Perform these tasks before you enable Oracle Cloud Guard.
Note
Cloud Guard is not available for free Oracle Cloud Infrastructure tenancies. Before you attempt to enable Cloud Guard, ensure that:
You have a paid tenancy.
Your tenancy account type is one of these: default_dbaas, enterprise_dbaas, or enterprise.
Creating the Cloud Guard User Group
To allow users to work with Cloud Guard, create a user group with administrator privileges. Cloud Guard deals with security information globally and should be available to a restricted audience.
Log in to the Oracle Cloud Infrastructure console as a tenancy administrator.
Open the navigation menu and click Identity & Security. Under Identity, click Groups.
Click Create Group.
Fill in the required fields and then click Create. Provide a name that clearly identifies the group, such as CloudGuardUsers. Avoid entering confidential information.
What's Next
Add Cloud Guard users to the group you created.
If you plan to use an identity provider (IdP), such as Oracle Identity Cloud Service, for federated authentication of users, you must map the Identity Provider Group to the OCI IAM Group you created. See Managing Oracle Identity Cloud Service Users in the Console for the steps to follow for Oracle Identity Cloud Service.
Policy Statements for Users
Add a policy statement that enables the Cloud Guard users group you defined to manage Cloud Guard resources.
Note
You can find all the policies required to enable Cloud Guard in the Oracle Cloud Infrastructure Identity and Access Management (IAM) Common Policies topic. On that page, search for "Cloud Guard" and expand the four lists that you find.
For detailed information on individual Cloud Guard policies, see Cloud Guard Policies.
To manage Cloud Guard resources, add the following policy statement to enable all users in the CloudGuardUsers group. Substitute the name you assigned to the group, if you did not name it CloudGuardUsers.
allow group CloudGuardUsers to manage cloud-guard-family in tenancy
If the Cloud Guard users group is not in the default identity domain, you must include the <identity_domain_name>, followed by a forward slash ("/"), before the group name:
allow group <identity_domain_name>/CloudGuardUsers to manage cloud-guard-family in tenancy
With this policy in place, users that you add to the Cloud Guard users group are ready to proceed with Enabling Cloud Guard.
Note
If for some reason you choose not to add the exact policy statement above, you must add the following policy statement as a minimum requirement to allow users to access Cloud Guard:
allow group CloudGuardUsers to use cloud-guard-config in tenancy
If the Cloud Guard users group is not in the default identity domain, you must include the <identity_domain_name>, followed by a forward slash ("/"), before the group name:
allow group <identity_domain_name>/CloudGuardUsers to use cloud-guard-config in tenancy
Based on typical security functions that might exist in an organization, Cloud Guard supports the following administrator roles. Each role has corresponding IAM resource names and policies that you can use to control access to Cloud Guard functions.

Administrator Role: Service Owner (Root or Super Admin)
Cloud Guard Functions: Enable Cloud Guard; create IAM groups and policies
IAM Permissions Resources: cloud-guard-family
Accessible Functions: Manage cloud-guard-family in tenancy

Administrator Role: Security Architect (Security Analyst)
Cloud Guard Functions: Clone detector recipes; manage detectors; assign detector recipes to targets; read/manage problems, problem scores, and other metrics
IAM Permissions Resources: cloud-guard-detectors, cloud-guard-targets, cloud-guard-detector-recipes, cloud-guard-responder-recipes, cloud-guard-managed-lists, cloud-guard-problems, cloud-guard-risk-scores, cloud-guard-security-scores
Accessible Functions: Manage/Inspect/Read* these resources in tenancy/compartment

Administrator Role: Security Operations Admin
Cloud Guard Functions: Manage, Inspect, or Read* Cloud Guard problems
IAM Permissions Resources: cloud-guard-problems
Accessible Functions: Manage/Inspect/Read* Cloud Guard problems

* Read vs. Inspect: Read allows viewing the details of problems that are listed; Inspect only allows viewing the problems list. Read is a superset of Inspect.
Caution
Ensure that only the root administrator can delete targets.
The following table lists use cases that give examples of administrator roles and the IAM policies you could configure to support them.

Use Case: Read-only access to Cloud Guard data and configuration for all compartments
Minimum Required Policies: Admin can create a special group like cgreadgroup, add users to this group, and then add these policies:
allow group cgreadgroup to read cloud-guard-family in tenancy
allow group cgreadgroup to read compartments in tenancy
Allowed, Disallowed Functions: Allowed: read Overview, Problems, Detectors, Targets, and Responder Activity pages. Disallowed: edit or clone detector recipes, create targets, delete recipes from targets, and create managed lists.
Permissions Auth.: Overview Page - Read: Yes; Problems - Read: Yes; Problems - Manage: No; Problems - Remediate: No; Targets - Read: Yes; Targets - Manage: No; Detector Recipes/Rules - Read: Yes; Detector Recipes/Rules - Manage: No; Responder Activity - Read: Yes

Use Case: Read-only access to Cloud Guard data and configuration for one compartment
Minimum Required Policies: Admin can create a special group like cggroupcomptonly, add users to this group, then add these policies ('OCIDemo' is the name of the compartment here):
allow group cggroupcomptonly to read compartments in tenancy where target.compartment.name = 'OCIDemo'
allow group cggroupcomptonly to read cloud-guard-family in compartment OCIDemo
allow group cggroupcomptonly to inspect cloud-guard-config in tenancy
Allowed, Disallowed Functions: Allowed: read data only for the specified compartment, on the Overview, Problems, Detectors, and Targets pages. Disallowed: read those pages showing data for other compartments.
Permissions Auth.: Overview Page - Read: Yes; Problems - Read: Yes; Problems - Manage: No; Problems - Remediate: No; Targets - Read: Yes; Targets - Manage: No; Detector Recipes and Rules - Read: Yes; Detector Recipes and Rules - Manage: No; Responder Activity - Read: Yes

Use Case: Read-only access to Cloud Guard detector recipes
Minimum Required Policies: Admin can create a special group like cgreaddetrecipes, add users to this group, then add these policies:
allow group cgreaddetrecipes to read cloud-guard-detector-recipes in tenancy
allow group cgreaddetrecipes to read compartments in tenancy
allow group cgreaddetrecipes to inspect cloud-guard-config in tenancy
Allowed, Disallowed Functions: Allowed: read pages for detector recipes and rules. Disallowed: clone or delete recipes, manage rules for a recipe, or view pages outside of Detectors and Responders.
Permissions Auth.: Overview Page - Read: No; Problems - Read: No; Problems - Manage: No; Problems - Remediate: No; Targets - Read: No; Targets - Manage: No; Detector Recipes and Rules - Read: Yes; Detector Recipes and Rules - Manage: No; Responder Activity - Read: No

Use Case: Read-only access to Cloud Guard problems, excluding Security Score and Risk Score
Minimum Required Policies: Admin can create a special group like cgreadproblems, add users to this group, then add these policies:
allow group cgreadproblems to read cloud-guard-problems in tenancy
allow group cgreadproblems to read compartments in tenancy
allow group cgreadproblems to inspect cloud-guard-config in tenancy
Allowed, Disallowed Functions: Allowed on Overview page, view: Problems Snapshot, Problems Grouped by..., User Activity Problems, New Problems Trendline. Disallowed on Overview page, access to: Security Score, Risk Score, Security Recommendations, Responder Status, Security Score Trendline, Remediation Trendline. Access to all other pages is also disallowed.
Permissions Auth.: Overview Page - Read: Yes (limited to Problems Snapshot, Problems Grouped by..., User Activity Problems, and New Problems Trendline); Problems - Read: No; Problems - Manage: No; Problems - Remediate: No; Targets - Read: No; Targets - Manage: No; Detector Recipes and Rules - Read: No; Detector Recipes and Rules - Manage: No; Responder Activity - Read: No

Use Case: Read-only access to Cloud Guard problems, including Security Score and Risk Score
Minimum Required Policies: Admin can create a special group of users as in the preceding row, with the policies detailed there, then add these policies:
allow group cgreadproblems to inspect cloud-guard-risk-scores in tenancy
allow group cgreadproblems to inspect cloud-guard-security-scores in tenancy
Allowed, Disallowed Functions: Allowed on Overview page, view: Security Score, Risk Score, Problems Snapshot, Problems Grouped by..., User Activity Problems, New Problems Trendline. Disallowed on Overview page, access to: Security Recommendations, Responder Status, Security Score Trendline, Remediation Trendline. Access to all other pages is also disallowed.
Permissions Auth.: Overview Page - Read: Yes (limited to Security Score, Risk Score, Problems Snapshot, Problems Grouped by..., User Activity Problems, and New Problems Trendline)
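As an added illustration (not Oracle's code or tooling), the following Python script parses policy statements in the form used on this page, expands cloud-guard-family into the individual resource types from the permissions table, ranks verbs by the inspect < read < use < manage hierarchy, and flags a group that is meant to be read-only but is granted use or manage, or that has no verb at all on cloud-guard-config. The group names and statements in SAMPLE are constructed, and a group without a domain prefix is assumed to belong to the default domain (labelled "Default" here).

```python
import re

# Verb ranking from this page's footnote: Read is a superset of Inspect; use and manage add on top.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Resource types that cloud-guard-family aggregates (names from this page's permissions table).
CLOUD_GUARD_FAMILY = {
    "cloud-guard-config", "cloud-guard-targets", "cloud-guard-managed-lists", "cloud-guard-problems",
    "cloud-guard-detector-recipes", "cloud-guard-responder-recipes", "cloud-guard-responder-executions",
    "cloud-guard-recommendations", "cloud-guard-user-preferences", "cloud-guard-risk-scores",
    "cloud-guard-security-scores"}
# Statement shape used on this page: allow group [<domain>/]<group> to <verb> <resource> in <scope> [where ...]
STATEMENT_RE = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment \S+)(?: where (?P<cond>.+))?$")

def parse_statement(stmt):
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    d = m.groupdict()
    # An "<identity_domain_name>/" prefix means the group lives outside the default domain (assumed "Default").
    domain, _, d["group"] = d["group"].rpartition("/")
    d["domain"] = domain or "Default"
    return d

def effective_privileges(statements):
    """Map (group, resource) -> strongest verb granted, expanding cloud-guard-family."""
    priv = {}
    for s in map(parse_statement, statements):
        resources = CLOUD_GUARD_FAMILY if s["resource"] == "cloud-guard-family" else {s["resource"]}
        for r in resources:
            if VERB_RANK[s["verb"]] > VERB_RANK.get(priv.get((s["group"], r)), -1):
                priv[(s["group"], r)] = s["verb"]
    return priv

def audit_read_only(statements, group):
    """Findings for a group that is meant to be read-only on Cloud Guard."""
    priv = effective_privileges(statements)
    findings = [f"{group} has {v} on {r}; a read-only group should stop at read"
                for (g, r), v in priv.items()
                if g == group and r.startswith("cloud-guard-") and VERB_RANK[v] > VERB_RANK["read"]]
    if (group, "cloud-guard-config") not in priv:  # without it the console redirects to the Enable page
        findings.append(f"{group} has no verb on cloud-guard-config")
    return findings

SAMPLE = [  # constructed statements, modelled on the use-case table above
    "allow group cgreadgroup to read cloud-guard-family in tenancy",
    "allow group cgreaddetrecipes to read cloud-guard-detector-recipes in tenancy",
    "allow group SecOps/cgops to manage cloud-guard-problems in compartment OCIDemo",
]
```

Running audit_read_only(SAMPLE, g) for each group in SAMPLE reports nothing for cgreadgroup, the missing cloud-guard-config verb for cgreaddetrecipes, and both the manage grant and the missing config verb for cgops.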
The following table summarizes the Cloud Guard permissions that are available.

Permission: cloud-guard-family
Purpose: Collects all the permissions that exist for Cloud Guard into a single permission. Using any of the meta-verbs inspect, read, use, and manage for this permission grants the same privileges for all other permissions. Use this permission with caution.
Required Scope: tenancy or compartment
Notes: Common permission name for all the permissions.

Permission: cloud-guard-detectors
Purpose: No longer needed. Static data is available without authorization.
Required Scope: NA
Notes: Not used from the console.

Permission: cloud-guard-targets
Purpose: Required to view and manage target data for the compartment or tenancy. The inspect meta-verb is needed to minimally populate the selection list for filtering problems; it can be scoped either to the tenancy or to one or more compartments. The read meta-verb grants the privilege to view the target configuration. The use meta-verb is required to update any previously created target. The manage meta-verb is required to manage the lifecycle of a target. Recommended: scope this permission to a compartment to allow users to perform operations only within that compartment.
Required Scope: tenancy or compartment
Notes: The data is used on the Targets page and also to populate the drop-down field that filters the Problems page.

Permission: cloud-guard-config
Purpose: Required to view the Cloud Guard configuration for the tenancy. Without this permission, users can't view the Overview and other Cloud Guard pages; they are redirected to the Cloud Guard Enable page. The inspect meta-verb is required to view the Cloud Guard enablement status along with the configured reporting region details. The use or manage meta-verbs should be restricted to users that need the capability to enable or disable Cloud Guard.
Required Scope: tenancy
Notes: This data is used to identify Cloud Guard status and reporting region details. All subsequent calls from the console are redirected to the reporting region for performing CRUDL operations. The configured reporting region is displayed on the Settings page.

Permission: cloud-guard-managed-lists
Purpose: Required to view and manage the managed list data for the compartment or tenancy. The inspect meta-verb is required at tenancy scope if users need to clone Oracle-managed lists that exist in the root compartment. The read meta-verb is required to view a managed list configuration and to associate the managed list with a conditional group, or with settings that exist in a target, detector recipe, or responder recipe. If the managed list exists at tenancy scope, the policy should be scoped to the tenancy; if the managed list exists in a compartment, the policy should be scoped to that compartment. The use meta-verb provides more capabilities on top of read, to modify an existing managed list to which users already have read access. The manage meta-verb is required to create a new managed list and to manage the lifecycle of customer-created managed lists.
Required Scope: tenancy or compartment
Notes: The data is used on the Managed Lists page and also to populate the values that associate a managed list with conditional groups or settings that exist in targets, detector recipes, or responder recipes.

Permission: cloud-guard-problems
Purpose: Required to view and perform actions on problems that exist in the compartment or tenancy. The inspect meta-verb is required to display data on the Overview page and to list the problems on the Problems page. It can be scoped to the tenancy, where problems identified for all compartments are visible, or to a compartment to restrict access to problems for that specific compartment. If the intent is to view problem details, the read meta-verb is required. The use or manage meta-verbs should be added to the policy if the user can take actions on problems such as "Mark as Resolved," "Dismiss," or "Remediate" on single or multiple problems.
Required Scope: tenancy or compartment
Notes: The data is used on the Problems page, and also on the Overview page to populate these panels: Problems Snapshot, User Activity Problems, Problems Grouped by..., and New Problems Trendline. The Overview page minimally requires the inspect meta-verb to display the panels.

Permission: cloud-guard-detector-recipes
Purpose: Required to view and manage detector recipe data for the compartment or tenancy. If users need to clone Oracle-managed recipes that exist in the root compartment, the inspect meta-verb is required at tenancy scope. The read meta-verb is required to view a recipe configuration and to attach recipes to a target. If recipes exist at tenancy scope, the policy should be scoped to the tenancy; if recipes exist in a compartment, the policy should be scoped to that compartment. The use meta-verb provides more capabilities to modify conditional groups and other settings in existing recipes for which users already have read access. The manage meta-verb is required to clone a recipe and to manage the lifecycle of cloned recipes.
Required Scope: tenancy or compartment
Notes: The data is used on the Detector Recipes page and also to populate the selection list used when attaching a detector recipe to a target.

Permission: cloud-guard-responder-recipes
Purpose: Required to view and manage responder recipe data for the compartment or tenancy. If users need to clone Oracle-managed recipes that exist in the root compartment, the inspect meta-verb is required at tenancy scope. The read meta-verb is required to view a recipe configuration and to attach a recipe to a target. If recipes exist at tenancy scope, the policy should be scoped to the tenancy; if recipes exist in a compartment, the policy should be scoped to that compartment. The use meta-verb provides more capabilities to modify conditional groups and other settings in existing recipes for which users already have read access. The manage meta-verb is needed to clone a recipe and to manage the lifecycle of cloned recipes.
Required Scope: tenancy or compartment
Notes: The data is used on the Responder Recipes page and also to populate the selection list when attaching a responder recipe to a target.

Permission: cloud-guard-responder-executions
Purpose: Required to view and manage responder activity data for the compartment or tenancy. The inspect meta-verb is the minimal requirement to populate data on the Overview and Responder Activity pages. The read meta-verb is required to view specific responder activity data; it is not required from the console. The use or manage meta-verbs are required to perform actions like "Skip" or "Execute" on a specific responder activity, or to "Skip" execution for multiple responder activities.
Required Scope: tenancy or compartment
Notes: The inspect meta-verb: this data is used to populate the Responder Status panel and Remediation Trendline on the Overview page, and is also used on the Responder Activity page. The read meta-verb: not required for the console. The use or manage meta-verbs: required for skip and execute actions on a specific responder activity, or to perform a bulk skip for multiple responder activities.

Permission: cloud-guard-recommendations
Purpose: Required to view recommendations that improve the risk score and security score associated with the tenancy. The inspect meta-verb is the minimal requirement.
Required Scope: tenancy or compartment
Notes: This data is visible on the Overview page in the Security Recommendations panel.

Permission: cloud-guard-user-preferences
Purpose: Required to manage user preferences for the Cloud Guard console. Currently used to manage the status of the guided tour for the logged-in user; saving the user preference skips the prompt to complete the guided tour in subsequent logins. The inspect meta-verb is the minimal requirement to get the current user's preference. The use or manage meta-verb must be used to also persist the preference.
Required Scope: tenancy
Notes: This data is visible in the Guided Tour section of the Settings page.

Permission: cloud-guard-risk-scores
Purpose: Required to view risk score data for the tenancy. Without this permission, users can't view the risk score associated with the tenancy. The inspect meta-verb is the minimal requirement.
Required Scope: tenancy
Notes: This data is visible on the Overview page in the Risk Score panel.

Permission: cloud-guard-security-scores
Purpose: Required to view the security score rating for the tenancy. Without this permission, users can't view the security score associated with the tenancy. The inspect meta-verb is the minimal requirement.
Required Scope: tenancy
Notes: This data is visible on the Overview page, in the Security Score Rating and Security Score Trendline panels.