
Secure an OCI Tenancy

Scan an Oracle Cloud Infrastructure tenancy against security and compliance best practices with cnspec.

Scan your Oracle Cloud Infrastructure (OCI) tenancy to find security risks before they become incidents. cnspec evaluates tenancy-level settings such as user MFA enrollment, audit log retention periods, identity policy statements, VCN security lists, and Object Storage bucket access. All you need is your existing OCI CLI configuration.

Prerequisites

To scan OCI with cnspec, you must have:

Authenticate

cnspec uses the OCI CLI configuration to authenticate. Generate an API key in the OCI Console, then create a config file that points cnspec at it.

Step 1: Generate an API key

  1. In the top-right corner of the Oracle Cloud Infrastructure Console, select your profile icon, then select My profile.

    OCI profile menu

  2. Under Resources, select API keys.

    OCI API keys

  3. Select Add API key.

    Add OCI API key

  4. Leave Generate API key pair selected, then select Download private key.

  5. Create a ~/.oci/ directory on your workstation and move the downloaded private key file into it.

Step 2: Create the config file

  1. Select Add. OCI generates a config file for you. Copy the contents of the Configuration file preview box.

    OCI config preview

  2. In the ~/.oci/ directory, create a file named config and paste the content you copied. Replace the key_file placeholder on the last line with the path to your private key file.

    [DEFAULT]
    user=ocid1.user.oc1..aaaaaaaavixjk7guncl6q7jf663vyeygprgjtgg5yiesxpwx4i6m6r23xmna
    fingerprint=c9:1d:c8:e1:54:26:b7:82:2c:7d:b5:be:0a:62:b7:b8
    tenancy=ocid1.tenancy.oc1..aaaaaaaabnjfuyr73mmvv6ep7heu57576abelhju5ni333c6rrfqiu6q6joq
    region=us-ashburn-1
    key_file=~/.oci/oci_api_key.pem

Verify with a quick OCI check

Confirm that cnspec can reach your OCI environment:

cnspec run oci -c 'oci.tenancy.name != empty'

If cnspec connects, it returns the tenancy name and confirms the check passed:

[ok] value: "my-tenancy"

If the command fails, verify that your ~/.oci/config file is configured correctly.

Scan OCI

To scan your OCI tenancy:

cnspec scan oci

cnspec automatically applies all enabled policies that are applicable to OCI. Enable the Mondoo Oracle Cloud Infrastructure (OCI) Security policy to assess identity management, networking, logging, storage, and more. To learn how to enable policies, read Manage Policies.

Open source cnspec users can find this policy in the cnspec GitHub repository and scan with a local copy or directly from a URL using --policy-bundle:

cnspec scan oci --policy-bundle mondoo-oracle-cloud-infrastructure-foundation-level-1.mql.yaml

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure MFA is enabled for all users with a console password
✕ Fail:  Ensure audit log retention period is set to 365 days
✓ Pass:  Ensure default security list of every VCN restricts all traffic

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell oci

Ensure MFA is enabled for all users

cnspec> oci.identity.users.all( mfaActivated )
[failed] [].all()
  actual:   [
    0: oci.identity.user {
      name: "mwezi@lunalectric.com"
      mfaActivated: false
    }
    1: oci.identity.user {
      name: "stella@lunalectric.com"
      mfaActivated: false
    }
  ]

Ensure audit log retention is set to 365 days

cnspec> oci.tenancy.retentionPeriod == 365 * time.day
[ok] value: true

Ensure no Object Storage buckets are publicly accessible

cnspec> oci.objectStorage.buckets.all( publicAccessType == "NoPublicAccess" )
[ok] value: true

Ensure Object Storage buckets have versioning enabled

cnspec> oci.objectStorage.buckets.all( versioning == "Enabled" )
[failed] [].all()
  actual:   [
    0: oci.objectStorage.bucket {
      name: "backup-data"
      versioning: "Disabled"
    }
  ]

List identity policies and their statements

cnspec> oci.identity.policies { name statements }
oci.identity.policies: [
  0: {
    name: "admin-policy"
    statements: ["Allow group Administrators to manage all-resources in tenancy"]
  }
]

Ensure Object Storage buckets have event notifications enabled

cnspec> oci.objectStorage.buckets.all( objectEventsEnabled == true )
[ok] value: true
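The shell checks above can be collected into a custom policy bundle so they run on every `cnspec scan oci` and report as pass/fail lines with remediation text. The bundle below is an added example, not Mondoo's own OCI policy; the `custom-oci-*` uids, the author, the impact values and the `asset.platform == "oci"` filter are assumptions (confirm the platform string with `asset.platform` in `cnspec shell oci`). Save it as a `.mql.yaml` file and pass it with `--policy-bundle`.

```yaml
# Added example: custom cnspec policy bundle packaging this page's OCI checks.
# Not Mondoo's OCI policy. The asset filter string and uids are assumptions.
policies:
  - uid: custom-oci-tenancy-baseline
    name: Custom OCI Tenancy Baseline
    version: 1.0.0
    authors:
      - name: Security Engineering   # placeholder author
    groups:
      - title: Identity and logging
        # Assumed platform identifier; verify with `asset.platform` in the shell.
        filters: asset.platform == "oci"
        checks:
          - uid: custom-oci-mfa-all-users
          - uid: custom-oci-audit-retention-365
      - title: Object Storage
        filters: asset.platform == "oci"
        checks:
          - uid: custom-oci-bucket-no-public
          - uid: custom-oci-bucket-versioning
          - uid: custom-oci-bucket-events
queries:
  - uid: custom-oci-mfa-all-users
    title: Ensure MFA is enabled for all users
    impact: 80
    mql: oci.identity.users.all( mfaActivated )
    docs:
      desc: A console password without MFA is a single-factor path into the tenancy.
      remediation: Enable MFA for every user listed in the failed result.
  - uid: custom-oci-audit-retention-365
    title: Ensure audit log retention is set to 365 days
    impact: 60
    mql: oci.tenancy.retentionPeriod == 365 * time.day
    docs:
      remediation: Set the tenancy audit retention period to 365 days.
  - uid: custom-oci-bucket-no-public
    title: Ensure no Object Storage buckets are publicly accessible
    impact: 90
    mql: oci.objectStorage.buckets.all( publicAccessType == "NoPublicAccess" )
  - uid: custom-oci-bucket-versioning
    title: Ensure Object Storage buckets have versioning enabled
    impact: 40
    mql: oci.objectStorage.buckets.all( versioning == "Enabled" )
  - uid: custom-oci-bucket-events
    title: Ensure Object Storage buckets have event notifications enabled
    impact: 30
    mql: oci.objectStorage.buckets.all( objectEventsEnabled == true )
```

Each check's `mql` is the same expression the shell evaluates, so a check that fails in the bundle can be pasted into `cnspec shell oci` to see the offending users or buckets.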

Learn more
