Securing Monitoring
This topic provides security information and recommendations for the Oracle Cloud Infrastructure Monitoring service.
Security Responsibilities
To use Monitoring securely, learn about your security and compliance responsibilities.
Oracle is responsible for the following security requirements:
- Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
Your security responsibilities, described on this page, include the following areas:
- Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
Initial Security Tasks
Use this checklist to identify the tasks you perform to secure Monitoring in a new Oracle Cloud Infrastructure tenancy.
| Task | More Information |
|---|---|
| Use IAM policies to grant access to users and resources | IAM Policies |
Routine Security Tasks
After getting started with Monitoring, use this checklist to identify security tasks that we recommend you perform regularly.
Monitoring does not have any security tasks that you need to perform regularly.
IAM Policies
Use policies to limit access to Monitoring.
A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.
Assign a group the least privileges that are required to perform their responsibilities. Each policy has a verb that describes what actions the group is allowed to do. From the least amount of access to the most, the available verbs are: inspect, read, use, and manage.
For more information about Monitoring policies, see Details for Health Checks.
Alarm Access for Groups
List Alarms and Alarm Status
Create this policy to allow a group to list alarms and list alarm statuses.
Allow group <group_name> to inspect alarms in tenancy
Get Alarm Details and History
Create this policy to allow a group to get alarm details and get alarm history. The read metrics line is required for getting alarm history.
Allow group <group_name> to read alarms in tenancy
Allow group <group_name> to read metrics in tenancy
Manage Alarms
Create this policy to allow a group to manage alarms, using streams and existing topics for notifications. This policy doesn't allow creation of new topics.
To limit the group to the permissions required for selecting streams, replace use streams with {STREAM_READ, STREAM_PRODUCE}.
Allow group <group_name> to manage alarms in tenancy
Allow group <group_name> to read metrics in tenancy
Allow group <group_name> to use ons-topics in tenancy
Allow group <group_name> to use streams in tenancy
Manage Alarms and Create Topics
Create this policy to allow a group to manage alarms, including creating topics (and subscriptions) for notifications (and using streams for notifications).
To limit the group to the permissions required for selecting streams, replace use streams with {STREAM_READ, STREAM_PRODUCE}.
Allow group <group_name> to manage alarms in tenancy
Allow group <group_name> to read metrics in tenancy
Allow group <group_name> to manage ons-topics in tenancy
Allow group <group_name> to use streams in tenancy
Metric Access for Groups
List Metric Definitions
Create this policy to allow a group to list metric definitions in a compartment.
Allow group <group_name> to inspect metrics in compartment <compartment_name>
Query Metrics
Create this policy to allow a group to query metrics in a compartment.
Allow group <group_name> to read metrics in compartment <compartment_name>
Query Metrics for a Metric Namespace
Create this policy to allow a group to query metrics in a compartment, restricted to a metric namespace.
Allow group <group_name> to read metrics in compartment <compartment_name>
where target.metrics.namespace='<metric_namespace>'
Publish Custom Metrics
Create this policy to allow a group to publish custom metrics to a metric namespace, as well as view metric data, create alarms and topics, and use streams with alarms.
To limit the group to the permissions required for selecting streams, replace use streams with {STREAM_READ, STREAM_PRODUCE}.
Allow group <group_name> to use metrics in tenancy
where target.metrics.namespace='<metric_namespace>'
Allow group <group_name> to read metrics in tenancy
Allow group <group_name> to manage alarms in tenancy
Allow group <group_name> to manage ons-topics in tenancy
Allow group <group_name> to use streams in tenancy
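The three alarm and metric policies above all end with the same advice: narrow "use streams" to {STREAM_READ, STREAM_PRODUCE}, and grant verbs from the inspect/read/use/manage ladder sparingly. The following added example (not code from the Oracle documentation) is a small reviewer script for that: it parses the Allow statement shapes shown on this page, applies the stream narrowing, and flags tenancy-wide manage grants and unbalanced quotes in a where clause. The group name metrics-publishers and the namespace custom_app are constructed sample values; the parser covers only the statement forms on this page.

```python
import re

# Verbs ordered from least to most access, as the page lists them.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# The narrower grant the page recommends instead of "use streams".
STREAM_SELECT_PERMS = "{STREAM_READ, STREAM_PRODUCE}"

# Grammar of the statement shapes shown on this page (and nothing more):
#   Allow <group|dynamic-group> <name> to <verb> <resource> in <tenancy|compartment X> [where ...]
#   Allow <group|dynamic-group> <name> to {PERM, ...} in <tenancy|compartment X> [where ...]
STATEMENT_RE = re.compile(
    r"^Allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?:(?P<perms>\{[^}]*\})|(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+))"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Split one Allow statement into its parts; raise on anything unrecognised."""
    m = STATEMENT_RE.match(" ".join(stmt.split()))
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    p = m.groupdict()
    p["verb"] = p["verb"].lower() if p["verb"] else None
    p["resource"] = p["resource"].lower() if p["resource"] else None
    p["permissions"] = (
        sorted(x.strip().upper() for x in p["perms"][1:-1].split(",")) if p["perms"] else None
    )
    del p["perms"]
    return p


def narrow_stream_grant(stmt):
    """Apply the page's advice: replace 'use streams' with the two stream permissions."""
    return re.sub(r"\buse\s+streams\b", STREAM_SELECT_PERMS, stmt, flags=re.IGNORECASE)


def review(statements):
    """Return (finding, statement) pairs a policy reviewer would want to look at."""
    findings = []
    for s in statements:
        p = parse_statement(s)
        # An odd number of quotes means a string literal was never closed.
        if p["condition"] and p["condition"].count("'") % 2:
            findings.append(("unbalanced quote in where clause", s))
        if p["verb"] == "manage" and p["scope"].lower() == "tenancy":
            findings.append(("manage granted at tenancy scope", s))
        if p["verb"] == "use" and p["resource"] == "streams":
            findings.append((f"use streams can be narrowed to {STREAM_SELECT_PERMS}", s))
    return findings


# Constructed sample: the Publish Custom Metrics policy above with placeholders filled in.
SAMPLE_POLICY = [
    "Allow group metrics-publishers to use metrics in tenancy where target.metrics.namespace='custom_app'",
    "Allow group metrics-publishers to read metrics in tenancy",
    "Allow group metrics-publishers to manage alarms in tenancy",
    "Allow group metrics-publishers to manage ons-topics in tenancy",
    "Allow group metrics-publishers to use streams in tenancy",
]

# Constructed slip: the opening quote around the namespace is missing.
BAD_STATEMENT = (
    "Allow group metrics-publishers to use metrics in tenancy where target.metrics.namespace=custom_app'"
)

if __name__ == "__main__":
    for finding, stmt in review(SAMPLE_POLICY + [BAD_STATEMENT]):
        print(f"{finding}: {stmt}")
    print(narrow_stream_grant(SAMPLE_POLICY[-1]))
```

The tenancy-wide manage findings are deliberately noisy: the page's policies do grant manage alarms and manage ons-topics in tenancy, and a reviewer decides whether a compartment scope would serve instead. The quote check catches the kind of slip that silently turns a namespace condition into one that never matches.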
Metric Access for Resources
If you want compute instances or other resources to monitor metrics through API calls, then do the following.
For more information about compute instances calling APIs, see Calling Services from an Instance.
- Add the resources to a dynamic group using its matching rules.
- Create a policy that allows that dynamic group to access metrics.
Allow dynamic-group <dynamic_group_name> to read metrics in tenancy
Cross-Tenancy Metric Access
Use cross-tenancy metric access to share metrics with another organization that has its own tenancy. For example, share metrics with another business unit in your company, a customer of your company, or a company that provides services to your company.
To access and share resources, the administrators of both tenancies need to create special policy statements that explicitly state the resources that can be accessed and shared. These special statements use the words Define, Endorse, and Admit. For more information about these statements, see Cross-Tenancy Access Policies.
Source Tenancy Policy Statements
The source and target tenancy administrators create policy statements that endorse a source IAM group allowed to manage resources in the destination tenancy.
Example: Endorse MetricsAdminsUserGroup to do anything with any metric resource in any tenancy:
Endorse group MetricsAdminsUserGroup to manage metrics in any-tenancy
To write a policy that reduces the scope of tenancy access, the source administrator must reference the destination tenancy OCID provided by the destination administrator.
Example: Endorse MetricsAdminsUserGroup to read metric resources in the destination tenancy (DestinationTenancy) only:
Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<unique_ID>
Endorse group MetricsAdminsUserGroupInSource to read metrics in tenancy DestinationTenancy
To allow a group to publish metrics to the destination tenancy, use the manage verb:
Example: Endorse MetricsAdminsUserGroup to manage metric resources in the destination tenancy (DestinationTenancy) only:
Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<unique_ID>
Endorse group MetricsAdminsUserGroupInSource to manage metrics in tenancy DestinationTenancy
Example: Endorse a dynamic group (MetricsAdminsDynamicGroup) to read metric resources in the destination tenancy:
Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<unique_ID>
Endorse dynamic-group MetricsAdminsDynamicGroup to read metrics in tenancy DestinationTenancy
Destination Tenancy Policy Statements
Example: Endorse MetricsAdminsUserGroup in the source tenancy (MetricsAdminsUserGroupInSource) to do anything with any metric resource in your tenancy:
Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define group MetricsAdminsUserGroupInSource as ocid1.group.oc1..<unique_ID>
Admit group MetricsAdminsUserGroupInSource of tenancy SourceTenancy to manage metrics in tenancy
Example: Endorse MetricsAdminsUserGroup in the source tenancy (MetricsAdminsUserGroupInSource) to read metrics resources in the SharedMetrics compartment only:
Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define group MetricsAdminsUserGroupInSource as ocid1.group.oc1..<unique_ID>
Admit group MetricsAdminsUserGroupInSource of tenancy SourceTenancy to read metrics in compartment SharedMetrics
Example: Endorse a dynamic group (MetricsAdminsDynamicGroup) in the source tenancy (MetricsAdminsDynamicGroupInSource) to read metric resources in the SharedMetrics compartment only:
Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define dynamic-group MetricsAdminsDynamicGroupInSource as ocid1.dynamicgroup.oc1..<unique_ID>
Admit dynamic-group MetricsAdminsDynamicGroupInSource of tenancy SourceTenancy to read metrics in compartment SharedMetrics
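Cross-tenancy access only works when the Endorse half in the source tenancy and the Define/Admit half in the destination tenancy line up, and the access that results is the intersection of the two. The following added example (not code from the Oracle documentation) generates both halves from the aliases used above, checks that each Define carries an OCID of the declared kind (ocid1.tenancy., ocid1.group., ocid1.dynamicgroup., as on this page), and computes the effective verb and scope. All OCIDs in it are constructed placeholders; the generator covers only the Endorse and Admit shapes shown on this page.

```python
import re

# Verbs ordered from least to most access.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# OCID prefix each Define kind should carry; catches a group alias defined with a
# dynamic-group OCID (or the reverse), which would make the Admit refer to the wrong principal.
OCID_PREFIX = {
    "tenancy": "ocid1.tenancy.",
    "group": "ocid1.group.",
    "dynamic-group": "ocid1.dynamicgroup.",
}

DEFINE_RE = re.compile(r"^Define\s+(tenancy|group|dynamic-group)\s+(\S+)\s+as\s+(\S+)$", re.IGNORECASE)
ENDORSE_RE = re.compile(
    r"^Endorse\s+(group|dynamic-group)\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+metrics\s+in\s+"
    r"(any-tenancy|tenancy\s+\S+)$",
    re.IGNORECASE,
)
ADMIT_RE = re.compile(
    r"^Admit\s+(group|dynamic-group)\s+(\S+)\s+of\s+tenancy\s+(\S+)\s+to\s+(inspect|read|use|manage)"
    r"\s+metrics\s+in\s+(tenancy|compartment\s+\S+)$",
    re.IGNORECASE,
)


def source_statements(subject_type, subject, dest_alias, dest_tenancy_ocid, verb="read"):
    """What the source administrator writes: name the destination tenancy by OCID,
    then endorse the local group (or dynamic group) for that tenancy only."""
    return [
        f"Define tenancy {dest_alias} as {dest_tenancy_ocid}",
        f"Endorse {subject_type} {subject} to {verb} metrics in tenancy {dest_alias}",
    ]


def destination_statements(subject_type, subject_alias, subject_ocid, src_alias,
                           src_tenancy_ocid, verb="read", compartment=None):
    """What the destination administrator writes: name the source tenancy and the
    foreign group by OCID, then admit it, optionally to a single compartment."""
    scope = f"compartment {compartment}" if compartment else "tenancy"
    return [
        f"Define tenancy {src_alias} as {src_tenancy_ocid}",
        f"Define {subject_type} {subject_alias} as {subject_ocid}",
        f"Admit {subject_type} {subject_alias} of tenancy {src_alias} to {verb} metrics in {scope}",
    ]


def check_defines(statements):
    """Flag Define statements whose OCID does not match the declared kind."""
    problems = []
    for s in statements:
        m = DEFINE_RE.match(s.strip())
        if not m:
            continue
        kind, alias, ocid = m.group(1).lower(), m.group(2), m.group(3)
        if not ocid.startswith(OCID_PREFIX[kind]):
            problems.append(f"Define {kind} {alias}: expected an OCID starting with "
                            f"{OCID_PREFIX[kind]}, got {ocid}")
    return problems


def effective_access(source_stmts, destination_stmts):
    """Cross-tenancy access is the intersection of what the source endorses and what
    the destination admits. Return (verb, scope) of that intersection, or None when
    the two halves do not line up (no Endorse/Admit pair, or different subject kinds)."""
    endorse = next((m for m in map(ENDORSE_RE.match, source_stmts) if m), None)
    admit = next((m for m in map(ADMIT_RE.match, destination_stmts) if m), None)
    if endorse is None or admit is None or endorse.group(1).lower() != admit.group(1).lower():
        return None
    # The lower-ranked verb wins; the destination's Admit decides the scope.
    verb = min(endorse.group(3).lower(), admit.group(4).lower(), key=VERB_RANK.__getitem__)
    return verb, " ".join(admit.group(5).split())


if __name__ == "__main__":
    # Constructed OCIDs; real ones come from each tenancy's administrator.
    src = source_statements("group", "MetricsAdminsUserGroup", "DestinationTenancy",
                            "ocid1.tenancy.oc1..exampledest", verb="manage")
    dst = destination_statements("group", "MetricsAdminsUserGroupInSource",
                                 "ocid1.group.oc1..examplegroup", "SourceTenancy",
                                 "ocid1.tenancy.oc1..examplesrc", verb="read",
                                 compartment="SharedMetrics")
    print("\n".join(src + dst))
    print("problems:", check_defines(src + dst))
    print("effective access:", effective_access(src, dst))
```

The run above shows the pattern the page recommends: the source may endorse manage, but because the destination admits only read in compartment SharedMetrics, the foreign group ends up with read access to that compartment and nothing more.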