OCI (Oracle Cloud Infrastructure) Identity and Access Management (IAM) is a comprehensive cloud-based service provided by Oracle to manage user access and permissions within an OCI environment. It enables you to control who can access your cloud resources and what actions they can perform.
Key Features of OCI IAM:
Users and Groups: IAM allows you to create individual users and groups to manage access to your OCI resources. Users are individual identities that can be assigned to specific roles and groups. Groups are a collection of users that share common access requirements.
Policies: IAM uses policies to define permissions and access controls. Policies are sets of rules that determine what actions can be performed on specific resources. You can attach policies to groups or individual users to grant or restrict access to various OCI services.
Compartments: Compartments are logical containers that help you organize and isolate your cloud resources. IAM allows you to create compartments and assign permissions at the compartment level, providing a hierarchical structure for managing access.
Service Clients and API Keys: IAM supports the creation of service clients and API keys. Service clients are used to authenticate applications and services that need programmatic access to OCI resources. API keys are used to authenticate users or service clients when making API calls.
Federation: IAM supports identity federation, allowing you to integrate your existing identity management systems with OCI. This enables users to sign in to OCI using their existing corporate credentials.
Multi-factor Authentication (MFA): IAM provides built-in support for multi-factor authentication, enhancing the security of user accounts by requiring an additional form of verification during login.
Audit and Monitoring: IAM provides detailed audit logs and monitoring capabilities, allowing you to track user activity, changes to policies, and other relevant events within your OCI environment.
OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) provides a comprehensive solution for integrating with OCI IaaS, PaaS, and SaaS solutions, as well as other third-party applications. It serves as an Identity Provider (IDP) that can be utilized alongside other services acting as Service Providers (SP). OCI IAM supports the usage of SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) SSO (Single Sign-On) protocols.
With OCI IAM, you can synchronize users from various external identity sources like Microsoft Active Directory (MS AD), Azure AD, and others. This synchronization ensures that user identities and access rights are consistent across different systems and applications.
Additionally, OCI's Application Gateway can be used in conjunction with OCI IAM and other applications such as JDE (JD Edwards) and E-Business Suite. This integration allows for header-based authentication, where the Application Gateway validates the user's access based on the authentication information contained in the headers of the incoming requests.
In summary, OCI IAM offers a versatile solution for integrating with OCI services, third-party applications, and external identity sources. By leveraging SAML and OIDC SSO protocols, you can establish a seamless and secure authentication experience for users across different systems. The combination of OCI IAM and Application Gateway enables efficient and reliable authentication for applications like JDE and E-Business Suite using header-based mechanisms.
Strengthening IT Project Security: Unveiling the Imperative of OCI Logging and Monitoring
Security stands as a paramount consideration in all IT projects, necessitating the implementation of robust measures to safeguard systems and sensitive data. Monitoring and logging, particularly in accordance with audit and compliance requirements, play a pivotal role in this endeavor. This blog delves into the significance of mandatory Oracle Cloud Infrastructure (OCI) logging and monitoring from a security standpoint, illuminating their crucial role in fortifying IT project security and ensuring adherence to regulatory standards.
Ensure audit log retention period is set to 365 days
OCI will have a log retention period set to 365 days by default.
You can easily verify the default log retention period in Oracle Cloud Infrastructure (OCI) using the OCI Cloud Shell.
oci audit config get --compartment-id <Tenancy OCID>
Use the tenancy OCID, which is also the OCID of the root compartment.
Create at least one notification topic and subscription to receive monitoring alerts
OCI Notification Topics and Subscriptions provide a centralized and flexible framework for managing and delivering monitoring alerts.
oci ons subscription list --compartment-id <compartment OCID> --topic-id <topic OCID> --all
Use the respective compartment and topic OCIDs.
Ensure a notification is configured for Identity Provider changes
It helps ensure the security and integrity of the authentication process within your OCI tenancy.
Notifications for Identity Provider changes in OCI play a crucial role in maintaining the security, compliance, and operational integrity of your cloud environment. They enable you to stay informed about any modifications to the authentication process and take timely actions to ensure the protection of your OCI resources and data.
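As an added example (not code from the original post or from Oracle's tooling), the following Python evaluates the three checks above, audit log retention, an active notification subscription, and an Events rule for Identity Provider changes, against JSON saved from the OCI CLI with `--output json`. The identity event type names and the sample records are assumptions constructed here rather than taken from a real tenancy; the `required_events` set can be swapped for the group-mapping, group, policy and user event families used in the later checks.

```python
import json

# Assumption: identity control-plane event type names as emitted by the OCI
# Events service; the same pattern covers the group, policy and user checks.
IDP_EVENTS = {
    "com.oraclecloud.identitycontrolplane.createidentityprovider",
    "com.oraclecloud.identitycontrolplane.updateidentityprovider",
    "com.oraclecloud.identitycontrolplane.deleteidentityprovider",
}

def audit_retention_ok(audit_config, minimum_days=365):
    # `oci audit config get` -> {"data": {"retention-period-days": N}}
    return audit_config["data"]["retention-period-days"] >= minimum_days

def active_subscriptions(subscription_list):
    # `oci ons subscription list` -> {"data": [...]}; PENDING never confirmed, so only ACTIVE delivers.
    return [s for s in subscription_list["data"] if s["lifecycle-state"] == "ACTIVE"]

def rule_alerts_on(rule, required_events):
    # `oci events rule get` -> {"data": {...}}; alerts only fire when the rule is enabled,
    # its condition lists every required eventType and it has an enabled ONS action with a topic.
    data = rule["data"]
    if not data["is-enabled"]:
        return False
    event_types = json.loads(data["condition"]).get("eventType", [])
    if isinstance(event_types, str):
        event_types = [event_types]
    actions = data.get("actions") or {}
    has_ons = any(a["action-type"] == "ONS" and a["is-enabled"] and a.get("topic-id")
                  for a in actions.get("actions", []))
    return required_events <= set(event_types) and has_ons

# Constructed sample output (not from a real tenancy), shaped like the CLI JSON.
SAMPLE_AUDIT = {"data": {"retention-period-days": 365}}
SAMPLE_SUBS = {"data": [
    {"id": "ocid1.onssubscription.oc1..example1", "protocol": "EMAIL", "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.onssubscription.oc1..example2", "protocol": "EMAIL", "lifecycle-state": "PENDING"},
]}
SAMPLE_RULE = {"data": {
    "display-name": "idp-changes", "is-enabled": True,
    "condition": json.dumps({"eventType": sorted(IDP_EVENTS)}),
    "actions": {"actions": [{"action-type": "ONS", "is-enabled": True,
                             "topic-id": "ocid1.onstopic.oc1..example"}]},
}}

if __name__ == "__main__":
    print("audit retention >= 365 days:", audit_retention_ok(SAMPLE_AUDIT))
    print("active subscriptions:", len(active_subscriptions(SAMPLE_SUBS)))
    print("IdP change rule alerts:", rule_alerts_on(SAMPLE_RULE, IDP_EVENTS))
```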
Ensure a notification is configured for IdP group mapping changes
By enabling notifications for IdP group mapping changes, you can enhance the security, compliance, user experience, troubleshooting capabilities, and change management processes within your OCI environment. It enables you to stay informed about modifications made to group mappings and take appropriate actions to maintain a secure and well-managed cloud environment.
Ensure a notification is configured for IAM group changes
Notifications for IAM group changes in OCI play a vital role in access management, security, compliance, operational efficiency, and change management. They help you stay informed about modifications to group memberships, permissions, and policies, allowing you to maintain proper access controls, address security risks, comply with regulations, optimize operational workflows, and enforce change management practices.
Ensure a notification is configured for IAM policy changes
By enabling notifications for IAM policy changes in OCI, you can enhance access control, security, compliance, operational efficiency, and change management processes. They help you stay informed about modifications to policies, allowing you to maintain proper access controls, address security risks, comply with regulations, optimize operational workflows, and enforce change management practices effectively.
Ensure a notification is configured for user changes
Notifications for user changes in OCI play a vital role in security, access management, compliance, operational efficiency, and change management. They help you stay informed about modifications to user accounts, ensuring proper access controls, addressing security risks, complying with regulations, optimizing operational workflows, and enforcing change management practices effectively.
Ensure a notification is configured for VCN changes
By enabling notifications for VCN changes in OCI, you can enhance network security, compliance, network performance, change management processes, and operational awareness. They help you stay informed about modifications to the VCN configuration, allowing you to maintain proper network controls, address security risks, comply with regulations, optimize network performance, and enforce change management practices effectively.
Ensure a notification is configured for changes to route tables
By enabling notifications for changes to route tables in OCI, you can enhance network connectivity, security, optimization, change management processes, troubleshooting capabilities, and auditing. They help you stay informed about modifications to route tables, allowing you to maintain proper network controls, address security risks, optimize network performance, enforce change management practices, troubleshoot network issues, and support compliance and auditing requirements effectively.
Ensure a notification is configured for security list changes
By enabling notifications for security list changes in OCI, you can enhance network security, access control, compliance, network performance, change management processes, and incident response capabilities. They help you stay informed about modifications to security lists, allowing you to maintain proper network security controls, address security risks, comply with regulations, optimize network performance, enforce change management practices, and respond to security incidents effectively.
Ensure a notification is configured for network security group changes
By enabling notifications for NSG changes in OCI, you can enhance network security, access control, compliance, network performance, change management processes, and incident response capabilities. They help you stay informed about modifications to NSGs, allowing you to maintain proper network security controls, address security risks, comply with regulations, optimize network performance, enforce change management practices, and respond to security incidents effectively.
Ensure a notification is configured for changes to network gateways
By enabling notifications for changes to network gateways in OCI, you can enhance network connectivity, security, network routing, change management processes, troubleshooting capabilities, and auditing. They help you stay informed about modifications to network gateways, allowing you to maintain proper network controls, address security risks, optimize network performance, enforce change management practices, troubleshoot network issues, and support compliance and auditing requirements effectively.
Ensure VCN flow logging is enabled for all subnets
By enabling VCN flow logging for all subnets in OCI, you gain enhanced network visibility, security monitoring capabilities, compliance support, incident response capabilities, performance optimization insights, and forensic analysis capabilities. It allows you to proactively monitor and secure your network, detect and respond to security incidents, meet compliance requirements, optimize network performance, and conduct thorough forensic investigations when needed.
Ensure Cloud Guard is enabled in the root compartment of the tenancy
By enabling Cloud Guard in the root compartment of your tenancy, you gain centralized security monitoring, threat detection and response capabilities, automated security assessments, incident remediation and automation, compliance and governance support, and real-time security monitoring. It helps you maintain a consistent and proactive security posture across your entire OCI environment and improves your ability to detect, respond to, and mitigate security risks and incidents.
Ensure customer-created Customer Managed Keys (CMKs) are rotated at least annually
By rotating customer-created CMKs at least annually in OCI, you adhere to security best practices, meet compliance requirements, ensure robust key lifecycle management, enhance incident response capabilities, promote good key management practices, and minimize cryptographic vulnerabilities. Regular key rotation helps maintain a strong security posture, protects sensitive data, and reduces the risk of unauthorized access or compromise of encryption keys.
Ensure read and write level Object Storage logging is enabled for all buckets
By enabling read- and write-level Object Storage logging for all buckets in OCI, you establish an audit trail, enforce data governance, enhance security monitoring, support incident response and forensic investigations, meet compliance requirements, and optimize performance and resource utilization. It allows you to maintain data integrity, detect and respond to security incidents, demonstrate compliance, and make informed decisions for efficient data management.
Ensure a notification is enabled whenever an automatic boot or block volume backup fails
By enabling notifications for automatic boot and block volume backup failures in OCI, you ensure data protection, enable proactive monitoring, facilitate timely issue resolution, enhance operational efficiency, meet compliance requirements, and drive continuous improvement in your backup processes. It helps you maintain the integrity and availability of your critical data and enables faster recovery in case of data loss or system failures.
Ensure a notification is enabled whenever an automatic EXACS/DBCS Database backup fails
By enabling notifications for automatic EXACS database backup failures in OCI, you ensure data protection and operational continuity, meet compliance requirements, facilitate proactive monitoring, enable timely troubleshooting and issue resolution, and optimize backup performance. It helps you maintain the integrity of your EXACS databases, reduce downtime, and enhance your ability to recover data in case of any unforeseen events or failures.