Here are some key recommendations for configuring logging and monitoring on Oracle Cloud Infrastructure (OCI):
- Ensure the audit log retention period is set to 365 days – Log retention controls how long activity logs are kept. Studies have shown that the Mean Time to Detect (MTTD) a cyber breach ranges from 30 days in some sectors to as much as 206 days in others. Retaining logs for at least 365 days provides the history needed to investigate and respond to incidents.
- Ensure default tags are used on resources – In the case of an incident, having default tags such as “CreatedBy” applied provides information on who created a resource without having to search the audit logs.
- Create at least one notification topic and subscription to receive monitoring alerts – Creating one or more notification topics allows administrators to be notified of relevant changes made to OCI infrastructure.
- Ensure a notification is configured for Identity Provider changes – OCI Identity Providers allow user IDs and passwords to be managed in external systems and used to access OCI resources. Identity Providers allow users to single sign-on to the OCI console and to hold other OCI credentials such as API keys. Monitoring and alerting on changes to Identity Providers will help in identifying changes to the security posture.
- Ensure a notification is configured for IdP group mapping changes – IAM Policies govern access to all resources within an OCI Tenancy, and they use OCI Groups to assign privileges. Identity Provider Groups can be mapped to OCI Groups to assign privileges to federated users in OCI. Monitoring and alerting on changes to Identity Provider Group mappings will help in identifying changes to the security posture.
- Ensure a notification is configured for IAM group changes – IAM Groups control access to all resources within an OCI Tenancy. Monitoring and alerting on changes to IAM Groups will help in identifying changes that affect the principle of least privilege.
- Ensure a notification is configured for IAM policy changes – IAM Policies govern access to all resources within an OCI Tenancy. Monitoring and alerting on changes to IAM policies will help in identifying changes to the security posture.
- Ensure a notification is configured for user changes – Users use or manage Oracle Cloud Infrastructure resources. Monitoring and alerting on changes to Users will help in identifying changes to the security posture.
- Ensure a notification is configured for VCN changes – Virtual Cloud Networks (VCNs) closely resemble a traditional network. Monitoring and alerting on changes to VCNs will help in identifying changes to the security posture.
- Ensure a notification is configured for changes to route tables – Route tables control traffic flowing to or from Virtual Cloud Networks and Subnets. Monitoring and alerting on changes to route tables will help in identifying changes to these traffic flows.
- Ensure a notification is configured for security list changes – Security Lists control traffic flowing into and out of Subnets within a Virtual Cloud Network. Monitoring and alerting on changes to Security Lists will help in identifying changes to these security controls.
- Ensure a notification is configured for network security group changes – Network Security Groups control traffic flowing between the virtual network interface cards (VNICs) attached to Compute instances. Monitoring and alerting on changes to Network Security Groups will help in identifying changes to these security controls.
- Ensure a notification is configured for changes to network gateways – Network Gateways act as routers between VCNs and the Internet, the Oracle Services Network, other VCNs, and on-premises networks. Monitoring and alerting on changes to Network Gateways will help in identifying changes to the security posture.
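As an added example (not code from the original page or from Oracle), the following Python checks a tenancy's Events rules against the notification recommendations above and the 365-day audit retention recommendation. It works offline on constructed rule dictionaries that mirror the Events Rule fields used (`is_enabled`, `condition`, `actions`); the event type names follow the OCI Events naming scheme as assumed here and should be verified against the Events service reference before use.

```python
import json

IDP = "com.oraclecloud.identitycontrolplane."
NET = "com.oraclecloud.virtualnetwork."

def crud(prefix, *nouns):
    """Create/delete/update event types for each noun, e.g. ...createpolicy."""
    return [f"{prefix}{verb}{noun}" for noun in nouns for verb in ("create", "delete", "update")]

# Event types each recommended notification rule must cover. Names follow the OCI
# Events naming scheme as assumed here; verify them against the Events reference.
REQUIRED = {
    "identity provider changes": crud(IDP, "identityprovider"),
    "IdP group mapping changes": crud(IDP, "idpgroupmapping"),
    "IAM group changes": crud(IDP, "group"),
    "IAM policy changes": crud(IDP, "policy"),
    "user changes": crud(IDP, "user"),
    "VCN changes": crud(NET, "vcn"),
    "route table changes": crud(NET, "routetable"),
    "security list changes": crud(NET, "securitylist"),
    "network security group changes": crud(NET, "networksecuritygroup"),
    "network gateway changes": crud(NET, "internetgateway", "natgateway", "servicegateway", "drg"),
}

def notified_event_types(rules):
    """Event types covered by enabled rules that deliver to a Notifications (ONS) topic.
    Each rule is a dict with is_enabled, condition (JSON string with eventType) and actions."""
    covered = set()
    for rule in rules:
        has_topic = any(a.get("action_type") == "ONS" for a in rule.get("actions", []))
        if not rule.get("is_enabled") or not has_topic:
            continue  # a disabled rule, or one with no topic, notifies nobody
        condition = json.loads(rule.get("condition") or "{}")
        covered.update(t.lower() for t in condition.get("eventType", []))
    return covered

def missing_notifications(rules):
    """Map each recommendation to the event types no enabled ONS rule covers."""
    covered = notified_event_types(rules)
    gaps = {name: [t for t in types if t.lower() not in covered] for name, types in REQUIRED.items()}
    return {name: absent for name, absent in gaps.items() if absent}

def audit_retention_ok(retention_period_days, minimum_days=365):
    """Audit log retention must be at least 365 days (the first recommendation)."""
    return retention_period_days >= minimum_days

# Constructed sample: one live IAM rule wired to a topic, one VCN rule left disabled.
TOPIC = [{"action_type": "ONS", "topic_id": "ocid1.onstopic.oc1..example"}]
SAMPLE_RULES = [
    {"is_enabled": True, "actions": TOPIC,
     "condition": json.dumps({"eventType": crud(IDP, "group", "policy", "user")})},
    {"is_enabled": False, "actions": TOPIC, "condition": json.dumps({"eventType": crud(NET, "vcn")})},
]
```

On the sample, `missing_notifications(SAMPLE_RULES)` reports the disabled VCN rule and every recommendation with no rule at all, so a disabled rule counts as a gap just as a missing one does.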