- The CIS compliance checking script is not impacted. Users should continue using it to determine tenancy compliance with the CIS OCI Foundations Benchmark.
- Users looking for a deployment experience similar to CIS Landing Zone should now use OCI Core Landing Zone, where the same features are available. OCI Core Landing Zone evolves CIS Landing Zone and complies with CIS OCI Foundations Benchmark.
- Users looking for a deployment experience based on fully declarable and customizable templates should use the Operating Entities Landing Zone or the OCI Landing Zones Modules in the OCI Landing Zones GitHub organization.
Overview
The OCI CIS Landing Zone has been updated to align with the CIS OCI Benchmark 1.2.0. To learn more about the changes to the Benchmark check out this blog. For the Landing Zone there were enhancements to the Compliance Checking script and Terraform configuration.
Compliance Checking Script Updates
CIS OCI Benchmark 1.2.0 adds nine new recommendations, including recommendations on five additional OCI services. To align with the update, the script added nine additional checks and service collectors for Oracle Integration Cloud (OIC), Oracle Analytics Cloud (OAC), Autonomous Databases Shared (ADB-S), Boot Volumes, Block Volumes, File Storage Service, and IAM Dynamic Groups.
In addition, there have been a few small enhancements:
- The summary report includes a column `CIS v8` which maps the recommendation back to the CIS v8 framework.
- The summary report includes a column `CCCS Guard Rail` that maps the recommendation to the Canadian Centre for Cyber Security Guard Rails.
- There is a new argument `--level` to specify whether you want Level 1 findings only or Level 1 and Level 2 findings. The default returns Level 1 and Level 2 findings.
- Recommendations relating to IAM are only run in the Home Region to reduce duplication in other regions.
To learn about these changes and how to use the script, check out the updated compliance-script.md!
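To make the three behavioural changes above concrete, here is an added toy model of how a compliance run can carry a Level and a CIS v8 column per recommendation, honour a `--level` style filter, and evaluate IAM recommendations only in the home region. This is illustration code written for this page, not the quickstart's own `cis_reports.py`; the tenancy data is constructed, the check functions are simplified approximations of recommendations 1.14 and 4.1.3, and the Level and CIS v8 values attached to them are assumed for the demo rather than quoted from the benchmark.

```python
"""Toy model of the updated compliance-script behaviour (added example, not
the quickstart's cis_reports.py). Sample data is constructed; level and
CIS v8 values are assumed for the demo."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

RegionData = Dict[str, list]   # what a per-region collector hands back


@dataclass(frozen=True)
class Recommendation:
    rec_id: str
    title: str
    level: int                                   # CIS profile level 1 or 2 (assumed here)
    cis_v8: str                                  # CIS Controls v8 safeguard (illustrative value)
    iam: bool                                    # True -> evaluated in the home region only
    check: Callable[[RegionData], List[str]]     # returns labels of non-compliant resources


STORAGE_TYPES = {"object-family", "buckets", "objects",
                 "volume-family", "volumes", "file-family"}
MANAGE_RE = re.compile(r"allow\s+group\s+\S+\s+to\s+manage\s+([\w-]+)\s+in\s", re.I)
DELETE_COND_RE = re.compile(r"request\.permission\s*!=\s*'\w+_DELETE'", re.I)


def check_storage_admins_cannot_delete(data: RegionData) -> List[str]:
    """1.14 (approximation): a 'manage <storage type>' statement that excludes
    no *_DELETE permission lets the group delete what it manages."""
    bad = []
    for policy in data.get("policies", []):
        for stmt in policy["statements"]:
            m = MANAGE_RE.match(stmt)
            if m and m.group(1).lower() in STORAGE_TYPES and not DELETE_COND_RE.search(stmt):
                bad.append(f"{policy['name']}: {stmt}")
    return bad


def check_bucket_versioning(data: RegionData) -> List[str]:
    """4.1.3: anything other than 'Enabled' (i.e. Disabled or Suspended) fails."""
    return [b["name"] for b in data.get("buckets", []) if b["versioning"] != "Enabled"]


RECOMMENDATIONS = [
    Recommendation("1.14", "Ensure storage service-level admins cannot delete resources they manage",
                   level=1, cis_v8="3.3", iam=True, check=check_storage_admins_cannot_delete),
    Recommendation("4.1.3", "Ensure versioning is Enabled for Object Storage Buckets",
                   level=2, cis_v8="11.2", iam=False, check=check_bucket_versioning),
]


def run_checks(tenancy: Dict[str, RegionData], home_region: str, level: int = 2) -> List[dict]:
    """Evaluate every recommendation at or below `level` across all regions;
    IAM recommendations are evaluated once, in `home_region`, so global IAM
    objects are not reported once per subscribed region."""
    findings = []
    for rec in RECOMMENDATIONS:
        if rec.level > level:
            continue
        for region, data in tenancy.items():
            if rec.iam and region != home_region:
                continue
            for resource in rec.check(data):
                findings.append({"rec": rec.rec_id, "level": rec.level, "cis_v8": rec.cis_v8,
                                 "region": region, "resource": resource})
    return findings


# Constructed sample tenancy. IAM policies are global, so a per-region collector
# sees the same statements in every region; without the home-region rule the
# single 1.14 finding below would be reported twice.
SAMPLE_POLICIES = [{"name": "storage-admin-policy", "statements": [
    "Allow group StorageAdmins to manage object-family in tenancy",
    "Allow group StorageAdmins to manage volume-family in tenancy "
    "where request.permission != 'VOLUME_DELETE'",
]}]
SAMPLE_TENANCY = {
    "us-ashburn-1": {"policies": SAMPLE_POLICIES,
                     "buckets": [{"name": "audit-logs", "versioning": "Enabled"},
                                 {"name": "app-backups", "versioning": "Disabled"}]},
    "us-phoenix-1": {"policies": SAMPLE_POLICIES,
                     "buckets": [{"name": "dr-backups", "versioning": "Suspended"}]},
}

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_TENANCY, home_region="us-ashburn-1", level=2):
        print(finding)
```

With `level=2` the run yields three findings (one 1.14 finding from the home region only, and the two non-versioned buckets across both regions); with `level=1` only the 1.14 finding remains. Note that a bucket with versioning `Suspended` fails 4.1.3 just like one with versioning `Disabled`.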
Landing Zone Terraform Configuration Updates
The changes for the Terraform configuration were to Object Storage and OCI IAM groups and policies.
The Object Storage module was updated to ensure the bucket it creates has object versioning enabled, to align with recommendation 4.1.3, which states “Ensure versioning is Enabled for Object Storage Buckets”. To learn more about Object Storage versioning, review the Using Object Versioning documentation.
The OCI IAM updates were focused on the implementation of recommendation 1.14 that states “Ensure storage service-level admins cannot delete resources they manage” for separation of duties. To implement this, a new group for storage management was created. The group is entitled to delete OCI Storage resources across Landing Zone compartments. Our recommendation for using this group is to place users in it when they must delete an OCI Storage resource and then remove their access once that resource is deleted.
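The following Terraform fragment is an added example showing the shape of both updates, a versioned bucket and a storage-admin group that is denied delete permissions with the deletions split into a separate group. It is not the Landing Zone's own module code: the variable names, resource labels, group names and the single-compartment scope are assumptions for illustration, and the permission lists are not exhaustive.

```hcl
# Added example, not the Landing Zone module code. Names and scope are assumed.

variable "tenancy_ocid"     { type = string }
variable "compartment_ocid" { type = string }   # a Landing Zone compartment
variable "namespace"        { type = string }   # Object Storage namespace of the tenancy

# 4.1.3: versioning must be "Enabled". The provider default is "Disabled", and
# "Suspended" is also non-compliant, so set it explicitly.
resource "oci_objectstorage_bucket" "lz_bucket" {
  compartment_id = var.compartment_ocid
  namespace      = var.namespace
  name           = "lz-example-bucket"
  access_type    = "NoPublicAccess"
  versioning     = "Enabled"
}

# 1.14: the day-to-day storage admin group manages storage but every *_DELETE
# permission is excluded with a where clause. OCI policies are allow-only, so
# not granting the permission is the only way to withhold it.
resource "oci_identity_group" "storage_admins" {
  compartment_id = var.tenancy_ocid
  name           = "lz-storage-admin-group"
  description    = "Manages storage in Landing Zone compartments, excluding deletion"
}

resource "oci_identity_policy" "storage_admins" {
  compartment_id = var.tenancy_ocid
  name           = "lz-storage-admin-policy"
  description    = "CIS 1.14: storage admins cannot delete what they manage"
  statements = [
    "Allow group ${oci_identity_group.storage_admins.name} to manage object-family in compartment id ${var.compartment_ocid} where all {request.permission != 'BUCKET_DELETE', request.permission != 'OBJECT_DELETE', request.permission != 'OBJECT_VERSION_DELETE'}",
    "Allow group ${oci_identity_group.storage_admins.name} to manage volume-family in compartment id ${var.compartment_ocid} where all {request.permission != 'VOLUME_DELETE', request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'BOOT_VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
    "Allow group ${oci_identity_group.storage_admins.name} to manage file-family in compartment id ${var.compartment_ocid} where all {request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE'}",
  ]
}

# The separate deletion group. Keep it empty; add a user only for the duration
# of a specific deletion, then remove them again.
resource "oci_identity_group" "storage_delete" {
  compartment_id = var.tenancy_ocid
  name           = "lz-storage-delete-group"
  description    = "Temporary membership only: deletes storage in Landing Zone compartments"
}

resource "oci_identity_policy" "storage_delete" {
  compartment_id = var.tenancy_ocid
  name           = "lz-storage-delete-policy"
  description    = "Delete permissions split out from the storage admin group"
  statements = [
    # read covers the inspect/read calls a deletion needs to locate the resource
    "Allow group ${oci_identity_group.storage_delete.name} to read object-family in compartment id ${var.compartment_ocid}",
    "Allow group ${oci_identity_group.storage_delete.name} to manage object-family in compartment id ${var.compartment_ocid} where any {request.permission = 'BUCKET_DELETE', request.permission = 'OBJECT_DELETE', request.permission = 'OBJECT_VERSION_DELETE'}",
    "Allow group ${oci_identity_group.storage_delete.name} to read volume-family in compartment id ${var.compartment_ocid}",
    "Allow group ${oci_identity_group.storage_delete.name} to manage volume-family in compartment id ${var.compartment_ocid} where any {request.permission = 'VOLUME_DELETE', request.permission = 'VOLUME_BACKUP_DELETE', request.permission = 'BOOT_VOLUME_DELETE', request.permission = 'BOOT_VOLUME_BACKUP_DELETE'}",
    "Allow group ${oci_identity_group.storage_delete.name} to read file-family in compartment id ${var.compartment_ocid}",
    "Allow group ${oci_identity_group.storage_delete.name} to manage file-family in compartment id ${var.compartment_ocid} where any {request.permission = 'FILE_SYSTEM_DELETE', request.permission = 'MOUNT_TARGET_DELETE', request.permission = 'EXPORT_SET_DELETE'}",
  ]
}
```

Two points worth checking in a real deployment: `where all {...}` with `!=` conditions is what excludes every listed permission at once (`any` with `!=` would pass whenever the request is not one particular permission), and because OCI grants are additive, a user who sits in both groups at the same time does have delete rights, which is why membership in the deletion group should be temporary.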
Next Steps
To get started running the compliance checking script on your tenancy or deploying the updated Terraform go to: https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart.
