TABLE OF CONTENTS

OCI Account Connection Overview

Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For Oracle Cloud, this is done through the use of a Service Account. A Service Account is an entity that can be assumed by a third party and secured to only access resources in a project. third party


Default Setup

Step 1: Navigate to the Cloud Accounts page.

  • Click Connect Account at the top right.

Step 2: Choose Oracle Cloud Infrastructure (OCI) under "Account Type" and Default Setup under "Method"

Step 3: Retrieve your tenancy OCID

  1. Log into your Oracle Cloud console and navigate to Governance & Administration. Under Account Management, click Tenancy Details.
  2. Click on Copy by your Tenancy OCID and paste it in the Aqua connection wizard.

Step 4: Create a User and API Signing Key

  1. Navigate to Identity & Security. Under Identity, click Domains.
  2. If not already selected, select the root Compartment.
  3. From the domains list, click the default domain. The domain Overview page is displayed.
  4. Select Settings. Uncheck 'Primary email address required' under User Settings and click Save Changes.
  5. Navigate back to the default domain page and select Users.
  6. Select Create User
  7. Uncheck 'Use the email address as the username'.
  8. Enter "Aqua API Access" in Last Name, then enter "aqua" in username.
  9. Click on Create.
  10. Copy the User OCID and paste it in the Aqua connection wizard.
  11. Follow the steps to Generate an API Signing Key listed on Oracle's Cloud Docs.
  12. Open the public key (oci_api_key_public.pem) in your preferred text editor and copy the plain text (everything).
  13. Under Resources, click on API Keys, then click on Add API Key. In the wizard, choose 'Paste a Public Key' and paste the key, then click on Add.
  14. Copy the public key fingerprint and paste it into the Aqua connection wizard.
  15. Open the private key (oci_api_key.pem) in your preferred text editor and paste it in the Aqua connection wizard.

Step 5: Create a policy and attach it to the User

  1. Navigate to the default domain page and select Groups.
  2. Select Create Group.
  3. Enter "SecurityAudit" in the Name field, then enter "Aqua Security Audit Access" in the description.
  4. Click on Create.
  5. Select the SecurityAudit group in the Groups List and Add the Aqua API User to the group.
  6. Navigate to Identity > Policies.
  7. Select Create Policy.
  8. Enter "SecurityAudit" in the Name field, then enter "Aqua Security Audit Policy" in the description.
  9. Click on the 'Show Manual Editor' button next to Policy Builder.
  10. Copy and paste the following statement:
    ALLOW GROUP SecurityAudit to READ all-resources in tenancy
  11. Click on Create.

Step 6: Retrieve your Compartment OCID

  1. Navigate to Identity > Compartments.
  2. Select the compartment to connect and then Click on Copy by your Compartment OCID and paste it in the Aqua connection wizard.

Step 7: Retrieve your Region Identifier

  1. Click on the region dropdown at the top and select Manage Regions.
  2. In the regions list page, select the value next to Region Identifier under your home region and  paste it in the Aqua connection wizard.



Troubleshooting


Please review the group name related the policy:


Group: cv-securityAudit
Policy: ALLOW GROUP cv-securityAudit to READ all-resources in tenancy