OCI Cloud Security Associate - quick reference guide

-

In this quick post, we will go through the important concepts.


Security Introduction

  • We use Patch management software to centrally distribute and monitor the patch level of systems throughout the enterprise
  • Zero Trust architecture is based on the principle of “never trust, always verify”
  • When we go with PaaS service, then Data is Customer's responsibility under Shared Responsibility Model.
  • Security Information and Event Management (SIEM) can automatically collect and aggregate log data generated throughout your organization's infrastructure, analyze it, and send alerts if it detects a deviation from the norm.
  • Web Application Firewall (WAF) are designed to protect against web application attacks, such as SQL injection and cross-site scripting


Identity and Access Management

  • If You want to make API calls against other OCI services from your instance without configuring user credentials. then it can be achieved by "creating a dynamic group and add a policy".
  • If You create a new compartment, "apps," to host some production apps and you create an apps_group and added users to it. To ensure that the users have access to the apps compartment, then you need to "Add an IAM policy for apps_group granting access to the apps compartment"
  • Compartments options helps us to set Oracle Cloud Infrastructure Budget.
  • Policies helps us to make Oracle Cloud Infrastructure Identity and Access Management govern resources in a tenancy.
  • Policies is a part of the OCI Identity and Access Management service.


Infrastructure Security - Network

  • Inherent policies applies immediately if we move a resource from one compartment to another.
  • With the use of Update Shape workflows, we can convert a fixed load balancer to a flexible load balancer.
  • Bastion service provides restricted access to target resources in Oracle Cloud.
  • By using the Network Visualizer tool we can get the information of Interconnectivity of VCNs.
  • We need to configure Listner, for a load balancer to accept incoming traffic.


Infrastructure Security - Compute

  • "Windows Servers that does not have the minimum agent version requires an agent update or installation" statement is true about using custom BYOI instances in Windows Servers that are managed by OS Management Service.
  • OS Management Service Increases security and reliability by regular bug fixes.
  • "Add applications to network security groups for fine-grained ingress/egress rules" is the security recommendations and best practices for Oracle Functions.
  • Manual scaling can be performed on a dedicated virtual machine host.


Data and Database Security

  • Boot volume contains the image used to boot a compute instance.
  • Standard Storage is most effective when you want to move some unstructured data, consisting of images and videos, to cloud storage.
  • "All the traffic to and from object storage is encrypted by using Transport Layer Security" statement is true about Oracle Cloud Infrastructure (OCI) Object Storage server-side encryption.
  • file storage uses NFSv3 file system.
  • Vault service lets us centrally manage the encryption keys that protect your data and the secret credentials that we use to securely access resources in OCI cloud.


Application Security

  • Web Application Firewall policy encompasses the overall configuration of your WAF service on OCI.
  • Protection rules must be configured in WAF service to allow, block, or log network requests when they meet specified criteria.
  • JavaScript challenge is generally the first level of bot mitigation, but not sufficient with more advanced bot tools.
  • In WAF, Multiple origins can be defined but only a single origin can be active.


Cloud Security Posture Management

  • Tenant can disable rules and customize them in User-managed detector recipe.
  • Service Owner (Root) role can manage cloud-guard-family in a tenancy.
  • In Cloud Security Posture, Problems are created when Cloud Guard discovers a deviation from a responder rule.
  • In Cloud Guard, Detectors identify issues with resources or user actions and alerts you when an issue is found.
  • Cloud Guard re-open an issue and update the history If it detects an issue for a previously resolved configuration problem.


Security Operations

  • Header is included in audit log event.
  • Logs are stored in OCI Object Storage.
  • 30 days is the minimum active storage duration for logs used by Logging Analytics to be archived.
  • Event Services, Logging and Logging Analytics are part of Observability and Management Services.
  • Service Connector Hub helps to move logging data to other services, such as archiving log data in object storage.


Regulatory Compliance

  • Attestation, Bridge letter and Certificate are considered as compliance document in OCI cloud.
  • API calls audited and available for 90 days.
  • Standards are a result of a regulation or contractual requirement or an industry requirement.
  • Data encryption protects customer data at rest and in transit in a way that allows customers to meet their security and compliance requirements for cryptographic algorithms and key management.
  • Organizations that provide global cloud services must comply with the legal requirements that operate in countries where they do business.


I am still working on writing more important point related to this guide....so stay tuned














Comments

Post a Comment

Popular posts from this blog

Free Courses - Git & GitHub (DevOps)

-
Image
 New to DevOps? Fast-track your DevOps with FREE Git & GitHub courses! 1. Intro to Git 2. Make your GitHub Profile stand out 3. Git & GitHub Crash Course: Create a Repository From Scratch! 4. Git: Become an Expert in Git & GitHub in 4 Hours Bonus: Free Courses : Kubernetes (Enroll Now) If you find this post helpful then you can connect with me for such quick contents: YouTube:  https://www.youtube.com/@t3ptech Telegram:  https://t.me/LearnDevOpsForFree Blog (for Roadmap & Quick Guide):  https://techyoutube.com/
Check full post »

6 FREE courses to learn AWS & AWS DevOps (Concepts + Hands-on + Interview)

-
Image
Here I am sharing 6 FREE courses to learn AWS & AWS DevOps practically, which can help you to start as a beginner and help you to learn conceptual and hands on learning. Along with it there is course to prepare DevOps Interview. So, without wasting time...just enroll & get started  1. Amazon Web Services (AWS) - Zero to Hero 2. AWS DevOps CI/CD - CodePipeline, Elastic Beanstalk and Mocha 3. DevOps on AWS: Code, Build, and Test (Course 1 of 3) 4. DevOps on AWS: Release and Deploy (Course 2 of 3) 5. DevOps on AWS: Operate and Monitor (Course 3 of 3) 6. Free Devops Interview Questions and Answers Bonus: Terraform - 8 Mini Courses for FREE AWS -7 FREE hands-on based courses to learn practically If you find this post helpful then you can connect with me for such quick contents: Youtube:  https://www.youtube.com/@t3ptech Telegram:  https://t.me/LearnDevOpsForFree Roadmaps, Projects & Quick Guides:  https://techyoutube.com/
Check full post »