESTORE_INSTANCE"
          },
          "availabilityDomain": "EMIr:PHX-AD-1",
          "compartmentId": "ocid1.tenancy.oc1..<unique_id>",
          "definedTags": {},
          "displayName": "<unique_id>",
          "extendedMetadata": {},
          "faultDomain": "FAULT-DOMAIN-1",
          "freeformTags": {},
          "id": "ocid1.instance.oc1.phx.<unique_id>",
          "imageId": "ocid1.image.oc1.phx.<unique_id>",
          "instanceOptions": {
            "areLegacyImdsEndpointsDisabled": false
          },
          "launchMode": "PARAVIRTUALIZED",
          "launchOptions": {
            "bootVolumeType": "PARAVIRTUALIZED",
            "firmware": "UEFI_64",
            "isConsistentVolumeNamingEnabled": true,
            "isPvEncryptionInTransitEnabled": false,
            "networkType": "PARAVIRTUALIZED",
            "remoteDataVolumeType": "PARAVIRTUALIZED"
          },
          "lifecycleState": "PROVISIONING",
          "region": "phx",
          "shape": "VM.Standard.E3.Flex",
          "shapeConfig": {
            "gpus": 0,
            "localDisks": 0,
            "maxVnicAttachments": 2,
            "memoryInGBs": 16,
            "networkingBandwidthInGbps": 1,
            "ocpus": 1,
            "processorDescription": "2.25 GHz AMD EPYC™ 7742 (Rome)"
          },
          "sourceDetails": {
            "imageId": "ocid1.image.oc1.phx.<unique_id>",
            "sourceType": "image"
          },
          "systemTags": {},
          "timeCreated": "2022-01-14T20:39:00.260Z"
        },
        "previous": {}
      }
    },
    "dataschema": "2.0",
    "id": "<unique_id> ",
    "oracle": {
      "compartmentid": "ocid1.tenancy.oc1..<unique_id>",
      "ingestedtime": "2022-01-14T20:39:05.212Z",
      "loggroupid": "_Audit",
      "tenantid": "ocid1.tenancy.oc1..<unique_id>"
    },
    "source": "<unique_id>",
    "specversion": "1.0",
    "time": "2022-01-14T20:39:00.551Z",
    "type": "com.oraclecloud.computeApi.LaunchInstance.begin"
  }
}

If you enabled Cloud Guard in your tenancy, then it reports any user activities that are potential security concerns. Upon detecting a problem, Cloud Guard suggests corrective actions. You can also configure Cloud Guard to automatically take certain actions. See Getting Started with Cloud Guard and Processing Reported Problems.