OCI_Cloud_Guard構成

作成日: 2025年06月03日 / 最終更新日: 2025年06月26日

管理用のグループ/ユーザーを作成

とりあえずフル権限はこちら
https://docs.oracle.com/en-us/iaas/Content/cloud-guard/using/policies.htm

グループ作成
Identity & Security > Domains > (OracleIdentityCloudService) > User management タブ > Groups > Create group
- Name: cloudguard-admins
- Users: xxxxxxxxxxxxxxxxxxxxxx (既存の適当なユーザー)
ポリシー作成
Identity & Security > Policies > Create Policies
- Name: Policy_cloudguard-admins
- Compartment: zzzzzz(root)
- Statements:
```
allow group OracleIdentityCloudService/cloudguard-admins to manage cloud-guard-family in tenancy
```

→上記のフル権限与えたユーザーでCloud Guard有効化しようとしたけど権限エラーではじかれたのでテナンシーオーナーでやることにした

権限細かく分けたい場合も一応載っている。知りません。
https://docs.oracle.com/en-us/iaas/Content/cloud-guard/using/prerequisites.htm

You can find all the policies required to enable Cloud Guard in the Oracle Cloud Infrastructure Identity and Access Management (IAM) Common Policies topic. On that page, search for “Cloud Guard” and expand the four lists that you find.
For detailed information on individual Cloud Guard policies, see Cloud Guard Policies.

Cloud Guard 有効化

Cloud Guard はテナンシーレベルで作動し全リージョンが監視対象。
有効化時にReporting Regionを選択して、そこに監視データが集まってくる。

Identity & Security > Cloud Guard
Enable Cloud Guard

※どのリージョンでやっても同じっぽい。

以下のポリシーがCloudGuardPolicies という名前で自動で付与される
→CloudGuard Serviceが監視対象のリソースを触れる権限てことね。

allow service cloudguard to manage cloudevents-rules in tenancy where target.rule.type='managed'
allow service cloudguard to read vaults in tenancy
allow service cloudguard to read keys in tenancy
allow service cloudguard to read compartments in tenancy
allow service cloudguard to read tenancies in tenancy
allow service cloudguard to read audit-events in tenancy
allow service cloudguard to read compute-management-family in tenancy
allow service cloudguard to read instance-family in tenancy
allow service cloudguard to read virtual-network-family in tenancy
allow service cloudguard to read volume-family in tenancy
allow service cloudguard to read database-family in tenancy
allow service cloudguard to read object-family in tenancy
allow service cloudguard to read load-balancers in tenancy
allow service cloudguard to read users in tenancy
allow service cloudguard to read groups in tenancy
allow service cloudguard to read policies in tenancy
allow service cloudguard to read dynamic-groups in tenancy
allow service cloudguard to read authentication-policies in tenancy
allow service cloudguard to use network-security-groups in tenancy
allow service cloudguard to read data-safe-family in tenancy
allow service cloudguard to read autonomous-database-family in tenancy
allow service cloudguard to read log-groups in tenancy
Allow any-user to { WLP_BOM_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}
Allow any-user to { WLP_CONFIG_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}
Endorse any-user to { WLP_LOG_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }
Endorse any-user to { WLP_METRICS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }
Endorse any-user to { WLP_ADHOC_QUERY_READ } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }
Endorse any-user to { WLP_ADHOC_RESULTS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}

Reporting RegionはTokyoでCompartmentはrootコンパートメントでDetectorは選ばずEnableする
※これ最初だけ画面が違った。オプションも違くなってる。Redwood対応って奴かな。