lacework-global-661
Instance is running without required tags (Automated)
Description
Alert when a compute instance is running without the configured required tags.
This policy checks for compute instances that do not have the default 'CreatedBy' and 'CreatedOn' defined tags within the 'Oracle-Tags' tag namespace.
To identify compute instances that do not have organization-specific required tags, you can use the following query as a template:
    {
      source {
        LW_CFG_OCI_COMPUTE_INSTANCES
      }
      filter {
        lower(RESOURCE_CONFIG:lifecycle_state) = 'running'
        and not (RESOURCE_KEY in {
          source {
            LW_CFG_OCI_COMPUTE_INSTANCES
          }
          filter {
            key_exists(RESOURCE_TAGS:definedTags.<required_tag_namespace>.<required_tag_key>)
            and RESOURCE_TAGS:definedTags.<required_tag_namespace>.<required_tag_key> = '<required_tag_value>'
          }
          return distinct {
            RESOURCE_KEY
          }
        })
      }
      return distinct {
        COMPARTMENT_ID,
        RESOURCE_KEY,
        RESOURCE_REGION,
        RESOURCE_TAGS,
        RESOURCE_TYPE,
        SERVICE,
        'ComputeInstanceWithoutRequiredTags' as COMPLIANCE_FAILURE_REASON
      }
    }
If the expected required tags are free-form rather than defined, replace the following section of the template:
    key_exists(RESOURCE_TAGS:definedTags.<required_tag_namespace>.<required_tag_key>)
    and RESOURCE_TAGS:definedTags.<required_tag_namespace>.<required_tag_key> = '<required_tag_value>'
With this:
    key_exists(RESOURCE_TAGS:freeformTags.<required_tag_key>)
    and RESOURCE_TAGS:freeformTags.<required_tag_key> = '<required_tag_value>'
If using this template, replace the values within and including the angle brackets with the expected values.
Remediation
From Console:
- Log in to the OCI Console.
- In the navigation menu, select Compute.
- Select Instances.
- Select the name of an instance.
- Select Add tags from the More actions drop-down list.
- Leave Tag namespace set to None and specify a key and value to add a free-form tag, or select a namespace from the Tag namespace drop-down list, select a key and specify a value to add a defined tag.
- Select Add tags.
From CLI:
To update free-form tags, execute the following command:
    oci compute instance update --instance-id <instance_id> --freeform-tags '{"<tag_key>":"<tag_value>"}'
To update defined tags, execute the following command:
    oci compute instance update --instance-id <instance_id> --defined-tags '{"<tag_namespace>": {"<defined_tag_key>":"<tag_value>"}}'
Updates to freeform-tags and defined-tags replace any existing values, so you must provide any existing tags you wish to keep as part of the update command.
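As an added example that is not part of the Lacework policy or the OCI tooling, the Python below reproduces the query template's logic over constructed instance records (covering both the defined-tag and free-form variants, and generalizing so the value check is optional) and builds the merged --defined-tags payload the CLI caveat above requires; the OCIDs and tag values are made up.

```python
import json

# Constructed sample rows shaped like the LW_CFG_OCI_COMPUTE_INSTANCES columns
# the policy reads; the OCIDs are placeholders, not real instances.
INSTANCES = [
    {"RESOURCE_KEY": "ocid1.instance.oc1..aaaa",
     "RESOURCE_CONFIG": {"lifecycle_state": "RUNNING"},
     "RESOURCE_TAGS": {"definedTags": {"Oracle-Tags": {"CreatedBy": "alice", "CreatedOn": "2024-01-01"}},
                       "freeformTags": {"env": "prod"}}},
    {"RESOURCE_KEY": "ocid1.instance.oc1..bbbb",
     "RESOURCE_CONFIG": {"lifecycle_state": "RUNNING"},
     "RESOURCE_TAGS": {"definedTags": {}, "freeformTags": {"owner": "bob"}}},
    {"RESOURCE_KEY": "ocid1.instance.oc1..cccc",
     "RESOURCE_CONFIG": {"lifecycle_state": "STOPPED"},
     "RESOURCE_TAGS": {"definedTags": {}, "freeformTags": {}}},
]

def has_required_tag(tags, key, value=None, namespace=None):
    """Mirror the template's key_exists(...) and equality test.
    namespace=None reads freeformTags.<key>, otherwise definedTags.<namespace>.<key>;
    value=None only requires the key to be present."""
    if namespace is None:
        bucket = tags.get("freeformTags") or {}
    else:
        bucket = (tags.get("definedTags") or {}).get(namespace) or {}
    return key in bucket and (value is None or bucket[key] == value)

def running_without_tags(instances, required):
    """RESOURCE_KEYs of running instances missing any (namespace, key, value) in required."""
    failures = []
    for inst in instances:
        # lower(RESOURCE_CONFIG:lifecycle_state) = 'running'
        state = str(inst["RESOURCE_CONFIG"].get("lifecycle_state", "")).lower()
        if state != "running":
            continue
        tags = inst.get("RESOURCE_TAGS") or {}
        if not all(has_required_tag(tags, k, v, ns) for ns, k, v in required):
            failures.append(inst["RESOURCE_KEY"])
    return failures

def merged_defined_tags(existing, namespace, key, value):
    """Build the --defined-tags JSON for `oci compute instance update`.
    The update replaces the whole tag set, so existing tags are copied first
    and only the required key is added or overwritten."""
    merged = {ns: dict(keys) for ns, keys in (existing or {}).items()}
    merged.setdefault(namespace, {})[key] = value
    return json.dumps(merged, sort_keys=True)
```

Feed the string returned by merged_defined_tags to the --defined-tags argument so tags already on the instance survive the update.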