Oracle Cloud
Overview
Oracle Cloud tenancy onboarding enables customers to seamlessly connect their OCI tenancies to Upwind, providing centralized visibility, control, and protection across all compartments and resources. By leveraging the hierarchical structure of OCI tenancies and compartments, this integration streamlines resource management while safeguarding your cloud environment against misconfigurations and threats. The onboarding process simplifies integration by automating service principal creation, permissions assignment, and cloud scanner deployment.
Architecture
Oracle Cloud tenancy onboarding integrates OCI tenancies with Upwind by provisioning service principals, granting the policies needed for discovery and security auditing, and deploying scanning infrastructure for comprehensive security coverage. This architecture supports centralized security visibility and management across all OCI compartments under the tenancy.
Connecting an OCI tenancy involves the following integration steps:
| Step | Description | Purpose |
|---|---|---|
| 1 | Create Service Principal and Group. This step involves creating a service principal within Oracle Cloud Identity Domain and adding it to a dedicated group. This service principal will be used for authentication and authorization to scan all compartments for misconfigurations, vulnerabilities, and exposed secrets. The service principal enables automatic provisioning and scanning without installing sensors. | Identity Setup |
| 2 | Configure Workload Identity Federation. Set up Workload Identity Federation to enable secure, credential-free authentication from Upwind's AWS environment to your Oracle Cloud tenancy. This eliminates the need to manage long-lived API keys while maintaining secure access. | Authentication |
| 3 | Create IAM Policies at Tenancy Level. Configure IAM policies that grant read-only access to the service principal group. These policies are applied at the tenancy level to ensure comprehensive visibility across all compartments and resources. | Permissions |
| 4 | Generate Credentials for Upwind. Generate client credentials to allow the OCI tenancy to authenticate with the Upwind Authorization Service and interact with Upwind APIs. This enables the tenancy to connect to Upwind and report scan results to the Upwind backend. | Upwind Connection |
| 5 | Deploy Cloud Scanners. Deploy Upwind Cloud Scanner infrastructure in your OCI tenancy. The scanners will continuously discover resources, identify misconfigurations, and detect security risks across your entire environment. | Scanner Deployment |
Integration
The integration method for onboarding OCI to Upwind is Terraform infrastructure-as-code. The OCI CLI is also required to authenticate against the OCI tenancy and to generate the federation configuration.
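The group and tenancy-level read-only policy from steps 1 and 3, written as an added Terraform example. This is not Upwind's own onboarding module: the group name, policy name and the `tenancy_ocid` variable are placeholders, the OCI provider resources `oci_identity_group` and `oci_identity_policy` are assumed to be the ones used, and the `precondition` block is an added least-privilege guard that fails the plan if any statement grants more than `read` or `inspect`.

```terraform
# Added example, not Upwind's Terraform. Creates the scanner group and a
# tenancy-wide read-only policy; all names are assumed placeholders.
terraform {
  required_version = ">= 1.2"   # lifecycle preconditions need 1.2+
  required_providers {
    oci = {
      source = "oracle/oci"
    }
  }
}

variable "tenancy_ocid" {
  description = "OCID of the OCI tenancy (the root compartment)"
  type        = string
}

# Step 1: dedicated group that the Upwind service principal is added to.
resource "oci_identity_group" "upwind_scanner" {
  compartment_id = var.tenancy_ocid
  name           = "upwind-scanner-group"   # assumed name
  description    = "Read-only group used by Upwind cloud scanning"
}

locals {
  # Step 3: only discovery/audit verbs. "read" covers "inspect" in OCI,
  # and "all-resources" spans every compartment when attached at the tenancy.
  upwind_statements = [
    "Allow group ${oci_identity_group.upwind_scanner.name} to read all-resources in tenancy",
  ]
}

# Attached to the tenancy root so it applies to every compartment.
resource "oci_identity_policy" "upwind_read_only" {
  compartment_id = var.tenancy_ocid
  name           = "upwind-read-only"       # assumed name
  description    = "Tenancy-wide read-only access for Upwind scanning"
  statements     = local.upwind_statements

  lifecycle {
    # Guard: refuse to apply if someone later adds a "use" or "manage" grant.
    precondition {
      condition = alltrue([
        for s in local.upwind_statements :
        can(regex("^Allow group \\S+ to (read|inspect) ", s))
      ])
      error_message = "Upwind scanner policy statements must grant only read or inspect."
    }
  }
}
```

Run `terraform plan` with `-var tenancy_ocid=<your tenancy OCID>`; the precondition is evaluated during the plan, so a widened statement is caught before anything is applied. Workload Identity Federation (step 2), the Upwind client credentials (step 4) and the scanner deployment (step 5) are not covered by this block.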