Prerequisites for Onboarding OCI

The following information is important to understanding how CloudSecure interacts with Oracle Cloud Infrastructure (OCI).

Oracle Cloud Stack

The Oracle Cloud Stack is a feature that allows you to automate the creation of multiple cloud resources as a single unit, called the stack. Oracle Cloud lets you use Terraform to create stacks and manage resources. CloudSecure makes use of this Stack feature to create the resources that are required to interact with Oracle cloud.

Oracle IAM User

A user is an identity created in OCI's Identity and Access Management (IAM) service that represents a person or an application that interacts with OCI services. Users allow for the authentication and authorization of individuals or entities to access and manage OCI resources in accordance with assigned permissions. API keys are created for a user, which can be used for API/SDK access over the resources in the OCI tenant.

CloudSecure creates a new user when the stack is created and adds an API key to the user. This API key is used to communicate with the OCI tenant, synchronize the resources, and read flows.

Oracle IAM Group

An Oracle IAM group is a collection of users. Groups allow you to efficiently manage access permissions for multiple users at once, rather than needing to manage permissions for each user individually. By assigning users to groups, you can apply policies to the group as a whole, granting or revoking privileges to all members of the group simultaneously.

CloudSecure creates an IAM group, adds the user to the group, and writes the IAM policies for the group.

Oracle IAM Policies

OCI's IAM policies specify who has what type of access to your OCI resources. They play a crucial role in securing your OCI environment by granting precise permissions to users and groups, determining how they can interact with OCI resources.

After creating the group, CloudSecure adds the permissions listed in the Required Policies section so that the group can access the resources.

Required Policies

CloudSecure requires the following onboarding policies:

  • Allow group <groupname> to inspect all-resources in tenancy
  • Allow group <groupname> to read network-security-groups in tenancy
  • Allow group <groupname> to read security-lists in tenancy
  • Allow group <groupname> to read serviceconnectors in tenancy
  • Allow group <groupname> to read load-balancers in tenancy

CloudSecure requires the following flow policy, where <bucket> is the bucket that stores the flow logs:

  • Allow group <groupname> to read objects in tenancy where all {target.bucket.name = '<bucket>', any{request.permission='OBJECT_INSPECT', request.permission='OBJECT_READ'}}

CloudSecure IP Addresses for Flow Log Access

CloudSecure uses TCP port 443 to access your flow logs, so open that port for the IP addresses listed in this section.

CloudSecure Control Plane (For all OCI Regions)

The CloudSecure control and data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound/outbound allowed list:

  • 35.167.22.34
  • 52.88.124.247
  • 52.88.88.252

CloudSecure Data Plane (For all OCI Regions)

The CloudSecure data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound allowed list for OCI.

  • 13.57.69.111
  • 52.8.11.104
  • 52.8.120.46

Terraform-Created Resources

Terraform creates the following resources during onboarding:

  • A group with the name format <username>-group
  • A policy document, adding it to the group
  • A user, adding it to the group
  • An API key with the public key appended to the script

During flow access enablement, Terraform creates a policy document allowing access to the destinations for the group created during onboarding.
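The following Terraform configuration is an added illustration of the resources and policies described in the Required Policies and Terraform-Created Resources sections; it is not CloudSecure's own stack code. It assumes four caller-supplied inputs (tenancy OCID, user name, flow-log bucket name, and the PEM public half of an API key pair), all placeholders rather than values from this page.

```hcl
# Added illustration of the resources listed above; not CloudSecure's own stack code.
# Assumed inputs (placeholders): tenancy OCID, user name, flow-log bucket name,
# and the PEM public half of an API key pair generated by the caller.
variable "tenancy_ocid"       { type = string }
variable "username"           { type = string }
variable "flow_bucket"        { type = string }
variable "api_public_key_pem" { type = string }   # public half only; private key stays with the caller
# Group with the <username>-group naming format; IAM objects live in the tenancy root.
resource "oci_identity_group" "cloudsecure" {
  compartment_id = var.tenancy_ocid
  name           = "${var.username}-group"
  description    = "Group for the CloudSecure integration user"
}
resource "oci_identity_user" "cloudsecure" {
  compartment_id = var.tenancy_ocid
  name           = var.username
  description    = "CloudSecure integration user (API key access only)"
}
resource "oci_identity_user_group_membership" "cloudsecure" {
  user_id  = oci_identity_user.cloudsecure.id
  group_id = oci_identity_group.cloudsecure.id
}
# Only the public half of the key pair is stored in OCI.
resource "oci_identity_api_key" "cloudsecure" {
  user_id   = oci_identity_user.cloudsecure.id
  key_value = var.api_public_key_pem
}
locals { g = oci_identity_group.cloudsecure.name }
# Onboarding policy: inspect/read verbs only, so the key cannot modify tenancy resources.
resource "oci_identity_policy" "onboarding" {
  compartment_id = var.tenancy_ocid
  name           = "${var.username}-onboarding"
  description    = "Read-only inventory access for CloudSecure"
  statements = [
    "Allow group ${local.g} to inspect all-resources in tenancy",
    "Allow group ${local.g} to read network-security-groups in tenancy",
    "Allow group ${local.g} to read security-lists in tenancy",
    "Allow group ${local.g} to read serviceconnectors in tenancy",
    "Allow group ${local.g} to read load-balancers in tenancy",
  ]
}
# Flow policy: object reads limited to the one bucket that holds the flow logs.
resource "oci_identity_policy" "flows" {
  compartment_id = var.tenancy_ocid
  name           = "${var.username}-flows"
  description    = "Read access to the flow-log bucket only"
  statements = [
    "Allow group ${local.g} to read objects in tenancy where all {target.bucket.name = '${var.flow_bucket}', any{request.permission='OBJECT_INSPECT', request.permission='OBJECT_READ'}}",
  ]
}
```

Reviewing the plan output before applying is a useful check: every statement should carry only inspect or read verbs, and the flow policy should name exactly one bucket.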