Control: 2.6 Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources

Description

Oracle Integration (OIC) is a complete, secure, but lightweight integration solution that enables you to connect your applications in the cloud. It simplifies connectivity between your applications and connects both your applications that live in the cloud and your applications that still live on premises. Oracle Integration provides secure, enterprise- grade connectivity regardless of the applications you are connecting or where they reside. OIC instances are created within an Oracle managed secure private network with each having a public endpoint. The capability to configure ingress filtering of network traffic to protect your OIC instances from unauthorized network access is included. It is recommended that network access to your OIC instances be restricted to your approved corporate IP Addresses or Virtual Cloud Networks (VCN)s.

Remediation

1. Login to OCI Console.
2. Click in the search bar, top of the screen.
3. Type Advanced Resource Query and click enter.
4. Click the Advanced Resource Query button in the upper right of the screen.
5. Enter the following query in the query box:

query integrationinstance resources

6. For each OIC Instance returned click on the link under Display name.
7. Click on Network Access.
8. Ensure Restrict Network Access is selected and the IP Address/CIDR Block as well as Virtual Cloud Networks are correct.
9. Repeat for other subscribed regions.
10. For each OCI instance in the returned results, click the OCI Instance name.
11. Click Network Access.
12. Either edit the Network Access to be more restrictive.

From Command Line

1. Execute the following command:

for region in `oci iam region list | jq -r '.data[] | .name'`;
  do
  for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`
    do
    output=`oci integration integration-instance list --compartment-
    id $compid --region $region --all 2>/dev/null | jq -r '.data[] | select(."network-endpoint-details"."network-endpoint-type" == null)'`
    if [ ! -z "$output" ]; then echo $output; fi
    done
  done

2. Ensure allowlisted-http-ips and allowed-http-vcns are correct
3. Get the json input format using the below command:

oci integration integration-instance change-network-endpoint --generate- param-json-input

4. For each of the OCI Instances identified get its details.
5. Update the Network Access, copy the network-endpoint-details element from the JSON returned by the above get call, edit it appropriately and use it in the following command

Oci integration integration-instance change-network-endpoint --id <oic- instance-id> --from-json '<network endpoints JSON>'