
lacework-global-661

Instance is running without required tags (Automated)

Description

Alert when a compute instance is running without required configured tags.

This policy checks for compute instances that are missing the default 'CreatedBy' and 'CreatedOn' defined tags in the 'Oracle-Tags' tag namespace, the tags that OCI applies automatically through its default tag rules.

To identify compute instances that do not have organization-specific required tags, you can use the following query as a template. The inner query selects the instances that carry the required tag with the expected value; the outer query returns every running instance that is not in that set:

{
  source {
    LW_CFG_OCI_COMPUTE_INSTANCES
  }
  filter {
    lower(RESOURCE_CONFIG:lifecycle_state) = 'running'
    and not (RESOURCE_KEY in {
      source {
        LW_CFG_OCI_COMPUTE_INSTANCES
      }
      filter {
        key_exists(RESOURCE_TAGS:definedTags.<required_tag_namespace>.<required_tag_key>)
        and RESOURCE_TAGS:definedTags.<required_tag_namespace>.<required_tag_key> = '<required_tag_value>'
      }
      return distinct {
        RESOURCE_KEY
      }
    })
  }
  return distinct {
    COMPARTMENT_ID,
    RESOURCE_KEY,
    RESOURCE_REGION,
    RESOURCE_TAGS,
    RESOURCE_TYPE,
    SERVICE,
    'ComputeInstanceWithoutRequiredTags' as COMPLIANCE_FAILURE_REASON
  }
}

If the expected required tags are free-form rather than defined, you can replace the following section from the template:

key_exists(RESOURCE_TAGS:definedTags.<required_tag_namespace>.<required_tag_key>)
and RESOURCE_TAGS:definedTags.<required_tag_namespace>.<required_tag_key> = '<required_tag_value>'

With this template:

key_exists(RESOURCE_TAGS:freeformTags.<required_tag_key>)
and RESOURCE_TAGS:freeformTags.<required_tag_key> = '<required_tag_value>'

When using either template, replace each placeholder, including the angle brackets, with the expected namespace, key and value.

Remediation

From Console:

  1. Log in to the OCI Console.

  2. In the navigation menu, select Compute.

  3. Select Instances.

  4. Select the name of an instance.

  5. Select Add tags from the More actions drop-down list.

  6. Leave Tag namespace set to None and specify a key and value to add a free-form tag, or select a namespace from the Tag namespace drop-down list, select a key and specify a value to add a defined tag.

  7. Select Add tags.

From CLI:

To update free-form tags, execute the following command:

oci compute instance update --instance-id <instance_id> --freeform-tags '{"<tag_key>":"<tag_value>"}'

To update defined tags, execute the following command:

oci compute instance update --instance-id <instance_id> --defined-tags '{"<tag_namespace>": {"<defined_tag_key>":"<tag_value>"}}'

Note: Updates to freeform-tags and defined-tags replace the entire existing tag map of that kind, not just the keys you name. Include every existing tag you want to keep in the update command, or it will be removed. A defined tag can only be applied if its namespace and key already exist in the tenancy.
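The following script is an added example, not Lacework's or Oracle's code. It mirrors the template query's logic in Python (the inner tag predicate and the outer "running and not compliant" filter) against instance records in the shape returned by `oci compute instance get --output json`, and it builds an `oci compute instance update` command that carries the instance's existing tags plus the additions, so the replace-the-whole-map behaviour described in the note does not drop tags. The sample instances, their OCIDs and the required tags ('Operations'/'CostCenter' and the free-form 'env') are constructed for the example; substitute your own policy.

```python
"""Mirror the required-tag check and build tag-preserving OCI update commands.

Added example; the instance records and tag policy below are constructed.
"""
import json
import shlex
from typing import Optional

# Constructed sample: the `data` object of `oci compute instance get --output json`,
# trimmed to the fields used here. The OCIDs are placeholders, not real resources.
SAMPLE_INSTANCES = [
    {
        "id": "ocid1.instance.oc1..tagged",
        "lifecycle-state": "RUNNING",
        "freeform-tags": {"env": "prod"},
        "defined-tags": {
            "Oracle-Tags": {"CreatedBy": "alice@example.com",
                            "CreatedOn": "2024-03-01T10:00:00.000Z"},
            "Operations": {"CostCenter": "1234"},
        },
    },
    {
        "id": "ocid1.instance.oc1..untagged",
        "lifecycle-state": "RUNNING",
        "freeform-tags": {},
        "defined-tags": {},
    },
    {
        "id": "ocid1.instance.oc1..stopped",
        "lifecycle-state": "STOPPED",
        "freeform-tags": {},
        "defined-tags": {},
    },
]

# Assumed organisational policy (not from the page): (namespace, key, value).
# namespace None selects a free-form tag instead of a defined tag.
REQUIRED_TAGS = [
    ("Operations", "CostCenter", "1234"),
    (None, "env", "prod"),
]


def has_required_tag(instance: dict, namespace: Optional[str], key: str, value: str) -> bool:
    """Same predicate as the template's inner filter: key exists AND value matches."""
    if namespace is None:
        tags = instance.get("freeform-tags") or {}
    else:
        tags = (instance.get("defined-tags") or {}).get(namespace) or {}
    return key in tags and tags[key] == value


def find_noncompliant(instances: list, required: list) -> list:
    """Ids of RUNNING instances missing at least one required tag.

    Mirrors the outer filter: lifecycle_state = running AND NOT in the compliant set.
    """
    missing = []
    for inst in instances:
        if str(inst.get("lifecycle-state", "")).lower() != "running":
            continue
        if not all(has_required_tag(inst, ns, k, v) for ns, k, v in required):
            missing.append(inst["id"])
    return missing


def merged_tags(instance: dict, add_freeform: Optional[dict] = None,
                add_defined: Optional[dict] = None) -> tuple:
    """Return (freeform, defined) maps = the instance's existing tags plus additions.

    The CLI replaces each whole map on update, so the existing tags must be resent.
    The input dicts are copied, not mutated.
    """
    freeform = dict(instance.get("freeform-tags") or {})
    freeform.update(add_freeform or {})
    defined = {ns: dict(keys) for ns, keys in (instance.get("defined-tags") or {}).items()}
    for ns, keys in (add_defined or {}).items():
        defined.setdefault(ns, {}).update(keys)
    return freeform, defined


def build_update_command(instance: dict, add_freeform: Optional[dict] = None,
                         add_defined: Optional[dict] = None) -> list:
    """argv for `oci compute instance update` carrying the merged tag maps."""
    freeform, defined = merged_tags(instance, add_freeform, add_defined)
    return [
        "oci", "compute", "instance", "update",
        "--instance-id", instance["id"],
        "--freeform-tags", json.dumps(freeform),
        "--defined-tags", json.dumps(defined),
    ]


if __name__ == "__main__":
    # Print, rather than run, the remediation for each non-compliant sample instance.
    for iid in find_noncompliant(SAMPLE_INSTANCES, REQUIRED_TAGS):
        inst = next(i for i in SAMPLE_INSTANCES if i["id"] == iid)
        argv = build_update_command(inst, add_freeform={"env": "prod"},
                                    add_defined={"Operations": {"CostCenter": "1234"}})
        print(shlex.join(argv))
```

In practice, feed the script the `data` object from `oci compute instance get --instance-id <instance_id> --output json` for each instance, review the printed command, and only then run it; the CLI prompts for confirmation because of the replace semantics, and `--force` suppresses that prompt when scripting. The 'Operations' namespace and 'CostCenter' key must exist in the tenancy before the defined-tag update will succeed.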

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__INSTANCE_WITHOUT_REQUIRED_TAGS
https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/taggingoverview.htm
https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/understandingautomaticdefaulttags.htm
https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/understandingfreeformtags.htm
https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm
https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcetags.htm
https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.28.1/oci_cli_docs/cmdref/compute/instance/update.html