Securing Monitoring

This topic provides security information and recommendations for the Oracle Cloud Infrastructure Monitoring service.

Security Responsibilities

To use Monitoring securely, learn about your security and compliance responsibilities.

In general, Oracle provides security of cloud infrastructure and operations, such as cloud operator access controls and infrastructure security patching. You are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.

Oracle is responsible for the following security requirements:

  • Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.

Your security responsibilities, described on this page, include the following areas:

  • Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.

Initial Security Tasks

Use this checklist to identify the tasks you perform to secure Monitoring in a new Oracle Cloud Infrastructure tenancy.

Task: Use IAM policies to grant access to users and resources
More information: IAM Policies

Routine Security Tasks

After getting started with Monitoring, use this checklist to identify security tasks that we recommend you perform regularly.

Monitoring does not have any security tasks that you need to perform regularly.

IAM Policies

Use policies to limit access to Monitoring.

A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.

Assign a group the least privileges required to perform its responsibilities. Each policy has a verb that describes what actions the group is allowed to perform. From the least amount of access to the most, the available verbs are: inspect, read, use, and manage.

For more information about Monitoring policies, see Details for Monitoring.

Alarm Access for Groups

List Alarms and Alarm Status

Create this policy to allow a group to list alarms and list alarm statuses.

Allow group <group_name> to inspect alarms in tenancy

Get Alarm Details and History

Create this policy to allow a group to get alarm details and get alarm history. The read metrics line is required for getting alarm history.

Allow group <group_name> to read alarms in tenancy
Allow group <group_name> to read metrics in tenancy

Manage Alarms

Create this policy to allow a group to manage alarms, using streams and existing topics for notifications. This policy doesn't allow creation of new topics.

Note

To limit the group to the permissions required for selecting streams, replace use streams with {STREAM_READ, STREAM_PRODUCE}.

Allow group <group_name> to manage alarms in tenancy
Allow group <group_name> to read metrics in tenancy
Allow group <group_name> to use ons-topics in tenancy
Allow group <group_name> to use streams in tenancy

Manage Alarms and Create Topics

Create this policy to allow a group to manage alarms, including creating topics (and subscriptions) for notifications (and using streams for notifications).

Note

To limit the group to the permissions required for selecting streams, replace use streams with {STREAM_READ, STREAM_PRODUCE}.

Allow group <group_name> to manage alarms in tenancy
Allow group <group_name> to read metrics in tenancy
Allow group <group_name> to manage ons-topics in tenancy
Allow group <group_name> to use streams in tenancy

Metric Access for Groups

List Metric Definitions

Create this policy to allow a group to list metric definitions in a compartment.

Allow group <group_name> to inspect metrics in compartment <compartment_name>

Query Metrics

Create this policy to allow a group to query metrics in a compartment.

Allow group <group_name> to read metrics in compartment <compartment_name>

Query Metrics for a Metric Namespace

Create this policy to allow a group to query metrics in a compartment, restricted to a metric namespace.

Allow group <group_name> to read metrics in compartment <compartment_name>
  where target.metrics.namespace='<metric_namespace>'

Publish Custom Metrics

Create this policy to allow a group to publish custom metrics to a metric namespace, as well as view metric data, create alarms and topics, and use streams with alarms.

Note

To limit the group to the permissions required for selecting streams, replace use streams with {STREAM_READ, STREAM_PRODUCE}.

Allow group <group_name> to use metrics in tenancy
  where target.metrics.namespace='<metric_namespace>'
Allow group <group_name> to read metrics in tenancy
Allow group <group_name> to manage alarms in tenancy
Allow group <group_name> to manage ons-topics in tenancy
Allow group <group_name> to use streams in tenancy

Metric Access for Resources

To let compute instances or other resources read metrics through API calls, do the following.

For more information about compute instances calling APIs, see Calling Services from an Instance.

  1. Add the resources to a dynamic group using its matching rules.

  2. Create a policy that allows that dynamic group to access metrics.

    Allow dynamic-group <dynamic_group_name> to read metrics in tenancy

Cross-Tenancy Metric Access

Use cross-tenancy metric access to share metrics with another organization that has its own tenancy. For example, share metrics with another business unit in your company, a customer of your company, or a company that provides services to your company.

To access and share resources, the administrators of both tenancies need to create special policy statements that explicitly state the resources that can be accessed and shared. These special statements use the words Define, Endorse, and Admit. For more information about these statements, see Endorse, Admit, and Define Statements (on the "Accessing Object Storage Resources Across Tenancies" page).

Source Tenancy Policy Statements

The source administrator creates policy statements that endorse a source IAM group allowed to manage resources in the destination tenancy.

Example: Endorse MetricsAdminsUserGroup to do anything with any metric resource in any tenancy:

Endorse group MetricsAdminsUserGroup to manage metrics in any-tenancy

To write a policy that reduces the scope of tenancy access, the source administrator must reference the destination tenancy OCID provided by the destination administrator.

Example: Endorse MetricsAdminsUserGroup to read metric resources in the destination tenancy (DestinationTenancy) only:

Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<unique_ID>
Endorse group MetricsAdminsUserGroupInSource to read metrics in tenancy DestinationTenancy

To allow a group to publish metrics to the destination tenancy, use the manage verb:

Example: Endorse MetricsAdminsUserGroup to manage metric resources in the destination tenancy (DestinationTenancy) only:

Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<unique_ID>
Endorse group MetricsAdminsUserGroupInSource to manage metrics in tenancy DestinationTenancy

Example: Endorse a dynamic group (MetricsAdminsDynamicGroup) to read metric resources in the destination tenancy:

Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<unique_ID>
Endorse dynamic-group MetricsAdminsDynamicGroup to read metrics in tenancy DestinationTenancy

Destination Tenancy Policy Statements

Example: Admit MetricsAdminsUserGroup in the source tenancy (MetricsAdminsUserGroupInSource) to do anything with any metric resource in your tenancy:

Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define group MetricsAdminsUserGroupInSource as ocid1.group.oc1..<unique_ID>
Admit group MetricsAdminsUserGroupInSource of tenancy SourceTenancy to manage metrics in tenancy

Example: Admit MetricsAdminsUserGroup in the source tenancy (MetricsAdminsUserGroupInSource) to read metric resources in the SharedMetrics compartment only:

Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define group MetricsAdminsUserGroupInSource as ocid1.group.oc1..<unique_ID>
Admit group MetricsAdminsUserGroupInSource of tenancy SourceTenancy to read metrics in compartment SharedMetrics

Example: Admit a dynamic group (MetricsAdminsDynamicGroup) in the source tenancy (MetricsAdminsDynamicGroupInSource) to read metric resources in the SharedMetrics compartment only:

Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define dynamic-group MetricsAdminsDynamicGroupInSource as ocid1.dynamicgroup.oc1..<unique_ID>
Admit dynamic-group MetricsAdminsDynamicGroupInSource of tenancy SourceTenancy to read metrics in compartment SharedMetrics
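The verb ordering described under IAM Policies, the group and dynamic-group statements in the sections above, and the Define, Endorse and Admit statements for cross-tenancy access all lend themselves to an automated review before a policy is applied. The following Python script is an added example and is not Oracle's code or an OCI tool: it parses the statement forms shown on this page with regular expressions of its own, then flags what a least-privilege review looks for, namely manage granted across a whole tenancy with no condition, an endorsement into any-tenancy, a tenancy or group alias used by Endorse or Admit with no matching Define statement, and a where-clause value that is not single-quoted. The finding codes, the helper names, the sample policy text and the placeholder OCID are constructed for this example; the script does not call the OCI API and does not reproduce the IAM service's own validation.

```python
"""Lint OCI IAM policy statements for Monitoring. Added example, not Oracle's code: it parses
the Allow / Endorse / Admit / Define forms shown on the page; codes and sample are constructed."""
import re
from typing import Dict, List, Optional

# Verb hierarchy, least to most access, as given under "IAM Policies".
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

_SUBJECT = r"(?P<stype>group|dynamic-group)\s+(?P<subject>\S+)"
# A verb is a standard verb or a permission set such as {STREAM_READ, STREAM_PRODUCE};
# a permission set is followed directly by 'in', with no resource word.
_VERB = r"(?P<verb>inspect|read|use|manage|\{[^}]*\})"
_TARGET = (r"(?:(?P<resource>\S+)\s+)?in\s+(?P<scope_kind>any-tenancy|tenancy|compartment)"
           r"(?:\s+(?P<scope>\S+))?(?:\s+where\s+(?P<cond>.+))?")
_PATTERNS = {
    "Allow": re.compile(rf"^Allow\s+{_SUBJECT}\s+to\s+{_VERB}\s+{_TARGET}$"),
    "Endorse": re.compile(rf"^Endorse\s+{_SUBJECT}\s+to\s+{_VERB}\s+{_TARGET}$"),
    "Admit": re.compile(rf"^Admit\s+{_SUBJECT}\s+of\s+tenancy\s+(?P<src_tenancy>\S+)"
                        rf"\s+to\s+{_VERB}\s+{_TARGET}$"),
    "Define": re.compile(r"^Define\s+(?P<stype>tenancy|group|dynamic-group)\s+(?P<subject>\S+)\s+as\s+\S+$"),
}
Statement = Dict[str, Optional[str]]  # 'kind', 'text' plus the named regex groups (None if absent)

def _logical_lines(policy_text: str) -> List[str]:
    """Join an indented 'where ...' continuation line onto the statement before it."""
    out: List[str] = []
    for line in (raw.strip() for raw in policy_text.splitlines() if raw.strip()):
        if line.lower().startswith("where") and out:
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def parse_policy(policy_text: str) -> List[Statement]:
    statements: List[Statement] = []
    for text in _logical_lines(policy_text):
        s: Statement = {"kind": "UNKNOWN", "text": text}
        for kind, pattern in _PATTERNS.items():
            m = pattern.match(text)
            if m:
                s = {"kind": kind, "text": text, **m.groupdict()}
                break
        statements.append(s)
    return statements

def lint_policy(policy_text: str) -> List[str]:
    """Return 'CODE: message' findings; an empty list means nothing was flagged."""
    statements = parse_policy(policy_text)
    defined = {(s["stype"], s["subject"]) for s in statements if s["kind"] == "Define"}
    findings: List[str] = []
    for s in statements:
        if s["kind"] == "UNKNOWN":
            findings.append(f"UNPARSED: {s['text']}")
            continue
        if s["kind"] in ("Allow", "Admit") and s.get("verb") == "manage" \
                and s.get("scope_kind") == "tenancy" and not s.get("cond"):
            findings.append(f"BROAD_MANAGE: {s['subject']} may manage {s.get('resource')} across the "
                            "whole tenancy; prefer a compartment scope or a where clause")
        if s["kind"] == "Endorse" and s.get("scope_kind") == "any-tenancy":
            findings.append(f"ANY_TENANCY: {s['subject']} is endorsed into every tenancy; "
                            "Define the destination tenancy and name it instead")
        refs = []  # aliases that must come from a Define statement in the same policy
        if s["kind"] in ("Endorse", "Admit") and s.get("scope_kind") == "tenancy" and s.get("scope"):
            refs.append(("tenancy", s["scope"]))
        if s["kind"] == "Admit":
            refs += [("tenancy", s["src_tenancy"]), (s["stype"], s["subject"])]
        findings += [f"UNDEFINED_ALIAS: {k} {a} has no Define statement"
                     for k, a in refs if (k, a) not in defined]
        if s.get("cond"):
            m = re.search(r"=\s*(\S+)", s["cond"])
            if m and not re.fullmatch(r"'[^']*'", m.group(1)):
                findings.append(f"UNQUOTED_VALUE: where clause value {m.group(1)} is not single-quoted")
    return findings

def highest_verb_per_subject(policy_text: str) -> Dict[str, str]:
    """Most permissive standard verb each subject holds, by the inspect < read < use < manage order."""
    best: Dict[str, str] = {}
    for s in parse_policy(policy_text):
        verb = s.get("verb")
        if verb in VERB_RANK:
            key = f"{s['stype']} {s['subject']}"
            if VERB_RANK[verb] > VERB_RANK.get(best.get(key), -1):
                best[key] = verb
    return best

# Constructed sample built from the page's statement forms; the OCID is a placeholder.
SAMPLE_POLICY = """
Allow group MetricsReaders to read metrics in compartment Prod
  where target.metrics.namespace='oci_computeagent'
Allow group AlarmAdmins to manage alarms in tenancy
Allow group AlarmAdmins to {STREAM_READ, STREAM_PRODUCE} in tenancy
Allow group MetricPublishers to use metrics in tenancy
  where target.metrics.namespace=custom_namespace'
Endorse group MetricsAdminsUserGroup to manage metrics in any-tenancy
Define tenancy DestinationTenancy as ocid1.tenancy.oc1..EXAMPLE_PLACEHOLDER
Endorse group MetricsAdminsUserGroupInSource to read metrics in tenancy DestinationTenancy
Admit group MetricsAdminsUserGroupInSource of tenancy SourceTenancy to read metrics in compartment SharedMetrics
"""
```

Running `lint_policy(SAMPLE_POLICY)` reports five findings: the tenancy-wide manage on alarms, the any-tenancy endorsement, the two aliases (SourceTenancy and the admitted group) that the sample never defines, and the where-clause value whose opening quote is missing, the same defect as `namespace=<metric_namespace>'`. Continuation lines are joined by `_logical_lines` exactly as the indented where clauses are laid out on this page, and `highest_verb_per_subject` reports the top of the verb hierarchy each group holds, which is the number a reviewer compares against the responsibilities of that group.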